Web Services Security

Submitted to Dr. Stefan Robila as part of CMPT-585, Final Project
By Nagalakshmi Kohareswaran and Shilpa Venugopal
Department of Computer Science, Montclair State University, Montclair, NJ
Fall 2005

1. Abstract

Web Services are emerging as an important technology for enabling various forms of information services across programming languages and platforms. Web Services enable applications to communicate more effectively without having to work out the underlying mechanics of the communication. A key benefit of the Web Services architecture is the ability to deliver integrated, interoperable solutions. Interoperability among these applications is ensured through the use of standards such as SOAP, XML, and WSDL.

This paper starts with a brief description of what web services are and the scenarios in which they are used. It describes the security requirements of web service applications and why they exceed those of traditional e-commerce over the Internet. It then analyzes the security standards associated with Web Services in general, how they relate to each other, and how they fit together to form the modules of the web services security architecture.

2. Introduction

Organizations today rely heavily on their IT infrastructure to carry out business processes and manage resources. Companies deploy customized applications to manage the functioning of different departments. These applications need to be integrated with each other for consolidated decision-making, accurate system information, better performance and monitoring. Technologies are available that help integrate these custom applications within an enterprise. Enterprise Application Integration (EAI) is one such approach: it creates an integrated infrastructure within an enterprise by enabling software that sits between these applications and helps them function in harmony.

In many scenarios, integration within the enterprise is not sufficient; organizations also need to integrate applications across enterprises, for example with their partners, customers and suppliers. Although cross-enterprise integration is vital, it has many security implications. Because the information is exchanged over the Internet, it may be exposed to malicious attacks. Moreover, not all the information a company offers on the Internet has the same level of business confidentiality: some is meant to be publicly available, while the rest is meant only for the company's partner companies.

Companies secure the resources they make available on the Internet by defining business roles, access rights and system policies. One way of doing this is by means of network-level firewalls. Firewalls have the following functions:

• To monitor all incoming traffic
• To check the identity of the information requesters
• To authenticate users based on their identities, which can be the network addresses of the service requesters or security tokens
• To check security and business policies in order to filter access requests and verify whether the service requester has the right to access the intended resource
• To provide encrypted messaging, securing the confidentiality of business information that must be sent privately across the Internet

The next issue in cross-enterprise integration is the need for interoperability between the various systems involved. A company may have no control over, and may know little about, the infrastructure of its partner companies: one company could be running Java on Solaris servers while another uses .NET or some other technology. Agreeing on messaging formats for every exchange of information may not be feasible, since it would mean an endless task of designing and redesigning message formats for each partner company. To resolve this problem, many applications move from legacy integration to the Service Oriented Architecture (SOA) provided by web services.

Service Oriented Architecture consists of applications that can be called externally; it provides remote invocation of service classes. Services in SOA are similar to classes in object-oriented languages: the service classes implement the business logic, and their functionality is exposed by hosting them on a SOAP server. The SOAP server works over HTTP, and SOAP uses XML to specify remote method invocation calls.

Most web services have some methods that are meant to be publicly available and some that are strictly private between the partner companies. The SOAP server cannot provide security by itself. It maintains only information about the web services it hosts, such as the names of the services, the names of the methods in each service, and the location of the classes that implement the web services. It has no capability to check whether an incoming SOAP request comes from an anonymous customer or from a partner company, and it performs no user authentication, authorization or access control. A remote client that can reach a SOAP server can invoke any method of any service hosted on that server. Even a network firewall cannot distinguish between a customer and a partner once the request has reached the SOAP server.

There are two solutions to this problem. One is to use a separate SOAP server for each level of sensitivity, so that a different authentication policy can be enforced at each level. However, this method makes the web service infrastructure very complex, and therefore very hard and expensive to build. The second solution is to make the firewall XML- and SOAP-aware. Such a firewall can inspect the SOAP messages and match the user's roles against access lists, policy levels and so on. The web service
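The SOAP-aware filter the paper describes, as an added example (not code from the paper): it parses each SOAP envelope, reads the invoked method from the Body and a security token from the Header, and checks the caller's role against an access list that separates public methods from partner-only ones. The token header, service namespace, operation names and token registry are all constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SEC_NS = "http://example.org/security"   # assumed token header namespace
SVC_NS = "http://example.org/orders"     # assumed service namespace

# Constructed access list: operation -> roles permitted to invoke it.
ACCESS_LIST = {
    "getProductCatalog": {"anonymous", "partner"},   # public method
    "getPartnerPricing": {"partner"},                # partner-only method
}
# Constructed token registry; a real firewall would validate tokens
# against a directory or token service rather than a static table.
TOKENS = {"partner-token-123": "partner"}


def envelope(operation, token=None):
    """Build a constructed SOAP request envelope for exercising the filter."""
    header = ""
    if token:
        header = (f'<env:Header><sec:Token xmlns:sec="{SEC_NS}">'
                  f"{token}</sec:Token></env:Header>")
    return (f'<env:Envelope xmlns:env="{SOAP_ENV}">{header}'
            f'<env:Body><svc:{operation} xmlns:svc="{SVC_NS}"/></env:Body>'
            "</env:Envelope>")


def authorize(soap_xml):
    """Return (allowed, reason) for one envelope before it reaches the SOAP server."""
    try:
        root = ET.fromstring(soap_xml)
    except ET.ParseError:
        return False, "malformed XML"
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        return False, "no SOAP body"
    # The first child element of Body names the remote method being invoked.
    operation = body[0].tag.split("}")[-1]
    allowed = ACCESS_LIST.get(operation)
    if allowed is None:
        return False, f"unknown operation {operation}"   # default deny
    token_el = root.find(f"{{{SOAP_ENV}}}Header/{{{SEC_NS}}}Token")
    if token_el is None:
        role = "anonymous"                  # no token: treat as anonymous customer
    else:
        role = TOKENS.get((token_el.text or "").strip())
        if role is None:
            return False, "unrecognised security token"   # bad token: reject
    if role in allowed:
        return True, f"{role} may call {operation}"
    return False, f"{role} may not call {operation}"
```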