Ws-AC: A Fine Grained Access Control System for Web Services

Journal: World Wide Web

Abstract

The emerging Web service technology has enabled the development of Internet-based applications that integrate distributed and heterogeneous systems and processes owned by different organizations. However, while Web services are rapidly becoming a fundamental paradigm for the development of complex Web applications, several security issues still need to be addressed. Among the open security issues, an important one is the development of suitable access control models that can restrict access to Web services to authorized users. In this paper we present an innovative access control model for Web services. The model is characterized by a number of key features, including identity attributes and service negotiation capabilities. We formally define the protocol for carrying out negotiations by specifying the types of messages to be exchanged and their contents, on the basis of which requestor and provider can reach an agreement about security requirements and services. We also discuss the architecture of the prototype we are currently implementing. As part of the architecture we propose a mechanism for mapping our policies onto the WS-Policy standard, which provides a standardized grammar for expressing Web service policies.



Corresponding author

Correspondence to Elisa Bertino.

Cite this article

Bertino, E., Squicciarini, A.C., Paloscia, I. et al. Ws-AC: A Fine Grained Access Control System for Web Services. World Wide Web 9, 143–171 (2006). https://doi.org/10.1007/s11280-005-3045-4
