Research On Secure Mechanism Of Web Service Based On Analysis Of Information Flow

Posted on: 2013-02-03 | Degree: Master | Type: Thesis
Country: China | Candidate: L L Liu
GTID: 2218330371957347 | Subject: Information security
Abstract/Summary:
In recent years, with the rapid development and increasing maturity of web services, their application area has been expanding steadily, and the amount of confidential data they involve has been growing rapidly, which shows the importance of web service security. To protect this data, SSL/TLS is used to secure information at the transport layer, and the WS-Security specification is used to secure information at the end-to-end message layer: it adds security features to the SOAP header to ensure the confidentiality and integrity of messages. However, there are many security flaws in SSL/TLS, while WS-Security requires complicated configuration and management, so the overhead on the system is too large. Besides, a web service may itself have potential vulnerabilities, for example insecure information flow in the service's source code. Neither of the two methods above can effectively ensure the security of the source code.
This thesis protects web service security from the perspective of information flow. A web service is implemented in a programming language before it is published, and information flows through the source code of the service. The research content of this thesis is how to protect the security of a web service's source code. First, the thesis sets out the general procedure for enforcing confidentiality and integrity using information flow techniques. A detailed analysis procedure is then given for an example program, on the basis of which an automatic, secure publishing tool is developed. The tool finds confidential data in the source code and adds a label to the data to define its principal. Confidentiality and integrity policies are defined according to the security requirements to restrict operations on the data. The tool invokes the Jif compiler to compile the modified code and publishes the service by placing the compiled class file in a designated directory.
Finally, services implemented in Java and in Jif are tested through a browser, soapUI and client programs. The test results show that only the service using the Jif security mechanism can protect the security of the source code. It prevents attackers from illegally reading and writing data, and thus ensures web service security before the service is published.
Keywords/Search Tags:Web Service, Service Security, WS-Security, Information Flow Security, Jif