• Required:
– Stuttard and Pinto: Chapter 3
• Recommended: Csilla Farkas, Michael N. Huhns: Securing Enterprise Applications: Service-Oriented Security (SOS). CEC/EEE 2008: 428-431.
http://www.cse.sc.edu/~farkas/publications/SOS-cec.pdf
• Perimeter Service:
– Operates at application layer
– Works in conjunction with existing firewall technologies
– Hides internal application details
• External customer: corresponds with the perimeter service’s external contracts
• Internal application: response is relayed to the customer by the perimeter service
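The perimeter-service pattern above, as an added example in Python (not code from the slides or from the cited paper): an external contract lists the operations a customer may invoke; the perimeter service checks each incoming request against that contract, relays it to the internal application, and strips internal details (hostnames, backend version headers, exception text) from the relayed response. The operation names, header names and the `InternalApp` stand-in are constructed for this illustration.

```python
# Constructed external contract: the only operations a customer may call, with their
# required parameters. Anything not listed is rejected at the perimeter.
EXTERNAL_CONTRACT = {
    "getOrderStatus": {"required": ["orderId"]},
}

# Response headers that describe the internal application and must not leave the perimeter.
INTERNAL_HEADERS = ("server", "x-internal-host", "x-backend-version")


class InternalApp:
    """Stand-in for the internal application (constructed; not a real backend)."""

    def __init__(self):
        self._orders = {"A1": "shipped", "B7": "processing"}

    def handle(self, operation, params):
        # The internal app answers with headers that reveal its hostname and version.
        leaky_headers = {
            "server": "InternalApp/3.1",
            "x-internal-host": "db-node-7.internal",
            "x-backend-version": "3.1.4",
        }
        if operation == "getOrderStatus":
            # Unknown order ids raise KeyError here; the perimeter must not relay that detail.
            state = self._orders[params["orderId"]]
            return {"status": 200, "headers": leaky_headers,
                    "body": {"orderId": params["orderId"], "state": state}}
        raise ValueError("internal app does not implement %r" % operation)


class PerimeterService:
    """Application-layer perimeter: enforces the external contract and relays responses."""

    def __init__(self, internal_app):
        self._app = internal_app

    def handle_external(self, operation, params):
        contract = EXTERNAL_CONTRACT.get(operation)
        if contract is None:
            # Operation is outside the external contract: refuse before touching the backend.
            return {"status": 404, "headers": {}, "body": {"error": "unknown operation"}}
        missing = [p for p in contract["required"] if p not in params]
        if missing:
            return {"status": 400, "headers": {},
                    "body": {"error": "missing parameters", "missing": missing}}
        try:
            internal = self._app.handle(operation, params)
        except Exception:
            # Internal failure details stay inside; the customer sees a generic 5xx.
            return {"status": 500, "headers": {}, "body": {"error": "request could not be fulfilled"}}
        # Relay the response, dropping headers that describe the internal application.
        headers = {k: v for k, v in internal["headers"].items()
                   if k.lower() not in INTERNAL_HEADERS}
        return {"status": internal["status"], "headers": headers, "body": internal["body"]}


if __name__ == "__main__":
    svc = PerimeterService(InternalApp())
    print(svc.handle_external("getOrderStatus", {"orderId": "A1"}))
    print(svc.handle_external("getOrderStatus", {"orderId": "nope"}))
    print(svc.handle_external("dumpOrders", {}))
```

The contract check runs before the backend is contacted, so unknown operations and malformed requests never reach the internal application; the header filter and the generic error mapping are what make "hide internal application details" concrete.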
How to handle Vulnerable Applications?
Layered security:
1. Software-level (single service) security
2. Business-level (service composition) security
3. Network-level security
• SOA
• HTTP
• Web Functionality
• Encoding Schemes
• Service Architecture
• Service Composition Architecture
• Service Inventory Architecture
• Service-Oriented Enterprise Architecture
• Business driven
• Vendor neutral
• Enterprise centric
• Composition centric
• Complex composition?
• Changes and re-composition?
• Security design?
• Conflict between security and business goals?
• Proprietary vs. standardized development?
• XML
– XML encryption
– XML Signature
– Canonical XML
– Decryption Transformation for XML Signature
• WS-Security
• Security Assertion Markup Language (SAML)
• Request line
1. HTTP method
2. Requested URL
3. HTTP version
E.g., GET /search?q=Web+Technologies HTTP/1.1
• Header lines
– Host, Referer, Cookie, User-Agent, Connection, etc.
• Request body
• Status line
1. HTTP version
2. Numeric status code indicating the result of the request
3. Textual reason phrase describing the status of the response
• Header lines
– Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length
• Response body
• 1xx – Informational
• 2xx – the request was successful
• 3xx – the client is redirected to a different resource
• 4xx – the request contains an error of some kind
• 5xx – the server encountered an error fulfilling the request
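The request and response structure listed above, as an added Python example (not code from the slides): it splits a raw HTTP message into request or status line, header lines and body, classifies the status code by its first digit exactly as the 1xx–5xx list does, and checks that a declared Content-Length matches the body actually received. The sample request and response are constructed, not captured from any real server.

```python
import re

# Constructed sample messages; not captured from a real client or server.
SAMPLE_REQUEST = (
    "GET /search?q=Web+Technologies HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "Cookie: session=abc123\r\n"
    "Connection: close\r\n"
    "\r\n"
)

SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: ExampleServer/2.0\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 12\r\n"
    "\r\n"
    "Not found.\r\n"
)

# Request line: method, requested URL, HTTP version.
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")
# Status line: HTTP version, three-digit status code, optional reason phrase.
STATUS_LINE = re.compile(r"^HTTP/(\d\.\d) (\d{3})(?: (.*))?$")

# Status code classes as listed on the slide, keyed by the first digit.
STATUS_CLASSES = {
    1: "informational",
    2: "the request was successful",
    3: "the client is redirected to a different resource",
    4: "the request contains an error of some kind",
    5: "the server encountered an error fulfilling the request",
}


def _split_message(raw):
    """Split a raw message into (first line, header lines, body) at the blank line."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("message has no blank line terminating the headers")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def parse_headers(lines):
    """Parse 'Name: value' header lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_request(raw):
    """Parse a request: request line (method, URL, version), headers, body."""
    first, header_lines, body = _split_message(raw)
    m = REQUEST_LINE.match(first)
    if not m:
        raise ValueError("malformed request line: %r" % first)
    method, url, version = m.groups()
    return {"method": method, "url": url, "version": version,
            "headers": parse_headers(header_lines), "body": body}


def parse_response(raw):
    """Parse a response: status line (version, code, reason), headers, body."""
    first, header_lines, body = _split_message(raw)
    m = STATUS_LINE.match(first)
    if not m:
        raise ValueError("malformed status line: %r" % first)
    version, code, reason = m.groups()
    return {"version": version, "status_code": int(code), "reason": reason or "",
            "headers": parse_headers(header_lines), "body": body}


def status_class(code):
    """Describe a status code by its class (1xx to 5xx)."""
    return STATUS_CLASSES.get(code // 100, "unknown status class")


def content_length_consistent(message):
    """True if no Content-Length is declared or it equals the body length in bytes."""
    declared = message["headers"].get("content-length")
    if declared is None:
        return True
    return declared.isdigit() and int(declared) == len(message["body"].encode("latin-1"))


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["url"], req["headers"]["host"])
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp["status_code"], status_class(resp["status_code"]),
          content_length_consistent(resp))
```

Both parsers reject a message whose first line does not match the three-part shape rather than guessing, and `content_length_consistent` flags a body that is shorter or longer than the header claims, which is the kind of framing mismatch a proxy or perimeter component should refuse to forward.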
• Mapping Applications