Abstract
The emerging Web service technology has enabled the development of Internet-based applications that integrate distributed and heterogeneous systems and processes which are owned by different organizations. However, while Web services are rapidly becoming a fundamental paradigm for the development of complex Web applications, several security issues still need to be addressed. Among the various open issues concerning security, an important issue is represented by the development of suitable access control models, able to restrict access to Web services to authorized users. In this paper we present an innovative access control model for Web services. The model is characterized by a number of key features, including identity attributes and service negotiation capabilities. We formally define the protocol for carrying on negotiations, by specifying the types of message to be exchanged and their contents, based on which requestor and provider can reach an agreement about security requirements and services. We also discuss the architecture of the prototype we are currently implementing. As part of the architecture we propose a mechanism for mapping our policies onto the WS-Policy standard which provides a standardized grammar for expressing Web services policies.
Similar content being viewed by others
References
B. Atkinson et al., Web services security (ws-security), April 2002.
E. Bertino, A. C. Squicciarini, and D. Mevi, “A fine-grained access control model for Web services,” in IEEE International Conference on Services Computing (SCC 2004), Shanghai, Sept. 2004.
D. Box et al., Simple Object Access Protocol (SOAP) 1.1, Technical Report W3C, 2000.
The Enterprise Privacy Authorization Language (EPAL 1.1)., http://www.zurich.ibm.com/security/enterprise-privacy/epal/
Liberty Alliance Project, http://www.projectliberty.org/
Advancing SAML, an XML-based security standard for exchanging authnetication and authorization information. http://www.oasis-open.org/committees/security.
Web Service Policy Framework (Ws-Policy), September 2004. http://www.106.ibm.com/developerworks/library/specification/ws-polfram/
IBM, Microsoft, RSA, VeriSign. web services Trust Language (WS-Trust). Version 1.0. December 18, 2002., http://msdn.microsoft.com/webservices/?pull=/library/en-us/dnglobspec/html/ws-trust.asp.
IBM, Microsoft, RSA, VeriSign. web services Security Policy Language (WS-SecurityPolicy). Version 1.0. December 18, 2002. http://msdn.microsoft.com/webservices/?pull=/library/en-us/dnglobspec/html/ws-securitypolicy.asp.
IBM and Microsoft. Security in a web services World: A Proposed Architecture and Roadmap. April 2002. http://msdn.microsoft.com/webservices/?pull=/library/en-us/dnwssecur/html/securitywhitepaper.asp
Security in a web services World: A Proposed Architecture and Roadmap. http://www-106.ibm.com/developerworks/webservices/library/ws-secmap/
WS-Authorization. http://xml.coverpages.org/ni2002-04-11-b.html
Web Services Reliable Messaging Protocol (WS-ReliableMessaging). March 2004. http://msdn.microsoft.com/ws/2004/03/ws-reliablemessaging/
IBM, Microsoft, RSA, VeriSign. web services Federation Language (WS-Federation). Version 1.0. July 8 2003. http://msdn.microsoft.com/webservices/?pull=/library/en-us/dnglobspec/html/ws-federation.asp.
IBM, Microsoft, RSA, VeriSign. web services Secure Conversation Language (WS-SecureConversation). Version 1.0. December 18, 2002. http://msdn.microsoft.com/webservices/?pull=/library/en-us/dnglobspec/html/ws-secureconversation.asp
OASIS eXtensible Access Control Markup Language 2 (XACML) Version 2.0. Committee draft 02, 30 Sep 2004 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-core-spec-cd-02.pdf
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Bertino, E., Squicciarini, A.C., Paloscia, I. et al. Ws-AC: A Fine Grained Access Control System for Web Services. World Wide Web 9, 143–171 (2006). https://doi.org/10.1007/s11280-005-3045-4
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11280-005-3045-4