Research on Web Service Security Based on WSE 3.0 and Its Implementation in a Digital Campus Platform
Abstract
Web service technology, being loosely coupled and independent of platform and language, is widely used in digital campus construction, where it solves the problem of data integration between heterogeneous campus systems well. A campus data integration system based on Web services runs inside a comparatively safe local area network, but school informatization will not stay confined to the campus network, so the latent security problems of Web services cannot be ignored. Web services are also widely used in e-commerce and e-government; as they spread to the Internet and their application boundary keeps growing, their security problems will become increasingly prominent and will constrain their development. Providing trustworthy Web services has therefore become the key to promoting Web service applications.
     Traditional Web service security solutions rely on SSL/TLS at the transport layer. SSL/TLS protects HTTP connections and is mature technology, but it has limitations: its performance is comparatively poor, and it cannot provide end-to-end security at the message level. Mainstream solutions today exploit the extensibility of SOAP: authentication and authorization elements are added to the SOAP Header, and mature security technologies (XML Signature, XML Encryption, PKI, X.509) are combined to sign and encrypt the SOAP message, meeting the requirements for authentication, integrity and confidentiality. Ad hoc SOAP extensions, however, lack a unified standard and hinder interoperability between systems. The major standards bodies have therefore worked on the relevant standards and specifications; WS-Security and the WS-* specifications built on it are important results of that work, and supporting products have followed, among which Microsoft's Web Services Enhancements (WSE) 3.0 is one of the most capable for Web service security development. Many researchers have proposed security solutions based on the WSE 3.0 policy framework and tried to apply them in real environments. These solutions are still at an early stage: they do not go beyond the constraints of the WSE 3.0 framework, they protect different Web services inflexibly, and they are unsuited to more complex Web service application environments. This thesis therefore analyses the shortcomings of existing WSE 3.0-based Web service security solutions, designs a selective signature-and-encryption scheme, combines it with the WSE 3.0 framework, and proposes a new extension model based on WSE 3.0 policy. Unlike earlier solutions tied to individual Web service methods, the model establishes a general protection model for SOAP messages, which reduces development and maintenance effort. Its distinguishing features are service-level RBAC authorization and element-level selective signing and encryption of SOAP messages, and it provides two-way security for client and server in the digital campus environment.
     The main work of this thesis is as follows:
     1. Making full use of the extensibility of WSE 3.0 and the independence of its policy and policy-implementation mechanisms, and describing the signing and encryption requirements in an external file that is independent of the Web service methods, the thesis implements partial (element-level) signing and encryption of the SOAP message body and SOAP security in a multi-party cooperative environment.
     2. Role-based access control is applied to Web service authorization: combined with the existing client systems, a role-based access control model is built as a Web service, achieving access control at the level of individual Web service methods and refining the granularity of access control.
     3. A campus CA is built on Windows Server 2003 to issue the certificates used for signing and encrypting SOAP messages, in a workflow where the user applies and the CA issues; the established SSL technology secures certificate delivery and reduces the work of certificate generation and distribution.
     4. The signing and encryption principles of WSE 3.0 and the representation of its signature and encryption results are studied in depth; locating the signed objects and encrypted values by URI reference reduces data redundancy and improves message transfer efficiency.
     The Web service security solution based on WSE 3.0 policy extension has been applied in the construction of the credit-system fee management information system of Guangxi Normal University, where it resolved the problems of Web service authentication, access control, and message signing and encryption. Practice has shown that the scheme has good execution efficiency, security, maintainability and extensibility, and is of reference value for other applications.
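The following Python is an added example, not code from the thesis or from WSE 3.0: it shows the mechanism the abstract describes, a SOAP envelope whose wsse:Security header carries a ds:Signature that covers only selected elements, each located through a Reference URI pointing at the element's wsu:Id, and a service-side check that verifies those references before applying method-level RBAC. HMAC-SHA256 stands in for the X.509/RSA XML Signature that WSE 3.0 would produce, XML Encryption of elements is left out, and the service namespace, method names, roles, key and policy table are all constructed for the example.

```python
"""Added example (not the thesis's code): selective element-level signing of a
SOAP message, signed elements resolved by URI reference to their wsu:Id, and a
service-level RBAC check.  HMAC-SHA256 stands in for the X.509/RSA XML Signature
WSE 3.0 would emit; namespace, methods, roles, key and policy are constructed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SVC = "urn:example:campus-fees"  # constructed service namespace
for prefix, uri in {"s": SOAP, "wsse": WSSE, "wsu": WSU, "ds": DS, "svc": SVC}.items():
    ET.register_namespace(prefix, uri)

KEY = b"campus-demo-signing-key"  # constructed; stands in for the CA-issued certificate key
# Service-level RBAC policy (constructed): which roles may invoke which Web service method.
POLICY = {"QueryFee": {"student", "finance"}, "AdjustFee": {"finance"}}


def find_by_id(root, ref_id):
    """Resolve a Reference URI '#ref_id' to the first element carrying that wsu:Id."""
    return next((e for e in root.iter() if e.get(f"{{{WSU}}}Id") == ref_id), None)


def c14n(elem):
    """Canonicalize one element so signer and verifier hash identical bytes."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()


def build_envelope(method, role, student_id, amount):
    """Client side: envelope whose role token and operation element carry wsu:Id anchors."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    ET.SubElement(sec, f"{{{SVC}}}Role", {f"{{{WSU}}}Id": "id-role"}).text = role
    ET.SubElement(header, f"{{{SVC}}}ClientTrace").text = "build 1.0"  # deliberately left unsigned
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    op = ET.SubElement(body, f"{{{SVC}}}{method}", {f"{{{WSU}}}Id": "id-op"})
    ET.SubElement(op, f"{{{SVC}}}StudentId").text = student_id
    ET.SubElement(op, f"{{{SVC}}}Amount").text = str(amount)
    return env


def sign(env, ids):
    """Sign only the elements named in ids; everything else in the message stays unprotected."""
    sec = env.find(f".//{{{WSSE}}}Security")
    sig = ET.SubElement(sec, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    for ref_id in ids:
        ref = ET.SubElement(info, f"{{{DS}}}Reference", {"URI": "#" + ref_id})
        digest = hashlib.sha256(c14n(find_by_id(env, ref_id))).hexdigest()
        ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest
    mac = hmac.new(KEY, c14n(info), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(env, encoding="unicode")


def authorize(xml_text):
    """Service side: check SignatureValue, then every Reference digest, then RBAC."""
    env = ET.fromstring(xml_text)
    sig = env.find(f".//{{{WSSE}}}Security/{{{DS}}}Signature")
    if sig is None:
        return "denied: unsigned request"
    info = sig.find(f"{{{DS}}}SignedInfo")
    claimed = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
    if not hmac.compare_digest(hmac.new(KEY, c14n(info), hashlib.sha256).digest(), claimed):
        return "denied: bad signature"
    verified = {}
    for ref in info.findall(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = find_by_id(env, uri[1:]) if uri.startswith("#") else None
        if target is None or hashlib.sha256(c14n(target)).hexdigest() != ref.findtext(f"{{{DS}}}DigestValue"):
            return f"denied: digest mismatch for {uri}"
        verified[uri[1:]] = target
    if "id-role" not in verified or "id-op" not in verified:
        return "denied: role token and operation must both be signed"
    # Read the role and the method from the very elements whose digests were verified,
    # never from a fresh lookup that a wrapped duplicate element could satisfy.
    role = verified["id-role"].text
    method = verified["id-op"].tag.rsplit("}", 1)[1]
    if role in POLICY.get(method, set()):
        return f"allowed: {role} -> {method}"
    return f"denied: {role} may not call {method}"


if __name__ == "__main__":
    req = sign(build_envelope("AdjustFee", "finance", "2008123", 150), ["id-role", "id-op"])
    print(authorize(req))                                      # allowed: finance -> AdjustFee
    print(authorize(req.replace(">150<", ">9<")))              # denied: digest mismatch for #id-op
    print(authorize(req.replace(">build 1.0<", ">patched<")))  # still allowed: ClientTrace is unsigned
```

Two design points matter when selective signing is used this way. The operation element itself must be inside the signed set, otherwise a validly signed parameter can be moved under a different method name and the RBAC decision is made on the wrong method; and the role and method must be read from the elements that were resolved through the Reference URIs and digest-checked, not re-located by a separate XPath query, since an unsigned duplicate placed earlier in the document would otherwise be consulted (the classic XML signature wrapping mismatch). The unsigned ClientTrace header shows what selective coverage buys: it can be altered freely without invalidating the message, which is acceptable only for data the service never acts on.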