Martin Karusseit
ABSTRACT
Web-based access to sensitive and confidential data is realized today via different approaches, using a variety of methods to specify and combine access control policies. In an optic of change management and evolution, a structured and flexible model is needed to handle dynamicity, particularly when handling rights in systems with many users which hold different roles. Furthermore the validation of security constraints is an important key to warrant the reliability of control mechanisms.
This paper compares the temporal logic-based approach for modeling access control used by the jABC framework with two popular XML-based description languages (XACML and WS-Policy), which are quasi-standards for policy expression in Web applications. Its usage is illustrated here on the example of the web-based Online Conference Service (OCS). The respective functionalities are described and examined in consideration of their ability to validate and enforce the needed policies.
- T. Moses (Ed.): eXtensible Access Control Markup Language (XACML) Version 2.0, Feb. 2005 http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os. pdf,Google Scholar
- P. Griffin: Introduction to XACML, February 2004 http://dev2dev.bea.com/pub/a/2004/02/xacml.htmlGoogle Scholar
- B. Siddharth et al.: Web Services Policy 1.2 - Framework (WS-Policy), April 2006, http://www.w3.org/Submission/2006/SUBM-WS-Policy-20060425/Google Scholar
- E. A. Emerson, C. S. Jutla, A. P. Sistla. On model-checking for fragments of μ-calculus. 1993.Google Scholar
- G. Hughes, T. Bultan: Automated Verification of XACML Policies Using a SAT Solver. WQVV 2007, Worksh. on Web Quality, Verification and Validation, at 7th ICWE, Como (I), July 2007, Worksh. Proc. pp. 378--392.Google Scholar
- M. Karusseit, T. Margaria: A Web-based Runtime-Reconfigurable Role Management Service Proc. WWV '06, 2nd Int. Worksh. on Automated Specification and Verification of Web Sites, Cyprus, 2006, IEEE Press, pp.53--60. Google ScholarDigital Library
- M. Karusseit, T. Margaria: Feature-based Modelling of a Complex, Online-Reconfigurable Decision Support Service Proc. WWV '05, 1st Int. Worksh. on Automated Specification and Verification of Web Sites, Valencia (E), March 2005, ENTCS N. 1132.Google Scholar
- T. Margaria, M. Karusseit: Community Usage of the Online Conference Service: an Experience Report from three CS Conferences, 2nd IFIP Conf. on "e-commerce, e-business, e-government" (I3E 2002), Lisboa (P), Oct. 2002, Kluwer, pp.497--511. Google ScholarDigital Library
- jABC: JavaABC Framework http://www.jABC.deGoogle Scholar
- B. Steffen, T. Margaria, R. Nagel, S. Jörges, C. Kubczak: Model-Driven Development with the jABC, Proc. HVC '06, IBM Haifa Verification Conf., Haifa (IL), LNCS 4383, Springer Verlag, 2006. Google ScholarDigital Library
- T. Margaria, B. Steffen: Service Engineering: Linking Business and IT, Computer, IEEE Computer Society, October 2006, pp.45--55 Google ScholarDigital Library
- B. Steffen, P. Narayan: Full Life-Cycle Support for End-to-End Processes, Computer, IEEE Computer Society, November 2007, pp.64--73 Google ScholarDigital Library
- S. Jörges, T. Margaria, B. Steffen: FormulaBuilder: A Tool for Graph-based Modelling and Generation of Formulae, ICSE 2006, Shanghai, China, ACM Press, pp. 815--818. Google ScholarDigital Library
- OASIS http://www.oasis-open.org/home/index.phpGoogle Scholar
- Della-Libera et al.: Web Services Security Policy Language (WS-SecurityPolicy) Version 1.1, July 2005 http://specs.xmlsoap.org/ws/2005/07/securitypolicy/ws-securitypolicy.pdfGoogle Scholar
- D. Box et al.: Web Services Policy Assertions Language (WS-PolicyAssertions) Version 1.1, May 2003 http://xml.coverpages.org/ws-policyassertionsV11.pdfGoogle Scholar
- K. Ballinger et al.: Web Services Metadata Exchange (WS-MetadataExchange) Version 1.1 August 2006 http://specs.xmlsoap.org/ws/2004/09/mex/WS-MetadataExchange.pdf,Google Scholar
- M. Bakera, T. Margaria, C. Renner, B. Steffen: Game-based Model Checking for Reliable Autonomy, SMC-IT '06, 2nd IEEE Int. Conf. on Space Mission Challenges for Information Technology, Workshop on Autonomous and Autonomic Systems, July 2006.Google Scholar
Index Terms
- Policy expression and checking in XACML, WS-Policies, and the jABC
Recommendations
Policy expressions and the bottom-up design of computing policies
AbstractA policy is a sequence of rules, where each rule consists of a predicate and a decision, and where each decision is either “accept” or “reject”. A policy P is said to accept (or reject, respectively) a request iff the decision of the first rule in ...
XACBench: a XACML policy benchmark
AbstractXACML standard defines a declarative language to determine access control policies which are critical for deploying security solutions. It is important to evaluate the performance of policies defined by XACML, for applications such as policy ...
Designing Fast and Scalable XACML Policy Evaluation Engines
Most prior research on policies has focused on correctness. While correctness is an important issue, the adoption of policy-based computing may be limited if the resulting systems are not implemented efficiently and thus perform poorly. To increase the ...
Comments