SDO's Security Analysis And The Solution To Its Some Problems In The SOA-SCA Environment

SOA is the abbreviation of Service Oriented Architecture. SOA is awhole group of distributed software system construction approach andenvironment which includes running environment, programming model,architecture style and related theory. It includes the whole lifecycle ofservice: modeling, development, integration, deployment, running andmanagement. In all, SOA is the construction approach of distributedsoftwaresystemandthenewstageofenvironment.Comparedtotraditional application,what SOAconsiders is inwhat wayand how to expose service and which services will be exposed, in this way,when creating a new application, we can integrate the old systems toprovide services, if using the old approach, we may have to develop thisservice,everythingisstartfromzero.In traditional enterprise's architecture environment, the application isdeveloped mainlyfor end users. There are manyways in which applicationsinteract with each other: through database, through remote procedure call,throughfileandsoon. Mostofapplication'susers arepeople,thetraditionalapplication has ignored the way to expose current application's services toother applications. What is worse, the standards which are used duringcreating the application is not suitable for this new request. There is not agood way to satisfy enterprises when they want to integrate multipleapplications to meet their changed requests. The result of the traditionalsystem's architecture is the reuse of current application is verytime-consuming and costly, that is to say, integration between differentsystems is very difficult, but we have lots of such requests to integratedifferentsystems.In order to avoid the shortcomings of traditional system architecture,SOA is born, in SOA, service is the key abstract approach, business isdividedintoaseries of"large"businessservicesandbusinessprocesses.Business service is relatively independent, self-included, reusable and is implementedbymultipledistributedsystems. Business process is composedof services. One service has defined its interface which is related to itsbusiness functionality and business data, it also has defined the policy torestrict this interface, such as service quality request, business rule, servicerequest, the law abidance and the key business indicator. The interface andpolicyis defined in a neutral and standard way, theyare also independent ofthe hardware platforms, OS and programming languages. This makes itpossible for different systems to interact with each other in a uniform way.Besides, SOA uses Service Registry and Enterprise Service Bus to sustaindynamic query, orientation, route and mediation. This makes it possible thatthe interaction between services is dynamic and service provider's place istransparent. Due to the transparence of technology and location, this makesit possible for service requester to decouple its service provider in a goodway.Thiscanbringtwo benefits:oneis thatitis agileforchange,anotheriswhen one service's inside structure and implementation has changed, it willnot impact other services. But tight coupling means the component'sinterfaceis greatlyrelatedwiththis component's functionalityandstructure,so when change occurs, one part's change will yield other and even allapplication'schange,sothearchitecturelikesoisverybrittle.In all, the main benefits of SOA are IT can provide better businessvalues more quickly, the system's architecture can adapt to changes morequicklyandthesystem'sservicesaremorereusable.The concept of SOA is relatively abstract. To let customers use thisservice orient architecture more easily, IBM has brought forward a newservice component model. It is a new programming model independent ofprogramminglanguages,Itprovidesauniforminvokingstyle.Soclientscanencapsulate and invoke various of components including POJO, EJB,business process and human task through standard interfaces. This newservice oriented programming model can greatly relieve customer'sprogramming effort and provide application's flexibility, it is called SCA(Service Component Architecture). The purpose of SCA using interactions between service components is to hide various of detailed technologieswhen constructing enterprise applications. In this way, the enterpriseapplication architecture will bedividedintomultiplelayers andthebusinesslogic will be separate from ITlogic in a good manner, the result is it is veryeasy to construct new applications and the change and deployment ofapplicationsisalsoveryeasy.It is becoming more and more important when accessing different datasources, SDO is an application programming interface, SDO can be used tosimplify and unify heteronomous data's access. Currently data is distributein different data sources, such as database, web service, LDAP and legacyapplication. This complexity makes programmers have to learn lots of APIsuch as JAVA, JDBC, JAX-RPC. SDO has simplified and supplementedJ2EE's design patterns, It has provided a special way to accessheteronomousdatasourcesanditcanalsobeusedforotherpuposes.Most of traditional applications is just like an integration circuit. So ithas reduced the possibility and complexity about the interactions betweenmachine and machine. If a company wants to develop an SOA applicationwithout considering its security mechanism, the unlawful users canpenetrate into the system and escape the security check. Because currentsystem's services are exposed in a standard way, the system's securitymechanism does not exist or it is coarse grained. When we describe asystem is coarse grained, that means its ability to find the imperceptiblesecuritydifferenceisverylimited.IntheSOAenvironment,thedatasent tooneenterprisewill probablybeforward to another enterprise, so we must provide a good data transfermechanism to prevent the data filched on the transfer channel between oneenterprise and another enterprise. As the boundary of application andenterprise is not the obstacle for service reuse now in SOA, the traditionalsecurity policy will not function and we need to re-consider how tostrengthen the data transfer security mechanism. Below is the classificationofdatasecurityproblemwhichhasbeencoveredinthispaper. 1. data confidentiality: ensure the confidential data can not be filched,even though the data is filched, unlawful user can not get its plaindata. What they get is the encrypted data. Only the lawful users cangettheplaininfooftheconfidentialinformation.2. data integrity: ensure data can not be changed during the transferjourney. If the data has been tampered, the receiver has the abilitytodetectthis.3. datasignature: thesenderorreceiver cannot denythe data whichhehasoncesentorreceived.Now we can use the message-level security technology to protect ourSOA, these technologies include data encryption, data decryption, digitalsignature and certificate. If we wan to make sure the securityof our SOAisrobust and any unlawful third-party can not get the plain info of theconfidentialdatainSDO,wemustusethepublickeyencryption/privatekeydecryption technology to protect our SOA. If we want to make sure theSDO data can not be tampered during the transfer journey and the serviceinvoker can not deny the service requests which he has made and can notdeny the SDO service request data which he has sent, we must use themessage digest, private key signature, signature verifying using public keytechnologiestotheSDOdatatoprotectourSOA.ThispaperhasdesignedtheSDOdata'sconfidentialitysecuritysolution,SDO data's integrity security solution, SDO data's non-repudiation securitysolution in the SOA-SCA environment. Then design a business process,afterwards design this business process's SDO data's security solution,finallyhave a detailed analysis to the designed SDO data's securitysolutionto make sure the design goal of SDO's data confidentiality, data integrity,data non-repudiation has been reached when SDO data will be transferredmanytimesintheSOA-SCAenvironment.As the speed of encryption using public key, decryption using privatekey, signature using private key and signature verifying using public key isslow, these technologies are not suitable for processing large data. So the SDO data's security solution will not deal with all of the SDO data, insteadit onlyprocesses the confidential data in SDO. This will bring two benefits:one is the speed of the security solution will not slow down as the quantityof data to be delt with is large, another is the SDO data which has beenprocessed by the secutity solution is still base on SDO format, it is stillbased on open standards. Once the receiver receives this SDO data whichhas been processed by the security solution, it can still use SDO's openstandardstoanalyzeand"consume"thisSDOdata.Finally,theSDOdata'ssecuritysolutionhasbeenimplementedbyWID,WPS which are development tools based on SOA, SCAand the author hasdonetheimplementation'sfunctionalitytestandperformancetesttovalidateitsperformanceandcorrectness.