Web services are a distributed application integration technology that has emerged rapidly in recent years. Because they are loosely coupled, cross-platform, programming-language independent, and easy to deploy, discover and invoke, they play an increasingly important role in many areas, especially e-commerce applications. However, the application of Web services also faces enormous security challenges: many security policies and solutions have flaws and are not enough to protect the security of Web services communications. This paper uses the WS-Security specification, SAML, XACML and other security technologies to build a secure communication model based on SOAP extension. First, the paper describes the characteristics of the Web services structure and its supporting protocols, analyzes the existing security threats to and security needs of Web services, and analyzes in depth the existing Web services security specifications: WS-Security, XML Encryption, XML Signature, XKMS, SAML and XACML. It then designs a secure communication model that uses these specifications, based on the features of SOAP message transmission. The model signs and encrypts SOAP messages and adds timestamps to them, and combines this with user token authentication, authorization and access control to ensure end-to-end secure message communication between the requester and the provider of a Web service, achieving data integrity, confidentiality, non-repudiation, and user authentication and authorization for Web service communication. Finally, the paper designs a staff information inquiry service system as an example application of the proposed Web services message security communication model, and gives the implementation process of each security link in the model.