Abstract
A Web service [8] is a Web-based application that can be published, located and invoked across the Web. Compared to centralized systems and client-server environments, a Web service environment is much more dynamic, and security for such an environment poses unique challenges. However, while Web services are rapidly becoming a fundamental paradigm for the development of complex Web applications, several security issues still need to be addressed. Some proposals for securing Web services have been presented [1, 2, 4] over the last two years. In particular, the SAML [1] and XACML [6] standards provide a sound basis for the development of a secure infrastructure for Web services. SAML, an acronym for Security Assertion Markup Language, is an XML-based framework for exchanging security information, developed by the OASIS XML-Based Security Services Technical Committee, whereas XACML is a specification that is used in conjunction with SAML and provides a means for standardizing access control decisions for XML documents. However, none of these technologies provides a general and formal model for access control of Web services. Indeed, among the various open issues concerning security, an important one is the development of suitable access control models, able to restrict access to Web services to authorized users. At first glance, it may seem that such an issue may be solved by relying on security technologies commonly adopted for Web sites. Indeed, there are a number of embedded software applications whose purpose is to control access to Web service applications. But such an approach is not adequate when dealing with loosely coupled applications, as Web service technology requires, and can only be considered a temporary solution until more appropriate techniques are devised.
References
1. Advancing SAML, an XML-based security standard for exchanging authentication and authorization information, http://www.oasis-open.org/committees/security
2. Atkinson, B., et al.: Web services security (ws-security) (April 2002), http://msdn.microsoft.com/ws/2002/04/Security
3. Bertino, E., Ferrari, E., Squicciarini, A.: Trust-X: A Peer to Peer Framework for Trust Negotiations. IEEE Transactions on Knowledge and Data Engineering (to appear)
4. Damiani, E., Vimercati, S.D.C.D.: Towards securing XML Web services. In: Proceedings of the 2002 ACM workshop on XML security, Fairfax, VA (November 2002)
5. Box, D., et al.: Simple Object Access Protocol (SOAP) 1.1, Technical Report W3C (2000)
6. Defining XACML, an XML specification for expressing policies for information access over the internet, http://www.oasis-open.ord/committes/xacml
7. Liberty Alliance Project, http://www.projectliberty.org/
8. World Wide Web Consortium: Web Service, http://www.w3.org/2002/ws/
9. World Wide Web Consortium: XML Signature Syntax and Processing, W3C Candidate Recommendation (2001), http://www.w3.org/TR/2001/CR-xmldisigcore-20010419
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bertino, E., Squicciarini, A.C. (2004). A Flexible Access Control Model for Web Services. In: Christiansen, H., Hacid, MS., Andreasen, T., Larsen, H.L. (eds) Flexible Query Answering Systems. FQAS 2004. Lecture Notes in Computer Science, vol 3055. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-25957-2_2
DOI: https://doi.org/10.1007/978-3-540-25957-2_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-22160-9
Online ISBN: 978-3-540-25957-2
eBook Packages: Springer Book Archive