Securing instance-level interactions in Web services

Abstract

The Web service technology enables dynamic service composition, resource utilisation and application integration in a heterogeneous computing environment. Web services can be used to compose and perform flexible and complex business flows. In practice, a Web service may create multiple service instances working for different business flows or business sessions, whilst the service instances within a business session may be created by different Web services, often designed, implemented and maintained by different organisations across different security domains. This introduces new challenges to existing security systems and solutions. For many applications ensuring security only at the level of Web services is not enough for a fine-grained level of control for multi-party collaborations because interactions amongst Web services in fact happen at the level of service instances. In this paper, we address the problem of how to secure instance-level interactions in Web services, and discuss different schemes for identifying and authenticating service instances. We present an experimental system and analyse some performance results. The experimental system implements instance-level communication control and instance authentication. The experimental results demonstrate that the overhead of execution time introduced by instance authentication is proportional to the number of the session partners within a business session.