
Chapter 5. DRA4SOA

5.4 Implementation of DRA4SOA messages in Web services

In this section we discuss how to implement our security framework in Web services.

As mentioned in Section 5.2, a DRA4SOA message that contains the calling records of invocations and responses should be transmitted between callers and callees. SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information in the implementation of Web services [120]. A SOAP message is an ordinary XML document containing the following elements: (1) the envelope element defines the start and end of the message; (2) the header element contains any optional attributes of the message used in processing it (e.g., WS-Security defines how to embed elements in a SOAP header to carry security-related data); and (3) the body element contains the actual SOAP message, which usually includes the requested service name and the required parameters.

The optional header element offers a flexible framework for specifying additional application-level requirements. It is intended to add new features and functionality, and so we embed the DRA4SOA message in the header element as shown in Figure 52.

[Figure: a SOAP envelope containing a SOAP header and a SOAP body. The header holds the WS-Security and WS-Policy elements and the DRA4SOA message, which in turn holds the calling records M(REQ1), M(REQ2), M(RES2), M(RES1); the body holds the data of the SOAP body.]

Figure 52. A SOAP message embedded in a DRA4SOA message

SOAP ::=
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <soapenv:Header>
        HeaderOfWebService[i]
        DRA4SOA Message
      </soapenv:Header>
      <soapenv:Body>
        BodyOfWebService[i]
      </soapenv:Body>
    </soapenv:Envelope>

DRA4SOA Message ::=
    <dra4soa xmlns="http://iclab.csie.ntnu.edu.tw/dra4soa/">
      CallingRecord+
    </dra4soa>

CallingRecord ::=
    <callingRecord id="CRID" type="(Invocation|Response)">
      <caller>String</caller>
      <callee>String</callee>
      Content
      Signature
    </callingRecord>

Content ::=
    <content id="ContentID">
      <soapenv:Header>
        HeaderOfWebService[*]
      </soapenv:Header>
      [<soapenv:Body>
        BodyOfWebService[*]
      </soapenv:Body>]
    </content>

Signature ::=
    <signature id="SIG:CRID">
      W3CStandardSignature
    </signature>

HeaderOfWebService ::= String ; BodyOfWebService ::= String ; CRID ::= String

Figure 53. Syntax of the DRA4SOA message

Figure 53 shows the syntax of a SOAP message that contains a DRA4SOA message. We specify syntax definitions in Backus-Naur Form¹⁰ in this dissertation. HeaderOfWebService[i] and BodyOfWebService[i] represent the data elements in the original header and body of the SOAP message. To support the DRA4SOA framework we add an element, DRA4SOA Message, that represents a DRA4SOA message in a SOAP header. A DRA4SOA message contains all of the calling records in the calling chain formed so far. A calling record is represented by CallingRecord. As mentioned in Section 5.2, the general form of a calling record is { {WS(Rj)}ee, [{WS(Rj)}ee, a set of signatures]Pri(R) }¹¹. Here {WS(Rj)}ee is represented by <caller>String</caller>, <callee>String</callee>, and Content, and [{WS(Rj)}ee, a set of signatures]Pri(R) is represented by Signature. Note that the type attribute of the <callingRecord> element specifies whether the record is an invocation or a response message.

The <content> element records the header and body element of the original SOAP message. Figure 19 presents an example of this.

¹⁰ Conventionally, a nonterminal symbol in Backus-Naur form is delimited by < and >. To prevent confusion with XML elements, nonterminal symbols are underscored in this dissertation.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    HeaderOfWebService[i]
    <dra4soa xmlns="http://iclab.csie.ntnu.edu.tw/dra4soa/">
      <callingRecord id="CR_i-1" type="Invocation">
        </content>

Figure 54. An example of a SOAP message with the DRA4SOA message

As we have mentioned, the Signature element should represent [{WS(Rj)}ee, a set of signatures]Pri(R). We employ the W3C XML Signature standard [113], in which each signed part of the data is specified by its own <Reference> element when multiple parts are signed; the URI attribute of a <Reference> element identifies the part by its element ID. Referring to Figure 55, there are three <Reference> elements: the first (with attribute URI="#C:CR3") links to a <content> element, while the other two (with attributes URI="#SIGVAL:CR1" and URI="#SIGVAL:CR2") refer to the signature values of other calling records.

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SIG:CR3">
  <SignedInfo>
    <CanonicalizationMethod
    <Reference URI="#C:CR3">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>WW1tTQ57BuwVL7uxpfBPXLvWJUA=</DigestValue>
    </Reference>
    <Reference URI="#SIGVAL:CR1">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>4lLHYxi2rZRiDB+IRR4TcCp87kk=</DigestValue>
    </Reference>
    <Reference URI="#SIGVAL:CR2">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
      <DigestValue>HlfGGofRfvvQu2JQnrLA4fBxuLI=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue Id="SIGVAL:CR3">wNWgyiX0gdYVGUuAvJrWvUIdZf4l+SXZNhoVFSFLo3GtD2DiaIjMhc+LUbpM4yoWmTSXNIR/1Ibq
    V7xvcMG0Ux5RVQKNvrV8uEvVeQNETYiN6sf36I4o8mXfQANannPSPOXqM8GCwjaqKciqax7iHsdL
    uRd5PiyijZRmuD5psAs=</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <RSAKeyValue>
        <Modulus>whrjPIgsZeE4sv2DhBqtoWaXcSP4cuZUg1/AZ135kE+JHC5mswps111uwHKmajRK3I5AW2A2phP5
          EU/yZjER241Ic90S72Pfx54AiRyDRJFLMgPZnHyo7DH9SX2NX0hGuwqO2Kr4AgXFsaq+S/3JW9Q4
          rP/hmqMDhHHqdV/u0e8=</Modulus>
        <Exponent>AQAB</Exponent>
      </RSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>

Figure 55. An example of a <Signature> element
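The reference chain of Figure 55, as an added example that is not part of the dissertation or its implementation: a Python check that every <Reference> of a calling record's signature resolves to exactly one element and that the element's digest matches, so that a dangling URI, a duplicated ID or an altered <content> is rejected. The sample three-record chain, the names check_references and build_message, and the use of C14N 2.0 with SHA-256 from the Python standard library in place of the 2000/09 canonicalization and SHA-1 of the figure are all assumptions; SignatureValue and KeyInfo are not verified here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def digest(el):
    # Canonicalize one subtree and hash it; C14N 2.0 + SHA-256 stand in for the
    # figure's 2000/09 canonicalization + SHA-1 (assumption, not the original scheme).
    c14n = ET.canonicalize(ET.tostring(el, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def index_ids(root):
    # Map every id/Id attribute value to ALL elements carrying it; duplicates matter.
    ids = {}
    for el in root.iter():
        for attr in ("id", "Id"):
            if attr in el.attrib:
                ids.setdefault(el.attrib[attr], []).append(el)
    return ids

def check_references(xml_text, sig_id):
    # For <Signature Id=sig_id> return {URI: ok}; a Reference is accepted only if its
    # "#id" URI resolves to exactly one element whose digest equals the DigestValue.
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    result = {}
    for ref in ids[sig_id][0].iter(DS + "Reference"):
        uri = ref.get("URI", "")
        targets = ids.get(uri[1:], []) if uri.startswith("#") else []
        result[uri] = len(targets) == 1 and digest(targets[0]) == ref.findtext(DS + "DigestValue")
    return result

# Constructed sample chain: CR1 and CR2 are earlier records (placeholder SignatureValues);
# CR3 signs its own <content> plus both earlier SignatureValues, as in Figure 55.
TEMPLATE = """<dra4soa xmlns="http://iclab.csie.ntnu.edu.tw/dra4soa/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <callingRecord id="CR1" type="Invocation"><ds:Signature Id="SIG:CR1"><ds:SignatureValue Id="SIGVAL:CR1">c2lnbmF0dXJlMQ==</ds:SignatureValue></ds:Signature></callingRecord>
 <callingRecord id="CR2" type="Invocation"><ds:Signature Id="SIG:CR2"><ds:SignatureValue Id="SIGVAL:CR2">c2lnbmF0dXJlMg==</ds:SignatureValue></ds:Signature></callingRecord>
 <callingRecord id="CR3" type="Response">
  <content id="C:CR3"><quote symbol="ACME">{payload}</quote></content>
  <ds:Signature Id="SIG:CR3"><ds:SignedInfo>
   <ds:Reference URI="#C:CR3"><ds:DigestValue>{d0}</ds:DigestValue></ds:Reference>
   <ds:Reference URI="#SIGVAL:CR1"><ds:DigestValue>{d1}</ds:DigestValue></ds:Reference>
   <ds:Reference URI="#SIGVAL:CR2"><ds:DigestValue>{d2}</ds:DigestValue></ds:Reference>
  </ds:SignedInfo></ds:Signature>
 </callingRecord>
</dra4soa>"""

def build_message(payload="42.00"):
    # Fill in the three DigestValues the way the signer of CR3 would (RSA step omitted).
    ids = index_ids(ET.fromstring(TEMPLATE.format(payload=payload, d0="", d1="", d2="")))
    d0, d1, d2 = (digest(ids[k][0]) for k in ("C:CR3", "SIGVAL:CR1", "SIGVAL:CR2"))
    return TEMPLATE.format(payload=payload, d0=d0, d1=d1, d2=d2)
```

Altering the response body after signing breaks only the #C:CR3 reference, while repointing a URI at an ID that does not exist is reported as a failed reference rather than silently skipped.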