Server-Side Streaming Processing of WS-Security
October-December 2011 (vol. 4 no. 4)
pp. 272-285
Nils Gruschka, NEC Europe Ltd., Heidelberg
Meiko Jensen, Ruhr University Bochum, Germany
Luigi Lo Iacono, European University of Applied Sciences, Brühl
Norbert Luttenberger, University of Kiel, Kiel
As SOAP-based web services leave the phase of being an exploratory set of new technologies and become mature, fundamental building blocks for service-driven business processes, and in some cases even for mission-critical systems, the demand for nonfunctional requirements, including efficiency as well as security and dependability, increases rapidly. Although web services are capable of coupling heterogeneous information systems in a flexible and cost-efficient way, their processing efficiency and their robustness against certain attacks do not yet meet industry-strength requirements. In this paper, a comprehensive stream-based WS-Security processing system is introduced, which enables more efficient processing in service computing and increases robustness against different types of Denial-of-Service (DoS) attacks. The introduced engine is capable of processing all standard-conforming applications of WS-Security in a streaming manner. It can handle, e.g., any order, number, and nesting degree of signature and encryption operations, closing the gap toward more efficient and dependable web services.

Index Terms:
Web services, SOAP, WS-Security, streaming processing, DoS robustness, efficient processing.
Citation:
Nils Gruschka, Meiko Jensen, Luigi Lo Iacono, Norbert Luttenberger, "Server-Side Streaming Processing of WS-Security," IEEE Transactions on Services Computing, vol. 4, no. 4, pp. 272-285, Oct.-Dec. 2011, doi:10.1109/TSC.2010.61