论文信息 - Static vs. Dynamic Validation of BSP Conformance

Static vs. Dynamic Validation of BSP Conformance

WS-I's Basic Security Profile (BSP) defines best practice guidelines for secure web services communications, enabling interoperability between vendors. However it is difficult for developers to know if their SOA solutions are in fact compliant to these guidelines. In this paper, we discuss methods to assess compliance against BSP. We have implemented runtime validation of SOAP messages to check for compliance against BSP, a method implied by the BSP definition itself. Additionally, we have implemented a novel approach to statically validate WS Security policies against BSP using Schematron. From our experiments dynamic validation for BSP compliance offers greater coverage but results in a significant overhead, while static validation is limited in its scope but extremely valuable since under reasonable assumptions it provides assurances about compliance prior to deployment. We conclude with a summation of our results and lessons for SOA practitioners.

[1] Nils Gruschka,et al. Protecting Web Services from DoS Attacks by SOAP Message Validation , 2006, SEC.

[2] Pierluigi Plebani,et al. Supporting policy-driven behaviors in web services: experiences and issues , 2004, ICSOC '04.

[3] Nils Gruschka,et al. Event-Based SOAP Message Validation for WS-SecurityPolicy-Enriched Web Services , 2006, SWWS.

[4] Michiaki Tatsubori,et al. Optimizing Web services performance by differential deserialization , 2005, IEEE International Conference on Web Services (ICWS'05).

[5] Yuichi Nakamura,et al. Implementation and Performance of WS-Security , 2004, Int. J. Web Serv. Res..

[6] Yuichi Nakamura,et al. Syntactic Validation of Web Services Security Policies , 2007, ICSOC.

[7] Andrew D. Gordon,et al. Validating a web service security abstraction by typing , 2002, XMLSEC '02.

[8] Phillip Hallam-Baker,et al. Web services security: soap message security , 2003 .

[9] Scott O. Bradner,et al. Key words for use in RFCs to Indicate Requirement Levels , 1997, RFC.

[10] Michael J. Lewis,et al. Differential Deserialization for Optimized SOAP Performance , 2005, ACM/IEEE SC 2005 Conference (SC'05).

[11] Dennis Gannon,et al. Performance comparison of security mechanisms for grid services , 2004, Fifth IEEE/ACM International Workshop on Grid Computing.

[12] Andrew D. Gordon,et al. Verifying policy-based security for web services , 2004, CCS '04.