企业架构下Web Service技术的研究
摘要
或许在未来的20年里,Web Service将会成为软件开发领域最热门的话题,随着WEB2.0的迅速普及,如何利用好Web Service这一新技术就成为一个非常重要的课题。
尽管SOA(Service Oriented Architecture)架构已经深入人心,但是针对这个领域的争论却一直没有停止过,以至于至今对于SOA都没有一个准确的定义。但毫无疑问的是,在实际的开发领域,人们已经越来越多地使用SOA概念下的新技术,当然,由此也产生了许多新的问题,安全性问题便是其中一个最为突出的方面。
本文开篇即介绍了SOA及Web Service相关技术基础。主要介绍了SOA和Web Service的概念并分析了它们之间的区别。另外,SOA的体系结构、Web Service的实现方法中所需要的技术、基于Web Service的一些基本协议和解决方案----WSDL、UDDI、SOAP以及XML-----本文也做了详细的介绍,同时也介绍了一些当前比较成熟的软件开发方法和工具对Web Service的支持。
针对Web Service的迅猛发展中遗留的安全问题,本文主要介绍了Web Service所需求的安全性的特点,实现Web Service安全性的一些基本目标和相关原则,给出了一些对现有的安全技术的讨论,也分析了一些相关的研究成果、实现方法及相关标准。
在介绍了Web Service的开发技术并且分析了众多安全体系之后,结合国内的软件开发现状,集中对Eclipse+Tomcat+Axis组合的Web Service开发方法进行了深入研究,并在此框架下设计了一个提供安全保障的Web服务模型,给出了相应的模块设计方案,加入了对Web Service的安全性支持。
最后,通过一个例子观察了在该模型下,SOAP消息在未加密前和加密后的区别,通过具体的分析,验证了该模型对Web服务安全性的提升。
Maybe in the next 20 years, Web Service will be the most popular subject in the field of software designning. With the charm of WEB 2.0, how to use this new technology will surely become a very important topic.
Though SOA (Service Oriented Architecture) is well-known, dissensions on this field has never stopped, even today there is no strict definition about SOA. But there is no doubt that in the real market of software designning, the designners are using the new technologies based on SOA more and more. Of course, with the rapid growth of it, there are still a lot of problems left.
At the beginning of this article, we will talk about the basic technologies based on SOA and Web Service. We will discuss the definitions of SOA and Web Service, also the little differernces between them. Then we will focus on these technologies that we will obviously ues in developing Web Service applications, like WSDL、UDDI、SOAP and XML. We will also talk about some well-developed techniques that support Web Service.
The problem of security of Web Sevice is greatly increasing while Web Sevice itself doing the same thing. In this article, we will discuss the characteristic of Web Sevice security problem, some basic destinations and prinsples are also included, we will make some discuss on the technologies of security which we have already made in use now, and we will also metion some solutions and standards.
After discussing the technique of Web Service development and many security system in this subject, based on the actuality of this domain, we will take the solution of developing Web Service by Eclipse+Tomcat+Axis as our key point, and design a web service module which can provide the solution of security, with the specific design of the inner modules.
Also, at the end of the article, we will give a test that simulates an attack. In this test, by comparing the differences between encrypted and unencrypted SOAP envelope, we can see how the module we provided works. It also proves the assurance of security that provided by our module.
尽管SOA(Service Oriented Architecture)架构已经深入人心,但是针对这个领域的争论却一直没有停止过,以至于至今对于SOA都没有一个准确的定义。但毫无疑问的是,在实际的开发领域,人们已经越来越多地使用SOA概念下的新技术,当然,由此也产生了许多新的问题,安全性问题便是其中一个最为突出的方面。
本文开篇即介绍了SOA及Web Service相关技术基础。主要介绍了SOA和Web Service的概念并分析了它们之间的区别。另外,SOA的体系结构、Web Service的实现方法中所需要的技术、基于Web Service的一些基本协议和解决方案----WSDL、UDDI、SOAP以及XML-----本文也做了详细的介绍,同时也介绍了一些当前比较成熟的软件开发方法和工具对Web Service的支持。
针对Web Service的迅猛发展中遗留的安全问题,本文主要介绍了Web Service所需求的安全性的特点,实现Web Service安全性的一些基本目标和相关原则,给出了一些对现有的安全技术的讨论,也分析了一些相关的研究成果、实现方法及相关标准。
在介绍了Web Service的开发技术并且分析了众多安全体系之后,结合国内的软件开发现状,集中对Eclipse+Tomcat+Axis组合的Web Service开发方法进行了深入研究,并在此框架下设计了一个提供安全保障的Web服务模型,给出了相应的模块设计方案,加入了对Web Service的安全性支持。
最后,通过一个例子观察了在该模型下,SOAP消息在未加密前和加密后的区别,通过具体的分析,验证了该模型对Web服务安全性的提升。
Maybe in the next 20 years, Web Service will be the most popular subject in the field of software designning. With the charm of WEB 2.0, how to use this new technology will surely become a very important topic.
Though SOA (Service Oriented Architecture) is well-known, dissensions on this field has never stopped, even today there is no strict definition about SOA. But there is no doubt that in the real market of software designning, the designners are using the new technologies based on SOA more and more. Of course, with the rapid growth of it, there are still a lot of problems left.
At the beginning of this article, we will talk about the basic technologies based on SOA and Web Service. We will discuss the definitions of SOA and Web Service, also the little differernces between them. Then we will focus on these technologies that we will obviously ues in developing Web Service applications, like WSDL、UDDI、SOAP and XML. We will also talk about some well-developed techniques that support Web Service.
The problem of security of Web Sevice is greatly increasing while Web Sevice itself doing the same thing. In this article, we will discuss the characteristic of Web Sevice security problem, some basic destinations and prinsples are also included, we will make some discuss on the technologies of security which we have already made in use now, and we will also metion some solutions and standards.
After discussing the technique of Web Service development and many security system in this subject, based on the actuality of this domain, we will take the solution of developing Web Service by Eclipse+Tomcat+Axis as our key point, and design a web service module which can provide the solution of security, with the specific design of the inner modules.
Also, at the end of the article, we will give a test that simulates an attack. In this test, by comparing the differences between encrypted and unencrypted SOAP envelope, we can see how the module we provided works. It also proves the assurance of security that provided by our module.
引文
1.柴晓路,梁宇奇.Web Service技术、架构和应用[M].北京:电子工业出版社,2003.
2. Ben Galbraith, Whitney Hankison.吴旭超,王黎译.Web服务安全性高级编程[M].清华大学出版社.(2002).
3. David J.N. Artus .SOA实现:服务设计原则[M/OL]http://www.ibm.com/developerworks/cn/wehservices iws-soa-design/.2006
4. W3C. Simple Object Access Protocol(SOAP)1.1. [S/OL] http://www.w3.org/CR/2000/NOTE-SOAP-20000508/. 2000-5-8.
5.张振兴.Web服务安全性的研究与实现[D].硕士学位论文.华北电力大学。2004.
6.李帆.基于.NET的Web服务安全技术的研究[D].硕士学位论文.武汉理工大学,2006.5.
7. Jack Koftikian. Simple Object Access Protocol.[M] Technical University Hamburg-Harburg, 2005.
8. Robert Englande. Java and SOAP. [M] O'Reilly, 2002-5.
9.顾宁,刘家茂,柴晓路.Web Services原理与研发实践[M].北京:机械工业出版社,2006.
10. HartwiQ Gunzer. Introduction to Web Services. Sales Engineer[M], Borland, 2002.
11. David Chappell, Tyler Jewell. Java Web Service, First Edition[M]. O'Reilly, 2002..
12.崔妍卿,杨德华.Web Services与传统Web应用[J].微计算机应用,2005.
13.马忠贵.叶斌.涂序彦.基于SOAP的软件通信模型研究[J].计算机工程,2006年第9期.
14.朱振杰.SOA的关键技术的研究与应用实现[D].成都:电子科技大学,2006
15. XML Signature Workgroup. XML Signature Syntax and Processing[S]. W3C Proposed Recommandation, 2001-8-20
16. Erik C.and Francisco C.Web Service Description Language(WSDL)1.1.W3C Note[EB/OL], March 2001.http://www.w3.org/FR/wsdl.
17. Tom Bellwood.理解UDDI [EB/OL]. http://www.ibm.corn./developerworks/cn/webservices/ws-featuddi/index.html,2006
18.王磊.基于XML的Web服务案例性研究[J].上海:华东师范大学
19.李安渝.Web Services技术与实现[M].国防工业出版社,2003,1, 287-288
20.金丽娜.将兴浩.李建华.基于属性证书的Web Services访问控制模型[J].计算机工程. 2006年第9期.
21. JEd Roman. Mastering Enterprise JavaBean. SecondEdtion[M], John Wiley& Sons, lnc, 2002.
22.郑东曦,唐韶华,黎绍发.XML Web服务安全技术纵览[J].计算机工程与应用,2004.7,38-41.
23.王斌.Web Services安全问题的研究[D].硕士学位论文.华北电力大学,2005.12.
24.吴晨,王忠民.Web Service中身份验证体系的研究与应用[J].计算机应用研究,2003,7: 8082.
25. Murdoch Mactaggart.XML加密和XML签名简介[M].2001.9.
26.王凡,李勇,朗宝平,李程旭.基于WS-Security构筑安全的SOAP消息调用[J].计算机应用,2004,2,4 :121 -123.
27.胡迎松,彭利文,池楚兵.XML Web服务的安全问题及安全技术[J].计算机应用研究,2003. 10.
28.刘涛,齐爱玲,常心坦.Web服务安全中XML加密技术的研究[J].仪器仪表学报,2006,27(6),20602061.
29.王晓玲等.Web服务组合的基于文法的消息处理[J].计算机学报,2005,29(7):1057、1066
30.袁利永,屠雄刚。基于Web Services实现身份统一认证[J]。计算机与数字工程,2005,9 ,3435
31.张艳科,汤胤,.分布式计算技术的分析与Web服务[J].IT论坛,2004,1
32. H.M.Deitel,B.DuWaldt等.Web服务实用技术教程[M].机械工业出版社2004,200-202
33. Bobby Woolf.通过服务模拟来简化SOA开发[EB/OL] . http://www.128.ibm.com/developerworks/cn/ webservices /ws-mocks/, 2006.
34.周刚,朱晴波,胡南军,陈道蓄,谢立南. Web服务解决方案分析[J].计算机工程, 2002,(06) .
35.段靖荒,林子禹,万丰. J2EE企业解决方案的平台[J].计算机应用, 2001,(S1) .
36.曹鸣鹏,赵伟,许林英. J2EE技术及其实现[J].计算机应用, 2001,(10) .
2. Ben Galbraith, Whitney Hankison.吴旭超,王黎译.Web服务安全性高级编程[M].清华大学出版社.(2002).
3. David J.N. Artus .SOA实现:服务设计原则[M/OL]http://www.ibm.com/developerworks/cn/wehservices iws-soa-design/.2006
4. W3C. Simple Object Access Protocol(SOAP)1.1. [S/OL] http://www.w3.org/CR/2000/NOTE-SOAP-20000508/. 2000-5-8.
5.张振兴.Web服务安全性的研究与实现[D].硕士学位论文.华北电力大学。2004.
6.李帆.基于.NET的Web服务安全技术的研究[D].硕士学位论文.武汉理工大学,2006.5.
7. Jack Koftikian. Simple Object Access Protocol.[M] Technical University Hamburg-Harburg, 2005.
8. Robert Englande. Java and SOAP. [M] O'Reilly, 2002-5.
9.顾宁,刘家茂,柴晓路.Web Services原理与研发实践[M].北京:机械工业出版社,2006.
10. HartwiQ Gunzer. Introduction to Web Services. Sales Engineer[M], Borland, 2002.
11. David Chappell, Tyler Jewell. Java Web Service, First Edition[M]. O'Reilly, 2002..
12.崔妍卿,杨德华.Web Services与传统Web应用[J].微计算机应用,2005.
13.马忠贵.叶斌.涂序彦.基于SOAP的软件通信模型研究[J].计算机工程,2006年第9期.
14.朱振杰.SOA的关键技术的研究与应用实现[D].成都:电子科技大学,2006
15. XML Signature Workgroup. XML Signature Syntax and Processing[S]. W3C Proposed Recommandation, 2001-8-20
16. Erik C.and Francisco C.Web Service Description Language(WSDL)1.1.W3C Note[EB/OL], March 2001.http://www.w3.org/FR/wsdl.
17. Tom Bellwood.理解UDDI [EB/OL]. http://www.ibm.corn./developerworks/cn/webservices/ws-featuddi/index.html,2006
18.王磊.基于XML的Web服务案例性研究[J].上海:华东师范大学
19.李安渝.Web Services技术与实现[M].国防工业出版社,2003,1, 287-288
20.金丽娜.将兴浩.李建华.基于属性证书的Web Services访问控制模型[J].计算机工程. 2006年第9期.
21. JEd Roman. Mastering Enterprise JavaBean. SecondEdtion[M], John Wiley& Sons, lnc, 2002.
22.郑东曦,唐韶华,黎绍发.XML Web服务安全技术纵览[J].计算机工程与应用,2004.7,38-41.
23.王斌.Web Services安全问题的研究[D].硕士学位论文.华北电力大学,2005.12.
24.吴晨,王忠民.Web Service中身份验证体系的研究与应用[J].计算机应用研究,2003,7: 8082.
25. Murdoch Mactaggart.XML加密和XML签名简介[M].2001.9.
26.王凡,李勇,朗宝平,李程旭.基于WS-Security构筑安全的SOAP消息调用[J].计算机应用,2004,2,4 :121 -123.
27.胡迎松,彭利文,池楚兵.XML Web服务的安全问题及安全技术[J].计算机应用研究,2003. 10.
28.刘涛,齐爱玲,常心坦.Web服务安全中XML加密技术的研究[J].仪器仪表学报,2006,27(6),20602061.
29.王晓玲等.Web服务组合的基于文法的消息处理[J].计算机学报,2005,29(7):1057、1066
30.袁利永,屠雄刚。基于Web Services实现身份统一认证[J]。计算机与数字工程,2005,9 ,3435
31.张艳科,汤胤,.分布式计算技术的分析与Web服务[J].IT论坛,2004,1
32. H.M.Deitel,B.DuWaldt等.Web服务实用技术教程[M].机械工业出版社2004,200-202
33. Bobby Woolf.通过服务模拟来简化SOA开发[EB/OL] . http://www.128.ibm.com/developerworks/cn/ webservices /ws-mocks/, 2006.
34.周刚,朱晴波,胡南军,陈道蓄,谢立南. Web服务解决方案分析[J].计算机工程, 2002,(06) .
35.段靖荒,林子禹,万丰. J2EE企业解决方案的平台[J].计算机应用, 2001,(S1) .
36.曹鸣鹏,赵伟,许林英. J2EE技术及其实现[J].计算机应用, 2001,(10) .