ABSTRACT

Security for service-oriented computing has become a critical issue. For example, consider the process of ordering a book from an agency. We go to the catalog published by the agency. The agency has to ensure that we are authorized to read the information about the books (i.e., the metadata). We place the order. The agency will then determine which part of the book we can read, if any. The appropriate parts of the book are then released to us (the consumer). This secure service can be implemented in software as follows. The customer checks the website of the agency, finds the book and places the order. The website will only display the books the customer is authorized to see. The secure order management service implemented by the agency takes the order, sends a message to the warehouse service and requests the book. The warehouse service then finds that the book is in its inventory and sends a message to the order management service. The warehouse service is where the security service is invoked; the appropriate parts of the book are then sent to the shipping service. The shipping service then ships the book to the customer. If the book has to be displayed electronically, then the appropriate parts of the book may be displayed through the order management service. So there is a composition of secure services, starting from the order management service, then the warehouse service, and finally the shipping service. These three services provide the customer with what he wants. All of these services have to enforce appropriate security controls. In implementing the secure services, we need to enforce activation, access control, trust management, and privacy control. In addition, the documents that the customer gets must be authentic, which means integrity has to be maintained.
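The composition described above, as an added Python sketch that is not part of the chapter: the order management service filters catalog metadata by authorization, the warehouse service invokes the security policy to select readable parts and signs what it releases, and the shipping service refuses to deliver anything whose integrity tag no longer verifies. The catalog, roles, policies and signing key are all constructed for the example.

```python
"""Added example (not from the chapter): a toy composition of the three
services described in the abstract, each enforcing its own control.
All names, roles, books, policies and the key below are constructed."""
import hmac
import hashlib

# Constructed catalog: book id -> metadata and the parts of its text
CATALOG = {
    "b1": {"title": "Secure SOA", "parts": {"ch1": "intro text", "ch2": "deep text"}},
}
# Constructed policy: which metadata a role may see, which parts it may read
VIEW_POLICY = {"guest": {"b1"}, "subscriber": {"b1"}}
READ_POLICY = {"guest": {"b1": {"ch1"}}, "subscriber": {"b1": {"ch1", "ch2"}}}
SECRET = b"warehouse-signing-key"  # assumption: key shared with the shipping verifier

def order_management_list(role):
    """Order management service: show only the metadata the role may see."""
    return {bid: CATALOG[bid]["title"] for bid in VIEW_POLICY.get(role, set())}

def warehouse_release(role, book_id):
    """Warehouse service: invoke the security policy to select readable parts,
    then tag the released content so integrity can be checked downstream."""
    if book_id not in CATALOG or book_id not in VIEW_POLICY.get(role, set()):
        raise PermissionError("not authorized to see this book")
    allowed = READ_POLICY.get(role, {}).get(book_id, set())
    released = {p: t for p, t in CATALOG[book_id]["parts"].items() if p in allowed}
    payload = "\n".join(f"{p}:{released[p]}" for p in sorted(released))
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"book": book_id, "parts": released, "payload": payload, "tag": tag}

def shipping_deliver(package):
    """Shipping service: deliver only if the warehouse's tag still verifies."""
    expected = hmac.new(SECRET, package["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["tag"]):
        raise ValueError("integrity check failed; document was altered in transit")
    return package["parts"]

def order_book(role, book_id):
    """Compose the three services for one customer order."""
    if book_id not in order_management_list(role):
        raise PermissionError("book not visible in the catalog for this role")
    return shipping_deliver(warehouse_release(role, book_id))
```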