
Experience Report: Design and Implementation of a Component-Based Protection Architecture for ASP.NET Web Services

  • Conference paper
Component-Based Software Engineering (CBSE 2005)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 3489)

Abstract

This report reflects, from a software engineering perspective, on the experience of designing and implementing protection mechanisms for ASP.NET Web services. The limitations of the Microsoft ASP.NET container security mechanisms render them inadequate for hosting enterprise-scale applications that have to be protected according to diverse and/or complex application-specific security policies. In this paper we report on our experience of designing and implementing a component-based architecture for protecting enterprise-grade Web service applications hosted by ASP.NET. Because of its flexibility and extensibility, this architecture enables the integration of ASP.NET into the organizational security infrastructure with less effort on the part of Web service developers. The architecture has been implemented in a real-world security solution. This paper also contributes a best practice for constructing flexible and extensible authentication and authorization logic for Web services by using the Resource Access Decision (RAD) and Attribute Function (AF) architectural styles. Furthermore, the lessons learned from our design and implementation experience are discussed throughout the paper.



Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

Cite this paper

Beznosov, K. (2005). Experience Report: Design and Implementation of a Component-Based Protection Architecture for ASP.NET Web Services. In: Heineman, G.T., Crnkovic, I., Schmidt, H.W., Stafford, J.A., Szyperski, C., Wallnau, K. (eds) Component-Based Software Engineering. CBSE 2005. Lecture Notes in Computer Science, vol 3489. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11424529_23


  • DOI: https://doi.org/10.1007/11424529_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25877-3

  • Online ISBN: 978-3-540-32049-4

  • eBook Packages: Computer Science (R0)