| Graduate student: | 王冠傑 Wang, Kuan-Chieh |
|---|---|
| Thesis title: | 應用整合性網路服務安全模型於企業服務應用之研究 The Study of Business Services Application with Integrated Security Model of Web Services |
| Advisor: | 蔡長鈞 Tsai, Chang-Chun |
| Degree: | Master |
| Department: | College of Management - Institute of Information Management |
| Year of publication: | 2007 |
| Academic year of graduation: | 95 |
| Language: | Chinese |
| Number of pages: | 56 |
| Keywords: | Web Services, Web Services Integrated Security Architecture |
Web Services feature a loosely coupled architecture, operate across heterogeneous environments and platforms, pass through firewalls, and allow components to be reused, which lets enterprises integrate their systems more quickly. Web Services are built from XML documents such as WSDL, SOAP and UDDI. These documents are all in plaintext, and WSDL describes how to use a Web Service, including function names, parameter types, return values and other useful information. This makes it easier for malicious parties to find vulnerabilities in a Web Service and attack it through SOAP, causing serious losses to the enterprise.
As enterprises deploy more Web Services, attacks against them will multiply, so resolving Web Services security concerns has long been a major issue for enterprises. Although Web Services security specifications are maturing, they remain incomplete in application: while building Web Services, enterprises cannot clearly see the outline of the overall security architecture, which part of the system architecture a given security module belongs in, or how secure the connections between system components are.
Based on the XML security specifications published by the W3C and IETF and the WS-Security specification designed by Microsoft, IBM and Verisign, this research organizes and analyzes the related knowledge as its foundation and proposes a Web Services Integrated Security Architecture for protecting the Web Services environment. It provides the security modules needed throughout the Web Services development process, implements a prototype system in Java, and uses examples to verify the feasibility and practicality of the model. Enterprises can then use this architecture to apply the appropriate security component modules when developing and integrating Web Services components.