
Research And Implementation Of Web Services Security Model Based On SOAP Message Extension

Posted on: 2009-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: C C Chen
GTID: 2178360272974596
Subject: Computer software and theory

Abstract/Summary:
Web Services is a new standard for distributed computing, characterized by platform independence and language independence. Web Services has a wide market and a promising future: as the core of the new generation of dynamic electronic business, it also opens new possibilities for enterprise integration. However, because of the unlimited openness of Web Services, more and more data and information will be exposed to the Internet. Security problems were not taken into account when SOAP was proposed, for the sake of simplicity and ease of use. Currently, the rapid development of Web Services is severely restricted by these security problems. Proposing a security model and establishing an effective solution is therefore of great importance to the rapid development of Web Services.

This thesis first analyzes the shortcomings of existing Web Services technologies and then, through in-depth study of the Web Services security specifications, constructs a Web Services security model based on SOAP extension. It relies on a message processing security model and an access control model. The message processing security model encrypts and signs the SOAP messages that need protection, using the XML Encryption and XML Signature mechanisms in WS-Security. To prevent replay attacks, security properties such as a timestamp are added to the message. In addition, the message processing security model supports adding SAML assertions to the SOAP message in order to provide authentication across multiple security domains. Using the attributes obtained from the message processing security model, environment attributes, and attributes of the Web Services, the attribute-based access control model uses XACML to authorize users' requests, which gives it good extensibility and dynamic adaptability.

Then, based on this Web Services security model, a security framework built on the XFire SOAP engine is designed on the J2EE platform. The framework comprises a series of security handlers which, together with the SOAP engine, provide security functions such as encryption, signature, and authentication across multiple security domains in a configurable way. Besides the security handlers, this thesis also designs an access control mechanism according to the access control model.

Lastly, in a computer adaptive practice security scenario, this thesis implements and tests the security processing framework and the access control model with related techniques. Then, under various data volumes, the performance of the framework is compared with that of a security framework based on the Axis SOAP engine; the test data show that the former performs better than the latter. Finally, the performance of the security framework is analyzed further.
Keywords/Search Tags:SOAP extension, WS-Security, Access control based on attribute, XACML, SAML