
Implementing web service security policies for education database system


AGU International Journal of Sciences – 2019, Vol. 7 (4), 74 – 81

IMPLEMENTING WEB SERVICE SECURITY POLICIES FOR EDUCATION
DATABASE SYSTEM
Nguyen Hoang Tung¹, Nguyen Van Hoa¹
¹An Giang University, VNU - HCM

Information:
Received: 20/02/2019
Accepted: 29/03/2019
Published: 11/2019
Keywords: Web service, security, identification, authentication, authorization

ABSTRACT
Today, information security is particularly relevant given the increasing risk involved in exchanging data on the Internet between applications and web services. In this article, we analyze the information security risks of web services, evaluate existing solutions, and then select the most effective policies for the education database system. We have implemented security policies including authentication and authorization, in which authentication is based on OAuth 2.0 and JSON web tokens (JWT). We have also implemented two authorization filters, a coarse authorization filter and a fine-grained authorization filter, to improve the effectiveness of the authorization. Experimental results show that the running time of the fine-grained authorization filter is negligible.


1. INTRODUCTION

Today, the exchange of information on the Internet is ever-expanding. Therefore, information security when exchanging information is an urgent and vital requirement for robust information systems. The exchange of information on the Internet often carries many risks because of constant attacks by many parties that aim to eavesdrop on the content of information, change messages, impersonate and replay information. According to an announcement by the Information Security Department on May 9, 2016, Vietnam is ranked only 76 out of 196 countries and territories on information security metrics. Therefore, in order to minimize the risks of information exchange on the Internet when deploying a new information system, we need to analyze and assess information security risks, from which we will select and implement synchronous information security policies.


In the era of the information explosion, web technology has become a familiar and widely used platform. Many large organizations, such as Google, Amazon, eBay, PayPal, and Facebook, have made substantial strides thanks to the development of websites based on the web service platform. Web services help web developers build distributed applications with a large number of users in many different locations, which client/server models cannot handle (Bruijn et al. 2016). Unlike the traditional client/server models, a web service doesn't provide a graphical interface. Instead, a web service provides standard methods to share and process data through the interface of the application. A web service is a systematic application designed to support interoperability between applications running on different information technology platforms, adopting XML or JSON, SOAP, WSDL, UDDI and internet protocols (Ardagna et al. 2006).

Web service resources are identified by URLs to perform functions and provide information to other applications when required. A web service is built by combining functions and packaging them so that other applications can easily access it, and it can also send information requests to other services.

As we know, common security standards for information systems transactions on the Internet often have to focus on criteria such as identification, authentication, authorization, integrity, auditing and confidentiality (Peltier 2014). Therefore, the following security standard is the standard for web service security for access protocol (SOAP) and the extension of this protocol (Bhandari and Wadhe 2014).

The trend of developing information systems based on web services is inevitable because of its advantages. However, this trend faces many challenges, many of which are related to information security. In this article, we focus on introducing the information security challenges of web services as well as common solutions. Based on that, we select and implement effective policies for the education database system of An Giang province.

The next section presents the existing information security policies for web services. The third section is composed of an analysis of security requirements, and a resulting selection and construction of security policies for the education database system of An Giang province. Conclusions and directions are addressed in the final section.

2. WEB SERVICE SECURITY POLICIES

2.1 Web service component model

Web services include 3 main components: SOAP, WSDL and UDDI. The relationship between the three standards that organize the web service architecture is presented in Figure 1.

[Figure 1 labels: UDDI (Service registry); Service consumer; Service provider; Find service; Publish service; Describe service (WSDL); SOAP messages]

Figure 1. Web service overview

The web service architecture includes a set of network protocols to define, locate, implement and create a web service to interact with other applications or services. In particular, UDDI is used to register and discover web services that have been described in WSDL. A UDDI transaction uses SOAP to communicate with the UDDI server, then SOAP requests a web service. SOAP messages are sent over HTTP and TCP/IP. Two of the four main components of the web service protocols are Service Transport and XML messages. Service Transport transmits messages between network applications, including protocols such as HTTP, SMTP, FTP, and protocol JSM given constant expansion blocks (Blocks Extensible Exchange Protocol - BEEP). XML messages are responsible for decoding messages in XML format so that they can be understood at the application level to interact with the user. Currently, the protocols that perform this task are SOAP and REST (Fielding 2000).

2.2 Web service security policies

Web services allow linking and interacting with applications via the Internet, so security is a top concern when combining applications with a web service. Implementing security policies for web services is very important to protect information from unauthorized access. A secure information system is a system where the processed information must ensure three characteristics (Stallings 2011):

- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is characterized by the unauthorized disclosure of information.

- Integrity: Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity. A loss of integrity is constituted by the unauthorized modification or destruction of information.

- Availability: Ensuring timely and reliable access to and use of information. A loss of availability is comprised of the disruption of access to or use of information or an information system.

Based on the three characteristics of a secure information system, the security policies of the proposed web service include identity management, authentication and authorization, encryption and digital certificates.

2.2.1 Identity management

Web services may be public or have access points available for public data, but there are also many access points that need to be controlled in resource-intensive applications. In order to enforce access control, the issuing entity must first be identified and authenticated, which is a process known as identity management. Identity management includes two important elements: authentication and authorization.

Authentication is the process of identifying an entity through an identifier and verifying identity through the authentication of information provided by the competent authority. Users can authenticate identity through one of three types of login information: what the person knows/remembers (such as passwords, PINs); what users own (such as certificates, USB dongles); and what belongs to the user (such as fingerprints).

Once an identity has been authenticated, the application can control access to resources based on this identity. This process is called authorization. A simple application can allow access to significant resources entirely based on identity. However, most applications have policies that allow access based on attributes, such as role, that are linked with the authenticated identity.

Role-based security is the most commonly used security model in organizations or business applications. The key benefit of using this model is that it is easy to organize users. Access rights are not granted directly to an individual user, but to an abstraction called a role. The user is assigned to one or more roles, through which the user will have access to the resources.

2.2.2 Authentication and authorization methods

- Basic authentication is described as part of the HTTP protocol (Lakshmiraghavan 2013). This authentication process occurs when the client requests resources that need to be authenticated. The authentication server then responds with a status code indicating unauthorized access. The client must then send an authorization header containing the login credentials. If the login information is valid, the server will reply with the status of a successful login.

- Authentication messages are also part of the HTTP protocol, but they differ from basic authentication because the actual password is not sent to the server, and instead a hash code, message authentication code, or a message code is sent (Lakshmiraghavan 2013). When the server receives the message sent from the client along with the user's name, it will hash the user's password stored on the server to get the hash value. If the hash value matches the message the user sent, the authentication is successful.

- Open authorization (OAuth) was proposed to meet the need to share resources between applications, also known as resource sharing to third parties, without having to share the user's credentials. The first version of OAuth is 1.0 and it is a protocol. This version works in three steps: (1) The client sends a temporary confirmation request to the server; (2) The server performs a temporary validation process and allows the real access request to be granted a temporary token; (3) The server returns the access token to the client based on provisional credentials and temporary tokens. Version OAuth 2.0 was released in 2012 to improve the limitations of OAuth 1.0. Version 2.0 is seen as a framework and is used today (Hardt 2012).

- An access token is a string representing the authorization given to the client. Because the access token is issued by an authorization server and used by the resource server, OAuth 2.0 does not specify how the access token should be structured or formatted. This depends on the resource server and the authorization server. Access tokens can be generated according to some specifications such as simple web tokens (SWT) or JSON web tokens (JWT) (Bradley 2016).

2.2.3 Encryption and digital certificate

Applications conduct transactions with the web service by sending access requests to resources. After identifying and checking access, data exchange will be performed between the client application and the web service. The typical format of information is now either XML or JSON. Both are plain-text formats, so the information can be read by anyone. Therefore, the data transmission channel between client application and web service must be secured through the HTTPS protocol. The HTTPS protocol is designed to secure HTTP by allowing it to work over SSL/TLS protocols (IBM 2018).

3. IMPLEMENTING WEB SERVICE SECURITY POLICIES FOR EDUCATION DATABASE SYSTEM

3.1 Education database system of An Giang province

[Figure 2 labels: Applications; RESTful web service; AGEDU HRM; AGEDU SCHOOL; AGEDU EAM; AGEDU FM]

Figure 2. Architecture model of education database system

The education database system of An Giang province, referred to as the “database system,” aims to support the management and administration of the provincial education sector. The system includes a database of four components: human resource management (HRM), school management, equipment - asset management (EAM), and financial management (FM), as shown in Figure 2. The database system is designed on the basis of RESTful web service architecture (Lakshmiraghavan 2013). In this architectural model, applications will not directly access databases, but they will operate through API calls in order to access resources on web services.


The number of users of the database system is substantial, with 26.000 users at various levels ranging from the province to districts, schools, or staff. In addition, users in a unit, such as teachers, equipment managers, and accountants, will be allowed to access different resources depending on the areas assigned to them.

3.2 Analysis of security requirements of education database system

Based on practical requirements, there must be security policies for the database system to ensure resource access rights through identification, verification of management access levels and assigned positions, and a secure data exchange channel between applications and web services.

We propose to divide the system's users into four user groups (Privilege): the province department group, the district department group, the school group and the staff group. Each user belongs to only one of the four user groups. The province department user group has the highest level of access, with access to the catalog tables of the databases with all rights (read, add, delete and edit), but the rest of the user groups are only allowed to access directory resources with read-only permission. The district department user group has access only to the resources of the department level. Meanwhile, users belonging to the employee group have access only to resources belonging to this user level.

In addition, each user will be assigned to one or more roles. Each role is linked to the right to access one of the four components of the database. For example, users who are teachers in the employee group should only be allowed to access the school database, while the accountants in the staff group should also have access to the financial database.

3.3. Design and implement security policies for education database system

[Figure 3 labels: User; Web Application; Authorization server; OAuth Database; Web API; OWIN Middleware; Authentication filter; Authorization filter 1; Authorization filter 2; API action; Resources; AGEDU Database; flows labelled Password and Token]

Figure 3. Model of authentication and authorization of the educational data system

To encrypt the content exchanged between applications and the web service as XML or JSON, we use the HTTPS protocol with a digital certificate from the provider DigiCert for the web server running the home page of the web service. We have also set up auditing for important tables.

Besides these security policies, the major focus of our work is improving the OAuth 2.0 authentication model by adding authorization filter 2 to the authentication and authorization model in order to meet the security requirements for the web service, as shown in Figure 3. In this model, authentication and authorization proceed through the following steps: (a) users log in with their username and password; (b) the authorization server confirms the login, creates an access token, and sends it to the application; (c) the access token is sent to the authentication filter along with resource access (API action) requests; (d) authorization filter 1 acts as a coarse filter and checks the user's roles against the database being accessed; (e) if the user passes filter 1, authorization filter 2 acts as a fine-grained filter and verifies the access right to the required API action.
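
Steps (b) and (c) of this model, as an added Python example that is not the authors' code (their implementation uses OWIN and Identity framework in C#): the authorization server issues a minimal HS256 JWT, and the authentication filter pins the algorithm, compares the signature in constant time and rejects expired tokens. The shared key, the 15-minute lifetime and the claim names privilege and roles are assumptions, chosen so that the two authorization filters can read the user group and roles from the token.

```python
import base64
import hashlib
import hmac
import json

# Assumption: authorization server and Web API share one HS256 key (constructed value).
SECRET = b"constructed-demo-key-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(username, privilege, roles, now, ttl=900):
    """Step (b): the authorization server creates the access token after login."""
    header = {"alg": "HS256", "typ": "JWT"}
    # "privilege" and "roles" are hypothetical claim names for the user group and roles.
    claims = {"sub": username, "privilege": privilege, "roles": roles,
              "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return signing_input + "." + b64url_encode(sign(signing_input))


def validate_token(token, now):
    """Step (c): the authentication filter returns the claims, or None to reject."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        # Pin the algorithm: the token must not choose "none" or another scheme.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = sign(head_b64 + "." + claims_b64)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON or encoding
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or now >= exp:
        return None  # missing or elapsed expiry: reject
    return claims
```

Only claims returned by validate_token should reach the authorization filters; a request whose token is rejected never gets as far as filter 1.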

To build the proposed model, we designed an OAuth database with 7 tables to store user information (tblUsers), user roles (tblUserRoles and tblRoles), and user groups and access rights to the API Actions of each user group (tblPrivilege, tblBusiness, tblPermission and tblGrantPermission), as shown in Figure 4. Of these, tblBusiness stores information about the tables of the four database components, tblPermission stores the information about the API Actions of the data tables, and tblGrantPermission stores the access rights of each user group (Privilege) on each API Action.

Figure 4. Relational schema of OAuth database

We designed the algorithm of authorization filter 2 with 3 input parameters: the name of the data table (tblName), the name of the API Action (actionName) and the user group (privilege). This algorithm has 2 steps: (1) find the ID of actionName in the tblPermission table by the parameters tblName and actionName; this step always returns the ID of the actionName to look for; (2) check the privilege user group's access to actionName: access is granted if a data row containing the ID and privilege is found in the tblGrantPermission table.

Authorization filter 2 Algorithm

input:  tblName, actionName, privilege
output: true | false

PermisID = empty
foreach r in tblPermission
    if (r.ControllerName == tblName and r.ActionName == actionName)
        then PermisID = r.PermissionID
granted = empty
foreach r in tblGrantPermission
    if (r.Privilege == privilege and r.PermissionID == PermisID)
        then granted = r
if (granted is not empty) then return true
else return false
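
The two authorization filters chained together, as an added Python example that is not the authors' C#/LINQ code: filter 1 checks that one of the user's roles opens the requested database component, and filter 2 runs both loops of the pseudocode as a single parameterized join that denies whenever either table has no matching row. The column names come from the pseudocode; the role-to-component map, the schema constraints, the data table names and every sample row are constructed assumptions.

```python
import sqlite3

# Assumption: which roles open which of the four components (HRM, SCHOOL, EAM, FM).
ROLE_COMPONENTS = {"teacher": {"SCHOOL"}, "accountant": {"SCHOOL", "FM"}}


def build_db():
    """In-memory stand-in for the two OAuth tables used by filter 2 (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tblPermission (
            PermissionID   INTEGER PRIMARY KEY,
            ControllerName TEXT NOT NULL,
            ActionName     TEXT NOT NULL,
            UNIQUE (ControllerName, ActionName));
        CREATE TABLE tblGrantPermission (
            Privilege    TEXT NOT NULL,
            PermissionID INTEGER NOT NULL REFERENCES tblPermission (PermissionID),
            PRIMARY KEY (Privilege, PermissionID));
    """)
    db.executemany("INSERT INTO tblPermission VALUES (?, ?, ?)", [
        (1, "tblStudent", "Get"),
        (2, "tblStudent", "Delete"),
        (3, "tblSalary", "Get"),
    ])
    db.executemany("INSERT INTO tblGrantPermission VALUES (?, ?)", [
        ("Staff", 1), ("School", 1), ("School", 2), ("Staff", 3),
    ])
    return db


def filter1(roles, component):
    """Coarse filter: does any of the user's roles open this database component?"""
    return any(component in ROLE_COMPONENTS.get(role, ()) for role in roles)


def filter2(db, tbl_name, action_name, privilege):
    """Fine-grained filter: permission lookup and grant check in one query.

    An action missing from tblPermission or a group missing from
    tblGrantPermission yields no row, so the default answer is deny.
    """
    row = db.execute(
        """SELECT 1
             FROM tblPermission p
             JOIN tblGrantPermission g ON g.PermissionID = p.PermissionID
            WHERE p.ControllerName = ? AND p.ActionName = ? AND g.Privilege = ?
            LIMIT 1""",
        (tbl_name, action_name, privilege)).fetchone()
    return row is not None


def authorize(db, user, component, tbl_name, action_name):
    """Run filter 1 first; filter 2 is consulted only if the coarse check passes."""
    return (filter1(user["roles"], component)
            and filter2(db, tbl_name, action_name, user["privilege"]))
```

The UNIQUE and PRIMARY KEY constraints also give the database indexes on exactly the columns the join filters on, so the lookup stays cheap as the grant table grows.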

We set up the authentication and authorization policies in the Microsoft Visual Studio 2017 environment, using the C# programming language and the ASP.NET MVC platform. The four education database components are designed and installed on SQL Server 2012 with 258 tables. The authentication server and authorization filter 1 use the OWIN library (IBM 2018). This library is based on the OAuth 2.0 architecture. We also use the JWT access token and Identity framework 2.0. Authorization filter 2 is implemented on the LINQ platform to control access to resources for the four user groups mentioned in section 3.2.

We measured the running time of the authorization filter 2 algorithm through the execution time of the SQL query statement in SQL Server Management Studio. The experimental data is as follows: the number of actionName entries in table tblPermission is 1.540; the total number of data rows in the tblGrantPermission table is 5.580. Experimental results on the average running time of the authorization filter 2 algorithm for the four user groups are shown in Table 1. Table 1 shows that the average running time of authorization filter 2 is negligible, but the access control role of this filter is very important in controlling access to API Action resources.

Table 1. Average running time of authorization filter 2 algorithm

User group      Staff    School   District department   Province department
Running time    15 ms    15 ms    15 ms                 15 ms

4. CONCLUSION AND FUTURE WORKS

We have presented a solution to implement security policies for the education database system of An Giang province based on the web service platform. The policies include authentication, authorization, encryption and auditing. The authentication and authorization policies are deployed in the OAuth 2.0 model with JSON web token (JWT) access tokens. We have also implemented two authorization filters with coarse and fine filtering functions in the OAuth 2.0 model to improve the efficiency of the authorization policies. In the future we will develop additional security policies such as those designed to combat distributed denial-of-service (DDoS) attacks.

REFERENCES

Ardagna Claudio Agostino, Ernesto Damiani, Sabrina De Capitani di Vimercati and Pierangela Samarati. (2006). A Web Service Architecture for Enforcing Access Control Policies. Electronic Notes in Theoretical Computer Science, 142, 47–62.

Bradley J., Sakimura N., & Jones M. (2016). JSON Web Token (JWT).

De Bruijn J., Lausen H., Polleres A., & Fensel D. (2006). The Web Service Modeling Language WSML: An Overview. ESWC 2006.

Fielding Roy Thomas. (2000). Architectural Styles and the Design of Network-based Software Architectures (doctoral dissertation). University of California, Irvine.

Hardt D. (2012). The OAuth 2.0 Authorization Framework.

IBM. (2018). An overview of the SSL or TLS handshake.

Lakshmiraghavan Badrinarayanan. (2013). Pro ASP.NET Web API Security.

Lekha V. Bhandari and Avinash P. Wadhe. (2014). Review Paper on Web Service Security. International Journal on Computer Science and Engineering.

Peltier Thomas R. (2014). Information Security Fundamentals (2nd ed). New York: CRC Press.

William Stallings. (2011). Cryptography and Network Security: Principles and Practice (5th ed). Prentice Hall.