Skip to main content
SpringerLink
Log in

EFSOC: A Layered Framework for Developing Secure Interactions between Web-Services

  • Published:
Distributed and Parallel Databases Aims and scope Submit manuscript

Abstract

Enterprises are rapidly extending their relatively stable and internally-oriented business processes and applications with loosely-coupled enterprise software services in order to support highly dynamic, cross-organizational business processes. These services are no longer solely based on internal enterprise systems, but often implemented, deployed and executed by diverse, external service providers. The ability to dynamically configure cross-organizational business processes with a mixture of internal and external services imposes new security requirements on existing security models.

In this paper, we address the problem of defining and enforcing access control rules for securing service invocations in the context of a business process. For this purpose, we amortize existing role-based access control models that allow for dynamic delegation and retraction of authorizations. Authorizations are assigned on an event-driven basis, implementing a push-based interaction protocol between services. This novel security model is entitled the Event-driven Framework for Service Oriented Computing (EFSOC). In addition, this article presents an experimental prototype that is explored using a realistic case study.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. M. Altheim, “XML Common Logic (XCL) 1.0,” Technical report, 2003. http://www.altheim.com/specs/xcl/1.0/.

  2. T. Andrews, F. Curbera, H. Dholakia, Y. Goland, J. Klein, F. Leymann, K. Liu, D. Roller, D. Smith, S. Thatte, I. Trickovic, and S. Weerawarana, “Business process execution language,” Technical report, BEA Systems and Internation Business Machines Corporation and Microsoft Corporation and SAP AG and Siebel Systems, 2003.

  3. A. Arkin, “Web Service Choreography Interface 1.0,” Technical report, BEA Systems, Intalio, SAP, Sun Microsystems, 2002. http://dev2dev.bea.com/techtrack/wsci.jsp (visited 2-7-2003).

  4. B. Atkinson, G. Della-Libera, S. Hada, M. Hondo, P. Hallam-Baker, J. Klein, B. LaMacchia, P. Leach, J. Manferdelli, H. Maruyama, A. Nadalin, N. Nagaratnam, H. Prafullchandra, J. Shewchuk, and D. Simon, “Web Services Security (WS-Security),” Technical report, Microsoft, IBM and Verisign, 2002.

  5. R. Botha, and J. Eloff, “Separation of Duties for Access Control Enforcement in Workow Environments,” IBM Systems Journal vol. 40, no. 3, pp. 666–682, 2001.

  6. D. Box, D. Ehnebuske, G. Kakivaya, A. Layman, N. Mendelsohn, H.F. Nielsen, S. Thatte, and D. Winer, “Simple Object Access Protocol (SOAP) 1.1,” W3C Note, W3C, 2000. http://www.w3.org/TR/SOAP/.

  7. E. Christensen, F. Curbera, G. Meredith, and S. Weerawarana, “Web Services Description Language (WSDL) 1.1,” W3C Note, W3C, 2001. http://www.w3.org/TR/2001/NOTE-wsdl-20010315.

  8. Common Logic, “The common logic standard,” Technical report. http://cl.tamu.edu/.

  9. G. Della-Libera, B. Dixon, P. Garg, S. Hada, P. Hallam-Baker, M. Hondo, C.K. (Ed.), H. Maruyama, A.N. (Ed.), N. Nagaratnam, A. Nash, R. Philpott, H. Prafullchandra, J. Shewchuk, D. Simon, E. Waingold, and R. Zolfonoon, “Web services secure conversation language (WS-SecureConversation),” Technical report, BEA Systems, Inc., Computer Associates International, Inc., International Business Machines Corporation, Layer 7 Technologies, Microsoft Corporation, Netegrity, Inc., Oblix Inc., OpenNetwork Technologies Inc., Ping Identity Corporation, Reactivity, Inc., RSA Security, Inc., Verisign Inc., and Westbridge Technology, Inc, 2002.

  10. Discretionary Access Control/“A guide To understanding discretionary access control In trusted systems,” Technical Report Library No. S-228,576, National Computer Security Center, 1987.

  11. S. Farell, I. Reid, H. Lockhart, D. Orchard, K. Sankar, C. Adams, T. Moses, N. Edwards, J. Pato, B. Blakley, M. Erdos, S. Cantor, R. B. Morgan, M. Chanliau, C. McLaren, C. Knouse, S. Godik, D. Platt, J. Moreh, J. Hodges, and P. Hallam-Baker, “Assertions and protocol for the OASIS security assertion markup language (SAML) V1.1,” Committee specification, OASIS. http://www.oasis-open.org/committees/documents.php?wgabbrev=security, 2003.

  12. D. Ferraiolo, J. Cugini, and R. Kuh, “Role-based access control: Features and motivations,” in Proceedings of the 11th Annual Computer Security Applications Conference, 1995.

  13. D. Ferraiolo and R. Kuhn, “Roled-based access control,” in Proceedings of the 15th NIST-NSA National Computer Security Conference, 1992.

  14. S. Godik and T. M. (editors), “eXtensible access control markup language (XACML),” OASIS Standard, OASIS, 2003.

  15. H.S. Thompson, D. Beech, M. M. and N. M. (editors), “XML Schema PART 1: Structures,” Technical report, W3C. http://www.w3.org/TR/xmlschema-1/, 2001.

  16. M. Jarke, R. Gallersdörfer, M. Jeusfeld, and M. Staudt, “Conceptbase—a deductive object base for meta data management,” Journal of Intelligent Information Systems, Special Issue on Advances in Deductive Object-Oriented Databases, vol. 4, no. 2, 1995, pp. 167–192.

  17. K. Leune, “Conceptual overview of the EFSOC event service,” Technical Report 16, Tilburg University, Infolab, 2004a.

  18. K. Leune, “EFSOC infrastructure services,” Technical report, Infolab, Tilburg University, The Netherlands. Available at http://www.uvt.nl/infolab/report-series/, 2004b.

  19. K. Leune, W.-J. van den Heuvel, and M. Papazoglou, “Exploring a multi-faceted framework for SOC: How to develop secure web-service interactions?,” in Proceedings of the 14th International Workshop on Research Issues on Data Engineering: Web Services for E-Commerce and E-Government applications, 2004, pp. 56–61.

  20. D. Luckham, The Power of Events. An Introduction to Complex Event Processing in Distributed Enterprise Systems. Addison-Wesley Press, 2002.

  21. M. Krause, H. T., Handbook of Information Security Management, No. ISBN 0849398290. Auerbach Publications, 4th edition, 1999.

  22. T. Morgan, Business Rules and Information Systems. Addison-Wesley. ISBN 0-201-74391-4, 2002.

  23. J. Mylopoulos, A. Borgida, and M. Koubarakis, “Telos: Representing knowledge about information systems,” ACM Transactions on Information Systems, vol. 8, no. 4, 1990.

  24. of D. Defense, “Trusted computer system evaluation criteria,” Technical Report Library No. S225,711, 1985.

  25. M. Papazoglou and G. Georgakapoulos, “Introduction to the special issue about service-oriented computing,” Communications of the ACM, vol. 46, no. 10, 2003, pp. 24–29.

  26. C. Pelz, “Web services orchestration: A review of emerging technologies, tools, and standards,” Technical report, HP, 2003.

  27. J. Saltzer and M. Schroeder, “The protection of information in computer systems,” Proceedings of the IEEE vol. 63, no. 9, 1975, pp. 1278–1308.

  28. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, “Role-based access control models,” IEEE Computer, 1996.

  29. UDDI, “Universal description, discovery, and integration (UDDI),” Technical report, uddi.org. http://www.uddi.org, 2000.

  30. M. Wahl, T. Howes, and S. Kille, “Lightweight directory access protocol (v3),” Technical Report RFC 2251, Critical Angle Inc., Netscape Communications Corp., Isode Limited. http://www.ietf.org/rfc/rfc2251.txt, 1997.

Download references

Author information

Authors and Affiliations

  1. Infolab, Tilburg University, The Netherlands

    Willem-Jan van den Heuvel, Kees Leune & Mike P. Papazoglou

Authors
  1. Willem-Jan van den Heuvel
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kees Leune
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mike P. Papazoglou
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Willem-Jan van den Heuvel.

Additional information

This work has been partially funded by the Netherlands Organization for Scientific Research (NWO) as part of the PRONIR project.

Recommended by: Asuman Dogac

Rights and permissions

Reprints and permissions

About this article

Cite this article

den Heuvel, WJ.v., Leune, K. & Papazoglou, M.P. EFSOC: A Layered Framework for Developing Secure Interactions between Web-Services. Distrib Parallel Databases 18, 115–145 (2005). https://doi.org/10.1007/s10619-005-1400-1

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10619-005-1400-1

Keywords

Search

Navigation