Web services access control architecture incorporating trust

Purpose – This paper seeks to investigate how the concept of a trust level is used in the access control policy of a web services provider in conjunction with the attributes of users.

Design/methodology/approach – A literature review is presented to provide background to the progressive role that trust plays in access control architectures. The web services access control architecture is defined.

Findings – The architecture of an access control service of a web service provider consists of three components, namely an authorisation interface, an authorisation manager, and a trust manager. Access control and trust policies are selectively published according to the trust levels of web services requestors. A prototype highlights the incorporation of a trust level in the access control policy as a viable solution to the problem of web services access control, where decisions of an autonomous nature need to be made, based on information and evidence.

Research limitations/implications – The WSACT architecture addr...
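As an added illustration, not the paper's WSACT prototype, the hypothetical Python model below shows the components the findings name: a trust manager that derives a trust level from evidence about the requestor, an authorisation manager that combines that level with user attributes, and selective publication of policy rules according to the requestor's trust level. The evidence items, the 0..3 trust scale, the rule format and the sample policy are all assumptions.

```python
# Hypothetical model of trust-level-aware web services access control
# (constructed example, not the WSACT prototype described in the paper).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    operation: str                 # web service operation the rule protects
    min_trust: int                 # minimum trust level (assumed scale 0..3)
    required_attrs: dict = field(default_factory=dict)  # attribute -> value

class TrustManager:
    """Derives a trust level from evidence (assumed scoring, not the paper's)."""
    def trust_level(self, evidence: dict) -> int:
        level = 0
        if evidence.get("signed_credential"):
            level += 1
        if evidence.get("prior_successful_interactions", 0) >= 5:
            level += 1
        if evidence.get("referred_by_trusted_partner"):
            level += 1
        return level

class AuthorisationManager:
    def __init__(self, rules, trust_manager):
        self.rules = list(rules)
        self.trust_manager = trust_manager

    def decide(self, operation: str, attrs: dict, evidence: dict) -> bool:
        # Grant only if some rule for the operation is satisfied by BOTH the
        # requestor's trust level and the user attributes it presents.
        level = self.trust_manager.trust_level(evidence)
        return any(
            r.operation == operation
            and level >= r.min_trust
            and all(attrs.get(k) == v for k, v in r.required_attrs.items())
            for r in self.rules
        )

    def published_policy(self, evidence: dict) -> list:
        """Selective publication: disclose only rules reachable at this trust level."""
        level = self.trust_manager.trust_level(evidence)
        return [r for r in self.rules if r.min_trust <= level]

# Constructed sample policy for an imaginary ordering service
RULES = [
    Rule("getCatalogue", 0),
    Rule("placeOrder", 1, {"role": "customer"}),
    Rule("viewInvoices", 2, {"role": "customer"}),
    Rule("approveRefund", 3, {"role": "manager", "department": "finance"}),
]
```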
