Input Validation Framework for Web Services

Abstract

Security is an important aspect for all kinds of software development, but it is especially important for web applications since they usually are exposed to the Internet. Web Services offer application to application connectivity using the SOAP protocol. Web Services are quite often built as an extension to already existing applications to provide business to business communication. Since it is often necessary to expose critical business functions through the Web Services, e.g., ordering an item or sending an invoice, security in Web Services are vital for a company s daily operations. In this project we have created an input validation framework for Web Services, to aid developers in creating more secure Web Services in an easier and more reusable manner. We have focused on creating a lightweight policy configuration based on XML, and a set of highly configurable and extendable validators. The framework is implemented in Java and is not dependent on a specific SOAP framework. To keep the framework general and compatible with multiple SOAP frameworks, we have developed a set of interceptors to support the two most common open source SOAP frameworks, Codehaus XFire and Apache Axis2. This report first presents theory and rationale behind the need for a new way of performing input validation. Further the implementation of the framework is documented together with an example application, which demonstrates an example use of the framework.