WS-SM: Web Services - Secured Messaging Framework with Pluggable APIs

Dynamic composition of web services is important in B2B applications where user requirements and business policies change and new services get added to the service registry frequently. In a dynamic composition environment, ensuring the security of messages communicated among the web services becomes challenging since, several attacks are possible on SOAP messages in the public network due to their standardized interfaces. Most of the existing works on web services security provide solutions to ensure basic security features such as confidentiality, integrity, authentication, authorization, and non-repudiation. Few existing works that provide solutions such as schema validation and schema hardening for attacks on web services do not provide attack-specific solutions. The web services security standard and all the existing works have addressed only the security of messages between a client and a single web service but not the security for messages between two services which is quite challenging. Hence, a security framework for secured messaging among web services has been proposed to provide attack-specific solutions. Since new types of web service attacks are evolving over time, the proposed security solutions are implemented as APIs that are pluggable in any server where the web service is deployed. The proposed framework has been tested for compliance with WSI-BP to demonstrate its interoperability and subjected to vulnerability testing which proved its immunity to attacks. The stress testing results revealed that the throughput decreased only by 35% achieving a good trade-off between performance and security.