Service-oriented architecture security

A.Y. 2020/2021
Overall hours
Learning objectives
The objective of the course is to illustrate the basic techniques for confidentiality and integrity of semi-structured and unstructured data.
On this basis, the course explores techniques and standards for authentication, identity management and user profile harvesting in Web services; surveys the authorization languages for access to network resources and Web services, as well as the methods for the acquisition and representation of assurance metadata; and covers in depth the techniques and tools for assurance and service safety certification.
Expected learning outcomes
At the end of the course, the student will be able to: manage the confidentiality, integrity and digital signature controls at service interfaces; manage the authorization policies and security of Web Services; deal with the problems related to the assurance and certification of Web Services.
Course syllabus and organization

Single session

Lesson period
Second semester
Live lessons will be streamed and recorded on Microsoft Teams following the semester schedule. Recorded lessons will be available on Microsoft Teams for asynchronous access by the students.

Program and teaching resources will be the same with no changes.

The exam will consist of the traditional written exam and the project presentation.

The written exam will be delivered on EXAM.NET + SEB + Zoom. To participate you will need two devices, one to write the exam (e.g., a laptop), and another one (e.g., a smartphone or a tablet) with a webcam and a microphone for surveillance.

The project presentation will be face to face, where possible. If not possible, the oral exam will be delivered on Microsoft Teams or, as an alternative, Zoom.

The assessment criteria will be the same with no changes.
Course syllabus
The course focuses on the following topics:

- Introduction to SOA Security
- Cryptography and digital signature on semi-structured data
- Web Service Security
- WS-Security, WS-Trust
- WS-Secure Conversation, WS-Security Policy
- Basic concepts of digital identity
- Technologies for the management of digital identity
- Digital identity management platforms
- OAuth 2.0
- OpenID
- Fine-grained authorization languages
- Basic concepts of the architectures for policy evaluation and decision
- XACML profiles for specific application sectors
- Special purpose policy languages
- Assurance general concepts
- Services certification
- Security certifications
Prerequisites for admission
Knowledge of Web technologies, of semi-structured data formats, and of the main application protocols.
Teaching methods
The theoretical course consists of traditional lectures. During the course practical activities on web services programming will be organized.
Teaching Resources
Web site:

Slides and notes of the course

Additional documentation: C.A. Ardagna, E. Damiani, N. El Ioini "Open Source Systems Security Certification," Springer, 2008.
Assessment methods and Criteria
The exam is composed of a written test and the presentation of a project.

The written test, which will last an hour and a half, will include questions and practical exercises based on the course syllabus. The project activity, to be agreed with the Professor, will consist of developing an application that implements the security protocols studied during the course. The project can be carried out in groups of up to three students.

When the student successfully passes the written test and after the presentation of the project, a final evaluation is computed, expressed in thirtieths, considering: knowledge of the topics, ability to apply the learned knowledge to the resolution of a practical project, project quality, critical thinking skills, clarity of exposition, and propriety of language.
INF/01 - INFORMATICS - University credits: 6
Lessons: 48 hours
Professor: Damiani Ernesto