This article analyses the two most commonly used distributed models in Java: Web services and RMI (Remote Method Invocation). The paper focuses on regular (unsecured) as well as on secured variants, WS-Security and RMI–SSL. The most important functional differences are identified and the performance on two operating systems (Windows and Linux) is compared. Sources of performance differences related to the architecture and implementation are identified. The overheads related to the usage of security and the influences of JCE (Java Cryptography Extension) security providers on the performance of secured remote invocations are identified. Finally, the impact of distributed models on design and implementation of distributed applications is identified and guidelines for improving distributed application performance in the design and implementation stages are provided. The paper contributes to the understanding of functional and performance related differences between Web services and RMI and their secure variants, WS-Security and RMI–SSL.
There are more and more scenarios requiring the transparent integration of heterogeneous security services in order to facilitate application development, simplify deployment and provide a seamless user experience. One of the most common use cases occurs when resources make use of OAuth to provide a simple and flexible way to authorize clients in order to access protected resources. But different OAuth implementations normally use distinct types of authorization grant and access tokens. This heterogeneity can be tackled by leveraging on WS-Trust, which is especially intended to offer integration mechanisms among services that implement WS-* specifications. By integrating these mechanisms it is possible to reduce the complexity supported by the OAuth Authorization Server (AS), so easing the interoperability through the delegation of the issuance and validation processes. This work also proposes a solution to cover the needs of WS-Trust clients which intend to use OAuth resources.
With SOAP-based web services leaving the stadium of being an explorative set of new technologies and entering the stage of mature and fundamental building blocks for service-driven business processes (and in some cases even for mission-critical systems), the demand for nonfunctional requirements including efficiency as well as security and dependability commonly increases rapidly. Although web services are capable of coupling heterogeneous information systems in a flexible and cost-efficient way, the processing efficiency and robustness against certain attacks do not fulfill industry-strength requirements. In this paper, a comprehensive stream-based WS-Security processing system is introduced, which enables a more efficient processing in service computing and increases the robustness against different types of Denial-of-Service (DoS) attacks. The introduced engine is capable of processing all standard-conforming applications of WS-Security in a streaming manner. It can handle, e.g., any order, number, and nesting degree of signature and encryption operations, closing the gap toward more efficient and dependable web services.
Enterprise apps on mobile devices typically need to communicate with other system components by consuming web services. Since most of the current mobile device platforms (such as Android) do not provide built-in features for consuming SOAP services, extensions have to be designed. Additionally, in order to accommodate the typical enhanced security requirements of enterprise apps, it is important to be able to deal with SOAP web service security extensions on client side. In this article we show that neither the built-in SOAP capabilities for Android web service clients are sufficient for enterprise apps nor are the necessary security features supported by the platform as is. After discussing different existing extensions making Android devices SOAP capable we explain why none of them is really satisfactory in an enterprise context. Then we present our own solution which accommodates not only SOAP but also the WS-Security features on top of SOAP. Our solution heavily relies on code generation in order to keep the flexibility benefits of SOAP on one hand while still keeping the development effort manageable for software development. Our approach provides a good foundation for the implementation of other SOAP extensions apart from security on the Android platform as well. In addition our solution based on the gSOAP framework may be used for other mobile platforms in a similar manner.
Web services (WS) are the modern response of traders and online service providers to satisfying the increasing needs and demands of the digital communities. WS formation and operation is based on a software system designed to support interoperable machine-to-machine interaction over a network. Security is of paramount importance to WS and the ability to measure and evaluate the level of security available is key to establishing and continuing to develop the level of trust based on reputation developed by the provider of the WS. The greatest challenge in offering secure WS is to groups of people where the level of expertise of the user is low and the need for transparency of the service provision quite high, such as the case with services offered primarily to people in rural areas. Providers of such services face many challenges in balancing the requirements for performance, interoperability, and security against the cost of implementing secure systems and running profitable operations through low income generating WS. A review of services offered, of the users and the challenges in building online trust among providers and users are discussed for the case of rural areas in the United Kingdom.
Due to their distributed and open nature, Web Services give rise to new security challenges. This technology is susceptible to Cross-site Scripting (XSS) attack, which takes advantage of existing vulnerabilities. The proposed approach makes use of two Security Testing techniques, namely Penetration Testing and Fault Injection, in order to emulate XSS attack against Web Services. This technology, combined with WS-Security (WSS) and Security Tokens, can identify the sender and guarantee the legitimate access control to the SOAP messages exchanged. We use the vulnerability scanner soapUI, which is one of the most recognized tools of Penetration Testing. In contrast, WSInject is a new fault injection tool, which introduces faults or errors on Web Services to analyze the behavior in a non-robust environment. The results show that the use of WSInject, in comparison to soapUI, improves the detection of vulnerabilities, allows XSS attacks to be emulated, and generates new types of them.