{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,12]],"date-time":"2025-11-12T03:16:55Z","timestamp":1762917415045,"version":"build-2065373602"},"reference-count":47,"publisher":"MDPI AG","issue":"2","license":[{"start":{"date-parts":[[2012,4,20]],"date-time":"2012-04-20T00:00:00Z","timestamp":1334880000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/3.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Future Internet"],"abstract":"<jats:p>An important aspect for the acceptance of Service-Oriented Architectures is having convenient ways to help designers build secure applications. Numerous standards define ways to apply security in web services. However, these standards are rather complex and sometimes overlap, which makes them hard to use and may produce inconsistencies. Representing them as patterns makes them easier to understand, to compare to other patterns, to discover inconsistencies, and to use them to build secure web services applications. Security patterns abstract the key aspects of a security mechanism and can thus be applied by non-experts. We survey here our work on security patterns for web services and their standards and we put them in perspective with respect to each other and to more fundamental patterns. We also consider other patterns for web services security. All the patterns described here have been previously published, we only show here one of them in detail as an illustration of our style for writing patterns. Our main purpose here is to enumerate them, show their use, and show how they relate to each other.<\/jats:p>","DOI":"10.3390\/fi4020430","type":"journal-article","created":{"date-parts":[[2012,4,20]],"date-time":"2012-04-20T11:01:48Z","timestamp":1334919708000},"page":"430-450","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["A Survey of Patterns for Web Services Security and Reliability Standards"],"prefix":"10.3390","volume":"4","author":[{"given":"Eduardo B.","family":"Fernandez","sequence":"first","affiliation":[{"name":"Florida Atlantic University, 777 Glades, Boca Raton, FL 33431, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ola","family":"Ajaj","sequence":"additional","affiliation":[{"name":"Florida Atlantic University, 777 Glades, Boca Raton, FL 33431, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ingrid","family":"Buckley","sequence":"additional","affiliation":[{"name":"Florida Atlantic University, 777 Glades, Boca Raton, FL 33431, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nelly","family":"Delessy-Gassant","sequence":"additional","affiliation":[{"name":"Florida Atlantic University, 777 Glades, Boca Raton, FL 33431, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Keiko","family":"Hashizume","sequence":"additional","affiliation":[{"name":"Florida Atlantic University, 777 Glades, Boca Raton, FL 33431, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Maria M.","family":"Larrondo-Petrie","sequence":"additional","affiliation":[{"name":"Florida Atlantic University, 777 Glades, Boca Raton, FL 33431, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2012,4,20]]},"reference":[{"key":"ref_1","unstructured":"Gamma, E., Helm, R., Johnson, R., and Vlissides, J. (1994). Design Patterns: Elements of Reusable Object-Oriented Software, Addison-Wesley."},{"key":"ref_2","unstructured":"Schumacher, M., Fernandez, E.B., Hybertson, D., Buschmann, F., and Sommerlad, P. (2006). Security Patterns: Integrating Security and Systems Engineering, Wiley."},{"key":"ref_3","unstructured":"Fernandez, E.B. (2012). Security Patterns in Practice: Building Secure Architectures Using Software Patterns, John Wiley & Sons."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Mouratidis, H., and Giorgini, P. (2006). Integrating Security and Software Engineering: Advances and Future Vision, IGI Gloga.","DOI":"10.4018\/978-1-59904-147-6"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Delessy, N., and Fernandez, E.B. (2008, January 4\u20137). A Pattern-driven Security Process for SOA Applications. Proceedings of the 3rd International Conference on Availability, Reliability, and Security (ARES 2008), Barcelona, Spain.","DOI":"10.1109\/ARES.2008.89"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Fernandez, E.B., and Delessy, N. (2006, January 23\u201325). Using Patterns to Understand and Compare Web Services Security Products and Standards. Proceedings of the International Conference on Web Applications and Services (ICIW\u201906), Guadeloupe, French Caribbean.","DOI":"10.1109\/AICT-ICIW.2006.202"},{"key":"ref_7","unstructured":"Fernandez, E.B., Hashizume, K., Buckley, I., Larrondo-Petrie, M.M., and VanHilst, M. (2009). Web Services Security Development and Architecture: Theoretical and Practical Issues, IGI Global Group."},{"key":"ref_8","unstructured":"Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P., and Stal, M. (1996). Pattern- Oriented Software Architecture, Wiley."},{"key":"ref_9","unstructured":"Fernandez, E., and Pan, R. (2001, January 11\u201315). A pattern Language for Security Models. Proceedings of the 8th Conference on Pattern Language of Programs (PLoP2001), Monticello, IL, USA."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"De Capitani di Vimercati, S., Samarati, P., and Jajodia, S. (2005, January 28\u201330). Policies, Models, and Languages for Access Control. Proceedings of the (Databases in Networked Information Systems)DNIS 2005, Aizu-Wakamatsu, Japan.","DOI":"10.1007\/978-3-540-31970-2_18"},{"key":"ref_11","first-page":"397","article-title":"Access control: Principles and solutions","volume":"33","author":"Paraboschi","year":"2002","journal-title":"Softw Pract. Exp."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Delessy, N., Fernandez, E.B., Larrondo-Petrie, M.M., and Wu, J. (2007, January 5\u20138). Patterns for Access Control in Distributed Systems. Proceedings of the 14th Pattern Languages of Programs Conference (PLoP2007), Monticello, IL, USA.","DOI":"10.1145\/1772070.1772074"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Farkas, C., and Samarati, P. (2004). Research Directions in Data and Applications Security XVIII, Springer.","DOI":"10.1007\/b115770"},{"key":"ref_14","unstructured":"Delessy-Gassant, N., Fernandez, E.B., Rajput, S., and Larrondo-Petrie, M.M. (2004, January 8\u201312). Patterns for Application Firewalls. Proceedings of the Pattern Languages of Programs Conference (PLoP) 2004, Monticello, IL, USA."},{"key":"ref_15","unstructured":"Delessy, N., and Fernandez, E.B. (2005, January 7\u201310). Patterns for the eXtensible Access Control Markup Language. Proceedings of the 12th Pattern Languages of Programs Conference (PLoP2005), Monticello, IL, USA."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Ajaj, O., and Fernandez, E.B. (2010, January 23\u201326). A Pattern for the WS-Policy Standard. Proceedings of the 8th Latin American Conference on Pattern Languages of Programs (SugarLoafPLoP 2010), Salvador, Bahia, Brazil.","DOI":"10.1145\/2581507.2581511"},{"key":"ref_17","unstructured":"OASIS, WS-Trust 1.4. Available online:http:\/\/docs.oasis-open.org\/ws-sx\/ws-trust\/v1.4\/cd\/ws-trust-1.4-spec-cd-01.pdf."},{"key":"ref_18","unstructured":"Fernandez, E.B., Delessy, N.A, and Larrondo-Petrie, M.M. (2006, January 22\u201326). Patterns for Web Services Security. Proceedings of the 21st International Conference on Object-Oriented Programming, Systems, Languages, and Applications, Portland, OR, USA."},{"key":"ref_19","unstructured":"Lockhart, H., Andersen, S., Bohren, J., Sverdlov, Y., Hondo, M., Maruyama, H., Nadalin, A., Nagaratnam, N., Boubez, T., and Morrison, K.S. Web Services Federation Language (WS-Federation) Version 1.1. Available online:http:\/\/download.boulder.ibm.com\/ibmdl\/pub\/software\/dw\/specs\/ws-fed\/WS-Federation-V1-1B.pdf?S_TACT=105AGX04&S_CMP=LP."},{"key":"ref_20","unstructured":"OASIS, WS-SecureConversation 1.3. Available online:http:\/\/docs.oasis-open.org\/ws-sx\/ws-secureconversation\/200512\/ws-secureconversation-1.3-os.html."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Hashizume, K., and Fernandez, E.B. (2009, January 17\u201319). A Pattern for WS-Security. First IEEE Int. Workshop on Security Eng.Environments, Shanghai, China.","DOI":"10.1016\/S1353-4858(09)70030-3"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Hashizume, K., and Fernandez, E.B. (2009, January 28\u201330). Symmetric Encryption and XML Encryption Patterns. Proceedings of the 16th Conference on Pattern Languages of Programs (PLoP 2009), Chicago, IL, USA.","DOI":"10.1145\/1943226.1943243"},{"key":"ref_23","unstructured":"Hashizume, K., Fernandez, E.B., and Huang, S. (2009, January 8\u201312). Digital Signature with Hashing and XML Signature patterns. Proceedings of the 14th European Conference on Pattern Languages of Programs (EuroPLoP 2009), Bavaria, Germany."},{"key":"ref_24","unstructured":"XML Signature Syntax and Processing. Available online:http:\/\/www.w3.org\/TR\/xmldsig-core."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Delessy, N., Fernandez, E.B., and Larrondo-Petrie, M.M. (2007, January 4\u20139). A Pattern Language for Identity Management. Proceedings of the 2nd IEEE International Multiconference on Computing in the Global Information Technology (ICCGI 2007), Guadeloupe, French Caribbean.","DOI":"10.1109\/ICCGI.2007.5"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"624","DOI":"10.1007\/978-3-540-72909-9_69","article-title":"Adapting Web Services Security Standards for Mobile and Wireless Environments","volume":"4537\/2007","author":"Delessy","year":"2007","journal-title":"Lect. Notes Comput. Sci."},{"key":"ref_27","unstructured":"W3C, Web Services Policy 1.5\u2014Framework. Available online:http:\/\/www.w3.org\/TR\/ws-policy\/."},{"key":"ref_28","unstructured":"OASIS, W-S SecurityPolicy 1.2. Available online:http:\/\/docs.oasis-open.org\/ws-sx\/ws-securitypolicy\/v1.2\/ws-securitypolicy.pdf."},{"key":"ref_29","unstructured":"Buckley, I., Fernandez, E.B., Rossi, G., and Sadjadi, M. (2009, January 1\u20133). Web Services Reliability Patterns. Proceedings of the 21st International Conference on Software Engineering and Knowledge Engineering (SEKE\u20192009), Boston, MA, USA."},{"key":"ref_30","first-page":"345","article-title":"Attack patterns: A new forensic and design tool","volume":"242\/2007","author":"Fernandez","year":"2007","journal-title":"IFIP Int. Fed. Inf. Process."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Mu\u00f1oz-Arteaga, J., Fernandez, E.B., and Caudel, H. (2011, January 5\u20137). Misuse Pattern: Spoofing Web Services. Proceedings of the Asian Pattern Languages of Programs Conference, 2011, Toyko, Japan.","DOI":"10.1145\/2524629.2524643"},{"key":"ref_32","unstructured":"Box, D. Available online:http:\/\/msdn.microsoft.com\/en-us\/library\/aa479664.aspx."},{"key":"ref_33","unstructured":"WebSphere DataPower XML Security Gateway XS40. Available online:http:\/\/www-01.ibm.com\/software\/integration\/datapower\/xs40\/."},{"key":"ref_34","unstructured":"The SecureSpan XML Firewall. Available online:http:\/\/www.layer7tech.com\/main\/products\/xml-firewall.html."},{"key":"ref_35","unstructured":"Vordel STS. Available online:http:\/\/www.vordel.com\/solutions\/security_token_services.html."},{"key":"ref_36","unstructured":"PingTrust, a standalone Security Token Server. Available online:http:\/\/www.pingidentity.com\/about-us\/news-press.cfm?customel_datapageid_1173=1404."},{"key":"ref_37","unstructured":"Web Services Metadata Exchange. Available online:http:\/\/www.w3.org\/TR\/ws-gloss\/."},{"key":"ref_38","unstructured":"Fayad, M.E., and Hamza, H. The Trust Analysis Pattern. Available online:http:\/\/sugarloafplop2004.ufc.br\/acceptedPapers\/ww\/WW_1.pdf."},{"key":"ref_39","unstructured":"Morrison, P., and Fernandez, E.B. The credentials pattern. Available online:http:\/\/portal.acm.org\/citation.cfm?id=1415472.1415483."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Zirpins, C., Lamersdorf, W., and Baier, T. (2004, January 15\u201318). Flexible Coordination of Service Interaction Patterns. Proceedings of the Second International Conference on Service-Oriented Computing (ICSOC\u201904), New York, NY, USA.","DOI":"10.1145\/1035167.1035175"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1145\/844339.844346","article-title":"Overview of some patterns for architecting and managing composite web services","volume":"3","author":"Benatallah","year":"2002","journal-title":"ACM SIGecom Exch."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Tatsubori, M., Imamura, T., and Nakamura, Y. (2004, January 6\u20139). Best-Practice Patterns and Tool Support for Configuring Secure Web Services Messaging. Proceedings of the IEEE International Conference on Web Services (ICWS\u201904), San Diego, CA, USA.","DOI":"10.1109\/ICWS.2004.1314745"},{"key":"ref_43","unstructured":"Imamura, T., and Tatsubori, M. (2003, January 26\u201331). Patterns for Securing Web Services Messaging. Proceedings of the OOPSLA Workshop on Web Services and Service Oriented Architecture Best Practice and Patterns, Anaheim, CA, USA."},{"key":"ref_44","doi-asserted-by":"crossref","unstructured":"Grushka, N., Jensen, M., and LoIacono, L. (2010, January 15\u201318). A Design Pattern for Event-Based Processing of Security-enriched SOAP Messages. Proceedings of the International Conference on Availability, Reliability, and Security (ARES 2010), Krakow, Poland.","DOI":"10.1109\/ARES.2010.23"},{"key":"ref_45","unstructured":"Erl, T. (2009). SOA Design Patterns, Prentice Hall."},{"key":"ref_46","unstructured":"Web Service Security Patterns\u2014Community Technical Preview. Available online:http:\/\/msdn.microsoft.com\/en-us\/library\/ff648183.aspx."},{"key":"ref_47","unstructured":"Steel, C., Nagappan, R., and Lai, R. (2005). Core Security Patterns: Best Strategies for J2EE, Web Services, and Identity Management, Prentice Hall."}],"container-title":["Future Internet"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1999-5903\/4\/2\/430\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T21:49:55Z","timestamp":1760219395000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1999-5903\/4\/2\/430"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2012,4,20]]},"references-count":47,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2012,6]]}},"alternative-id":["fi4020430"],"URL":"https:\/\/doi.org\/10.3390\/fi4020430","relation":{},"ISSN":["1999-5903"],"issn-type":[{"type":"electronic","value":"1999-5903"}],"subject":[],"published":{"date-parts":[[2012,4,20]]}}}