Semantic Security Architecture for Web Services

The shift from plain service-oriented architectures (SOA) to semantically enriched approaches is being driven especially in multi-domain environments, of which the public sector in the European Union is an example. Security lags behind what this shift makes possible, and new access control approaches native to the semantic environment need to be applied. Based on architectural research work conducted within the EU-funded research project Access-eGov, we outline our implementation of a semantic security architecture for web services that uses industry-standard technologies and combines them with semantic enhancements.

Nowadays, public administrations all over the world are confronted with the ever-growing challenge of delivering their services electronically and, especially in the European Union, are required by the so-called Services Directive [1] to do so across their own legal boundaries. The challenges to this vision mainly arise from the semantic gap between the service descriptions, which results in high entry thresholds for implementing such collaborative systems. Access-eGov saw its main field of research in enabling semantically enriched service-oriented architectures (SSOA).

1) WS-Security: WS-Security [7] is an open standard that specifies how security-related metadata should be incorporated into SOAP messages. WS-Security does not, however, define security models, mechanisms or technologies; rather, it defines how existing approaches should be applied to SOAP messages to ensure interoperability among different implementations and languages. For that purpose, WS-Security defines several basic elements for the SOAP header to hold security information. Several additional profiles for security tokens have been specified so far, such as the UsernameToken Profile [8] or the X.509 Token Profile [9]. For the security infrastructure of Access-eGov the SAML Token Profile [10] is the most relevant one, as it allows SAML assertions to be integrated into the SOAP header. The WS-Security standard and its token profiles are currently supported by several web service frameworks, such as Apache Axis2 and its security module Rampart, Sun Metro and its security component WSIT, or Apache CXF.
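As an added illustration (not code from the paper or from the Access-eGov project), the following Python parses a SOAP request whose wsse:Security header carries a SAML 2.0 assertion, as the SAML Token Profile prescribes, and hands out the subject and attributes only after checking that the issuer is trusted and that the assertion's validity window covers the current time. The sample envelope, the issuer URL and the trust list are constructed for the example; verifying the XML signature over the assertion is left to the WS-Security stack.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Namespace URIs from the SOAP 1.1, WS-Security 1.0 and SAML 2.0 specifications.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRUSTED_ISSUERS = {"https://idp.example.test/idp"}  # assumed trust list, not from the paper

# Constructed sample request: a SAML 2.0 assertion inside wsse:Security (SAML Token Profile).
SAMPLE_SOAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <wsse:Security soap:mustUnderstand="1"
   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
    <saml:Subject><saml:NameID>citizen-42</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z"/>
    <saml:AttributeStatement>
     <saml:Attribute Name="role"><saml:AttributeValue>clerk</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
   </saml:Assertion>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>"""

def _ts(value):  # parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))

def extract_saml_token(envelope_xml, now_iso):
    """Return (subject, {attribute: value}) from the SAML assertion in wsse:Security, or
    raise ValueError if it is absent, from an untrusted issuer, or not valid at now_iso.
    The ds:Signature is NOT verified here; the WS-Security stack must do that first."""
    root = ET.fromstring(envelope_xml)
    assertion = root.find("soap:Header/wsse:Security/saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion in wsse:Security header")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or None in (cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        raise ValueError("assertion has no validity window; refuse it")
    if not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return subject, attrs
```

An assertion with no Conditions element is refused rather than treated as unlimited, since an unbounded token would defeat the point of the validity window.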
