Abstract
Today users consume applications composed of services from different providers across trust domains. From experience we know that security requirements and user identity management make service composition difficult. We believe that delegation of access rights across trust domains will become an essential mechanism in service composition scenarios. Users care about security but cannot deal with the variety of existing solutions for access control. A unified interface for access control and delegation is essential for multi-domain composite services. This paper addresses the problem of identity management for service-centric systems and proposes a novel approach based on an abstract delegation framework that supports different access control mechanisms. We show how the abstract delegation framework is designed to give control and clarity to the user consuming applications based on service composition. Besides the theoretical aspects, the paper shares experiences based on scenarios from the automotive industry.
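The abstract describes delegating access rights across trust domains behind one interface that hides which access control mechanism each provider uses. The following is an added illustration of the checks such a verifier has to make; it is not the paper's framework or code. Per-domain HMAC keys stand in for each domain's signature so it runs offline, and the domain names, principals, resource, and the two backends (an ACL and a role-based one) are constructed for the example. The verifier rejects forged links, expired links, links whose issuer is not the previous subject, and links that try to add a right the issuer never held.

```python
import hashlib
import hmac
import json

# Constructed per-domain signing keys. HMAC stands in for each trust domain's
# public-key signature so the example runs offline; names are hypothetical.
DOMAIN_KEYS = {"dealer.example": b"dealer-secret", "oem.example": b"oem-secret"}


def _canonical(body):
    """Deterministic encoding so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_link(domain, issuer, subject, rights, expires):
    """Issue one delegation link: `issuer` (in `domain`) grants `subject` `rights` until `expires`."""
    body = {"domain": domain, "issuer": issuer, "subject": subject,
            "rights": sorted(rights), "expires": expires}
    tag = hmac.new(DOMAIN_KEYS[domain], _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": tag}


def effective_rights(chain, root, root_rights, now):
    """Walk a delegation chain that starts at `root` and return the rights at its end.

    Raises ValueError on a bad signature, an unknown domain, broken
    issuer/subject continuity, an expired link, or amplification (a link
    granting a right its issuer did not hold at that point in the chain).
    """
    allowed = set(root_rights)
    expected_issuer = root
    for i, link in enumerate(chain):
        body = {k: v for k, v in link.items() if k != "sig"}
        key = DOMAIN_KEYS.get(link["domain"])
        if key is None:
            raise ValueError(f"link {i}: unknown trust domain {link['domain']}")
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            raise ValueError(f"link {i}: bad signature")
        if link["issuer"] != expected_issuer:
            raise ValueError(f"link {i}: issuer is not the previous subject")
        if link["expires"] <= now:
            raise ValueError(f"link {i}: expired")
        rights = set(link["rights"])
        if not rights <= allowed:
            raise ValueError(f"link {i}: amplification of {sorted(rights - allowed)}")
        allowed = rights            # delegation can only attenuate
        expected_issuer = link["subject"]
    return allowed


# One interface (`rights_of`) over two unrelated access-control mechanisms, so
# the composite service never needs to know which one a provider runs.
class AclBackend:
    def __init__(self, acl):
        self.acl = acl              # resource -> {principal: set(rights)}

    def rights_of(self, principal, resource):
        return set(self.acl.get(resource, {}).get(principal, ()))


class RbacBackend:
    def __init__(self, roles, permissions):
        self.roles = roles          # principal -> set(role)
        self.permissions = permissions  # (role, resource) -> set(rights)

    def rights_of(self, principal, resource):
        out = set()
        for role in self.roles.get(principal, ()):
            out |= self.permissions.get((role, resource), set())
        return out


def authorize(backend, root, chain, requester, resource, right, now):
    """True if a valid chain from `root` conveys `right` on `resource` to `requester`."""
    if chain and chain[-1]["subject"] != requester:
        return False
    if not chain and requester != root:
        return False
    try:
        rights = effective_rights(chain, root, backend.rights_of(root, resource), now)
    except ValueError:
        return False
    return right in rights


if __name__ == "__main__":
    # Constructed scenario: an OEM fleet manager delegates read access on one
    # car's telemetry to a dealer service, which re-delegates it to a mechanic.
    oem = RbacBackend({"alice": {"fleet-manager"}},
                      {("fleet-manager", "car/42/telemetry"): {"read", "export"}})
    chain = [sign_link("oem.example", "alice", "garage-svc", {"read"}, 2000),
             sign_link("dealer.example", "garage-svc", "bob", {"read"}, 1500)]
    print(authorize(oem, "alice", chain, "bob", "car/42/telemetry", "read", now=1000))
    print(authorize(oem, "alice", chain, "bob", "car/42/telemetry", "export", now=1000))
```

The point a practitioner should take from the verifier is that every link is checked against the rights its issuer actually held at that point in the chain, and the root's rights come from the provider's own backend rather than from anything the chain asserts; swapping `RbacBackend` for `AclBackend` changes nothing above the interface.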
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Bussard, L., Di Nitto, E., Nano, A., Nano, O., Ripa, G. (2008). An Approach to Identity Management for Service Centric Systems. In: Mähönen, P., Pohl, K., Priol, T. (eds) Towards a Service-Based Internet. ServiceWave 2008. Lecture Notes in Computer Science, vol 5377. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89897-9_22
DOI: https://doi.org/10.1007/978-3-540-89897-9_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89896-2
Online ISBN: 978-3-540-89897-9
eBook Packages: Computer Science (R0)