An improved security framework for Web service-based resources

Web service-based applications have become one of the dominant kinds of application on the Internet. This trend brings growing security challenges in reliability, confidentiality, and data non-repudiation, especially in systems that manage massive and diverse resources. An improved framework for secure access to Web resources is presented and implemented by extending and enhancing the Spring Security framework. It raises the security level of a system in three areas: identity authentication, authorized access, and secure transmission. Strong authentication is based on integrating an improved Spring Security authentication module with a U-key (USB key token) method and the RSA algorithm. For authorized access, Spring Security's ACL (access control list) mechanism is improved by optimizing domain object-level access control. For secure transmission, a compromise method is presented that balances security level against data transmission speed by combining the RSA and DES algorithms. In addition, the Spring Security interceptor is extended and a series of security filters are added to block Web attacks. The improved security framework has been applied to an online virtual experiment platform named VeePalms. The experimental results show that most high-severity security problems in the system have been solved and the number of medium- and low-severity problems has decreased dramatically. Moreover, VeePalms has been used in practice for about 2 years, which has demonstrated the effectiveness of the security framework.
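The "RSA combined with DES" transmission scheme the abstract describes is a hybrid envelope: RSA is slow, so it encrypts only a short per-message symmetric key, and the symmetric cipher carries the bulk data. The following Java example is added here to show that structure with the JDK's standard javax.crypto API; it is not the paper's code, and the class name HybridEnvelope, the Envelope holder and the sample payload are assumptions made for illustration. The symmetric algorithm is a constructor parameter so that DES, the cipher named in the abstract, and AES, its modern replacement, run through identical code.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Hybrid envelope (illustrative, not the paper's code): a fresh per-message
 * symmetric key encrypts the payload, and RSA-OAEP wraps only that key.
 * The symmetric algorithm is a parameter so DES (as in the abstract) and
 * AES (the modern replacement) can be compared with the same code.
 */
public final class HybridEnvelope {

    /** The three fields a receiver needs; a real system would frame them. */
    public static final class Envelope {
        public final byte[] wrappedKey;
        public final byte[] iv;
        public final byte[] ciphertext;
        Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext) {
            this.wrappedKey = wrappedKey;
            this.iv = iv;
            this.ciphertext = ciphertext;
        }
    }

    // OAEP rather than PKCS#1 v1.5 padding: v1.5 key transport is exposed to
    // Bleichenbacher-style padding-oracle attacks.
    private static final String RSA_TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    private final String symAlg;        // "DES" or "AES"
    private final int symKeyBits;       // 56 for DES, 128 or 256 for AES
    private final String symTransform;  // CBC with PKCS#5 padding for both
    private final SecureRandom rng = new SecureRandom();

    public HybridEnvelope(String symAlg, int symKeyBits) {
        this.symAlg = symAlg;
        this.symKeyBits = symKeyBits;
        this.symTransform = symAlg + "/CBC/PKCS5Padding";
    }

    /** Encrypt plaintext for the holder of the recipient's private key. */
    public Envelope seal(PublicKey recipient, byte[] plaintext) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(symAlg);
        kg.init(symKeyBits, rng);
        SecretKey sessionKey = kg.generateKey();        // one key per message

        Cipher sym = Cipher.getInstance(symTransform);
        byte[] iv = new byte[sym.getBlockSize()];      // 8 for DES, 16 for AES
        rng.nextBytes(iv);
        sym.init(Cipher.ENCRYPT_MODE, sessionKey, new IvParameterSpec(iv));
        byte[] ciphertext = sym.doFinal(plaintext);    // bulk work: symmetric

        Cipher rsa = Cipher.getInstance(RSA_TRANSFORM);
        rsa.init(Cipher.WRAP_MODE, recipient);
        byte[] wrappedKey = rsa.wrap(sessionKey);      // RSA touches only the key
        return new Envelope(wrappedKey, iv, ciphertext);
    }

    /** Recover plaintext with the recipient's private key. */
    public byte[] open(PrivateKey recipient, Envelope env) throws Exception {
        Cipher rsa = Cipher.getInstance(RSA_TRANSFORM);
        rsa.init(Cipher.UNWRAP_MODE, recipient);
        SecretKey sessionKey =
            (SecretKey) rsa.unwrap(env.wrappedKey, symAlg, Cipher.SECRET_KEY);

        Cipher sym = Cipher.getInstance(symTransform);
        sym.init(Cipher.DECRYPT_MODE, sessionKey, new IvParameterSpec(env.iv));
        return sym.doFinal(env.ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample payload; any byte array works.
        byte[] msg = "sample experiment record: result=42".getBytes(StandardCharsets.UTF_8);

        // As described in the abstract: RSA + DES. DES has a 56-bit key and is
        // brute-forceable with modest hardware, so this is for comparison only.
        HybridEnvelope des = new HybridEnvelope("DES", 56);
        Envelope e1 = des.seal(kp.getPublic(), msg);
        System.out.println("DES round trip ok: "
            + Arrays.equals(msg, des.open(kp.getPrivate(), e1)));

        // Same structure with AES-256: the speed benefit of the hybrid design
        // is kept, the weak cipher is not.
        HybridEnvelope aes = new HybridEnvelope("AES", 256);
        Envelope e2 = aes.seal(kp.getPublic(), msg);
        System.out.println("AES round trip ok: "
            + Arrays.equals(msg, aes.open(kp.getPrivate(), e2)));
        System.out.println("wrapped key bytes: " + e2.wrappedKey.length
            + ", ciphertext bytes: " + e2.ciphertext.length);
    }
}
```

Two points a practitioner checking such a design would raise. First, the speed trade-off the abstract mentions comes from the envelope structure, not from DES: RSA processes one block regardless of payload size, so swapping DES for AES keeps the performance benefit while removing a 56-bit key. Second, CBC mode as used here gives confidentiality only; a deployment needs a MAC over the IV and ciphertext (or an authenticated mode such as AES/GCM, which the JDK offers for AES but not for DES) before decrypting, otherwise a network attacker can modify the ciphertext undetected.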

Turkish Journal of Electrical Engineering and Computer Sciences
  • ISSN: 1300-0632
  • Frequency: 6 issues per year
  • Publisher: TÜBİTAK