Wednesday 21 February 2007

WebService Security - Problem Description

Background
We offer web-based services like Web Map Service layers and Geocoders to developers and organisations. We need to associate Web Service requests with Web Host customers for billing purposes.
Web pages which use our web services (at the Web Host) will be implemented by third parties. The services should be available via a simple JavaScript API.

Actors
Web Service - Application or service on offer
Web Host - Actor offering application or service to end user
Browser - The End User

Statement of Problem
To provide Web Hosts with secure online access to our Web Services for their end-user Browser applications. A Web Host must be authorized for access to the Web Service requested.

Once authorization is established, the Browser will be allowed use of the Web Service on behalf of the Web Host. The Browser will have access to the Web Service.

Authorization must be invisible to the Browser; the authorization is between the Web Host and the Web Service. This may need to be kept distinct from how the Browser interacts with the Web Service once authorized. The Browser must be informed if authorization fails.

The Web Service access levels supported are allow or deny. Tiered levels of access are not addressed yet. Access to data and services will be determined by the Web Service.
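
One way the requirements above could be met, as an added example that is not part of the original post and is not AJAX Trust code: the Web Host signs a short-lived token on its server, the Browser passes it along with each request, and the Web Service answers allow or deny and identifies the Web Host to bill. The shared secret, the token layout and every name used here are assumptions made for illustration.

```javascript
// Added illustration, not AJAX Trust code. Names, secrets and times are constructed.
const crypto = require('crypto');

// Assumption: each Web Host shares a secret with the Web Service out of band.
const HOST_SECRETS = new Map([['host-123', 'constructed-demo-secret']]);

const sign = (secret, payload) =>
  crypto.createHmac('sha256', secret).update(payload).digest();

// Web Host (server side): mint a short-lived token and embed it in the served page.
function issueToken(hostId, service, secret, nowSec, ttlSec = 300) {
  const claims = JSON.stringify({ hostId, service, exp: nowSec + ttlSec });
  const payload = Buffer.from(claims).toString('base64url');
  return `${payload}.${sign(secret, payload).toString('base64url')}`;
}

// Web Service: decide allow or deny and name the Web Host to bill.
function authorize(token, service, nowSec) {
  const deny = (reason) => ({ allow: false, reason });
  const parts = String(token).split('.');
  if (parts.length !== 2) return deny('malformed');
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    return deny('malformed');
  }
  if (!claims || typeof claims.hostId !== 'string') return deny('malformed');
  const secret = HOST_SECRETS.get(claims.hostId);
  if (!secret) return deny('unknown host');
  // Verify the MAC before trusting any other claim; compare in constant time.
  const expected = sign(secret, parts[0]);
  const given = Buffer.from(parts[1], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return deny('bad signature');
  }
  if (claims.service !== service) return deny('wrong service');
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return deny('expired');
  return { allow: true, billTo: claims.hostId };
}
```

Because the token travels through the Browser, the expiry and the service binding limit what a copied token is worth. The deny reason is what the JavaScript API would report back to the Browser when authorization fails.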

2 comments:

Cameron Shorter said...

We have started work on this project and have called it AJAX Trust. See http://tools.assembla.com/ajaxtrust.

Cameron Shorter said...

A prototype version of AJAX Trust is complete. Contact us if you want more information. http://cameron.shorter.net