在現今的電腦領域中，存在者各種不同的電腦系統，這些不同的電腦系統或是程式之間會需要傳遞一些訊息。以往不同電腦系統之間的訊息傳遞會需要額外的轉換動作，往往是費時又費工，而網路服務的出現提供的一個解決的方法，藉由網路服務的技術，各種電腦系統之間的訊息傳遞簡單了許多。在網路服務技術越來越成熟普及的當下，網路服務的安全性也越來越被重視，而現今有關網路服務安全性的研究大多都只提出理論及架構。因此，本研究使用OASIS組織所制定的可擴展存取控制標記語言(eXtensible Access Control Markup Language，XACML)之架構為基礎實作，利用XACML以屬性為基礎的政策，制訂使我們可以加入各種不同的環境參數如，地點、時間，來進行存取控制之控管，進而增加安全性。本系統也以網路服務的架構建置，如此可以方便的讓各個不同網路服務的提供者可以方便的使用本系統，而在網路傳輸的安全性上使用了超文字傳輸安全協定(Hypertext Transfer Protocol Secure，HTTPS) 。本研究藉由上述之各種方法設計出一個可以方便操作且具高度安全性的網路服務存取控制的系統。

There are various computer systems existing in computer field nowadays. Most of the time these systems or programs send messages to each other. However, these inter-system communications need extra translation which waste time and efforts. The introduction of web services provides a new solution, which makes communication among computer systems much easier. At the present time, web services techniques become more and more mature and popular, so people start to pay much attention on security issues of web services. Currently, most research about security issues of web services provides theory and structure. Therefore, this essay is based on the structure of XACML (eXtensible Access Control Markup Language) which is defined by the organization of OASIS. By defining policy with XACML attribute can help us add many different environmental variables, such as location and time for access control. In this way, the security can be enhanced. In this essay, a system with web services structure is established as well, which makes each different web services provider use it conveniently. It also employs HTTPS (Hypertext Transfer Protocol Secure) for the security of network transmission. With all the techniques described above, this essay designs a user friendly system with high level security of web services access control.

摘要 II
ABSTRACT VI
目錄 VIII
圖目錄 X
表目錄 XII
1. 緒論 1
2. 文獻探討 5
2.1 網路服務 5
2.1.1 SOAP 6
2.1.2 WSDL 7
2.2 網路服務的安全性 8
2.3 身分驗證 9
2.4 存取控制方法 11
3. 系統架構 19
3.1 架構概述 20
3.2 架構內容 21
3.2.1 使用者客戶端(User Client) 21
3.2.2 網路服務存取控制系統 22
3.2.3 網路服務端(Web Services) 28
3.3 運作流程 28
3.3.1 註冊及設定安全資訊 29
3.3.2 網路服務客戶端授權流程 30
3.4 存取控制作法 32
4. 系統實作 37
4.1 系統環境與開發工具 37
4.2 介面實作 37
4.3 網路服務實作 44
4.4 硬體架構 50
4.5 效能分析 52
5. 結論 57
6. 參考文獻 59

[1] ITU, Measuring The Information Society, http://www.itu.int/en/ITU-D/Statistics/Documents/publications/mis2013/MIS2013_without_Annex_4.pdf, 2013.
[2] OASIS, eXtensible Access Control Markup Language(XACML), https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
[3] W3C, Web Services Glossary , http://www.w3.org/TR/2004/NOTE-ws-gloss-20040211/#webservice
[4] W3C, Web Service Description Language (WSDL) 1.1, http://www.w3.org/TR/wsdl , Mar 15, 2001.
[5] W3C, SOAP Version 1.2 Part 0: Primer (Second Edition), http://www.w3.org/TR/soap12-part0/, Apr 27, 2007.
[6] W3C, Web Services Architecture, http://www.w3.org/TR/ws-arch/, Feb11, 2004.
[7] OASIS, UDDI Version 3.02, http://uddi.org/pubs/uddi-v3.0.2-20041019.htm, Oct 10, 2004.
[8] OASIS , Web Services Security(WSS)TC , https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
[9] Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., and Chandramoult, R., Proposed NIST Standard for Role-Based Access Control, ACM Transactions on Information and System Security, Vol. 4, No. 3, pp. 224-274, August. 2001.
[10] Wolter, R., XML Web Services Basics, Microsoft Corporation, http://msdn.microsoft.com, 2001.
[11] Bloomberg, J. and Schmelzer, R., A Guide to Securing XML and Web Services, ZapThink White Paper, http:// www.zapthink.com, 2004.
[12] W3C, XML Encryption WG, http://www.w3.org/Encryption/2001/, 2001.
[13] W3C, XML-Signature Syntax and Processing, http://www.w3.org/TR/xmldsig-core/, Feb, 2002.
[14] OASIS, SAML Version 2.0 Errata 05, http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.html, May, 2012.
[15] W3C, XML Key Management Specification, http://www.w3.org/TR/xkms/, Mar, 2001
[16] U.S. Department of Defense, Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, Dec, 1985.
[17] Sandhu , R.S., Coyne , E.J. , Feinstein , H.L., Youman , C. E., Role-Based Access Control Models, IEEE Computer, Vol. 29, No. 2, pp. 38-47, Feb, 1996.
[18] Bonatt, P., and Samarati, P., A unified framework for regulating access and information release on the Web, Journal of Computer Security, Vol. 10, No. 3, pp. 241-272, 2002.
[19] Zhao, G., Chadwick, W. D., On The Modeling of Bell-LaPadula Security Policies Using RBAC, IEEE Conference, pp. 257-262, 2008.
[20] Wonohoesodo, R.,Tari, Z., A Role based Access Control for Web Services, IEEE International Conference on Services Computing, 2004.
[21] Laborde, R., Cheaito, M., Barrere, F., Benzekri, A., An extensible XACML authorization web service: Application to dynamic web sites access control, Fifth International Conference on Signal Image Technology and Internet Based Systems, pp. 1-7, Dec 4, 2009.
[22] Ran, C., Guo, G., Security XACML Access Control Model Based on SOAP encapsulates, International Conference on Computer Science and Service System (CSSS), pp. 2543-2546, Jun 27, 2011.
[23] OASIS, eXtensible Access Control Markup Language (XACML) Version 3.0, http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html, Jan, 2013.
[24] W3C, XML Schema Part 2: Datatypes Second Edition, http://www.w3.org/TR/xmlschema-2/, Oct, 2004.
[25] Oracle, Standard Edition Development Kit(JDK), http://www.oracle.com/technetwork/java/javase/downloads/index.html
[26] The Eclipse Foundation, Eclipse Home, http://www.eclipse.org/.
[27] The Apache Software Foundation, Apache Axis2/Java”, http://ws.apache.org/axis2/
[28] The Apache Software Foundation, HTTP Server Project, http://httpd.apache.org/
[29] The Apache Software Foundation, Apache Tomcat, http://tomcat.apache.org/
[30] The Apache Software Foundation, The Apache Tomcat Connector, http://tomcat.apache.org/connectors-doc/generic_howto/loadbalancers.html
[31] The Apache Software Foundation, The Apache Tomcat Connector-AJP Protocol Reference, http://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
[32] The Apache Software Foundation, Apache JMeter, http://jmeter.apache.org/
[33] 資策會，2013年台灣民眾行動與無線上網現況，http://www.find.org.tw/find/hom.aspx?page=many&;id=362
[34] TWNIC， 2013寬頻網路使用調查報告，http://www.twnic.net.tw/download/200307/200307index.shtml
[35] 許雅婷，一個安全的行動付款商業模式，2013