Research Of SOAP Extensions-Based Web Services Security Model

Posted on: 2008-11-29
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhao
Full Text: PDF
GTID: 2178360212973601
Subject: Computer application technology

Abstract/Summary:
Web Services, a new-generation approach to platform-independent distributed computing, are popular and widely used in many fields. Their benefits include suitability for integrating completely different computing systems, fast and cheap development, and easy deployment. However, they still face technical challenges in many respects, among which security is the most important.

As a typical distributed application, Web Services have security requirements including confidentiality, integrity, authentication, non-repudiation and authorization. At the same time, their own characteristics, such as dynamic interaction and multiple participants, bring new challenges to security. In many cases, existing secure transport solutions such as SSL/TLS and IPsec provide a good solution for the secure transport of SOAP messages, but not always. SOAP messaging is specifically designed to work with intermediaries, so Web Services demand end-to-end, message-level security. On the other hand, their inherent heterogeneity, dynamism and distribution make authorization control more difficult. Often there is no trust relationship between users and service providers. The traditional access control model has shortcomings, so Web Services demand a more suitable approach to access control.

This thesis points out the differences and requirements of Web Services security and analyses the shortcomings of existing security technologies. Based on research into Web security specifications, it puts forward a message-level security model for the typical Web Services application. The model implements the security mechanism in SOAP. It provides both secure transport of SOAP messages and access control. The model uses XKMS as a replacement for PKI, and SAML assertions to exchange the authentication and authorization information of users. The implementation of the model depends on a message processing security model and an access control model.

The message processing security model supplies message processing layers to set up a security context and add security information for authentication and authorization. It can provide transparent security services for Web Services. The access control model adopts attribute-based access control with XACML as the policy language. It can provide access control across trust domains based on SAML assertions and takes Web Services parameters into account. The thesis also establishes the mapping between XACML and the access control model. The access control model is flexible and scalable.

Furthermore, on the basis of the security model, combined with a simple scenario of a Supply Chain Management application, this thesis describes a security framework oriented to the J2EE platform and the Axis SOAP server. A series of security handlers is designed to ensure the confidentiality and integrity of Web Services and to provide mechanisms such as authentication, access control and audit. In addition, it describes the access control mechanism in the framework, which is designed according to the access control model.

Finally, the realization method of the security handlers and components for access control and...
Keywords/Search Tags:Web Services security, Security framework, ABAC, WS-Security, XACML