Expressive and Deployable Access Control in Open Web Service Applications

Traditional access control solutions, based on preliminary identification and authentication of the access requester, are not adequate for the context of open web service systems, where servers generally do not have prior knowledge of the requesters. The research community has acknowledged such a paradigm shift and several investigations have been carried out for new approaches to regulate access control in open dynamic settings. Typically based on logic, such approaches, while appealing for their expressiveness, result not applicable in practice, where simplicity, efficiency, and consistency with consolidated technology are crucial. The eXtensible Access Control Markup Language (XACML) has established itself as the emerging technological solution for controlling access in an interoperable and flexible way. Although supporting the most common policy representation mechanisms and having acquired a significant spread in the research community and the industry, XACML still suffers from some limitations which impact its ability to support actual requirements of open web-based systems. In this paper, we provide a simple and effective formalization of novel concepts that have to be supported for enforcing the new access control paradigm needed in open scenarios, toward the aim of providing an expressive solution actually deployable with today's technology. We illustrate how the concepts of our model can be deployed in the XACML standard by exploiting its extension points for the definition of new functions, and introducing a dialog management framework to enable access control interactions between web service clients and servers.

[1]  Piero A. Bonatti,et al.  Driving and monitoring provisional trust negotiation with metapolicies , 2005, Sixth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'05).

[2]  Pierangela Samarati,et al.  Exploiting cryptography for privacy-enhanced access control: A result of the PRIME Project , 2010, J. Comput. Secur..

[3]  Makoto Murata,et al.  XML access control using static analysis , 2006, TSEC.

[4]  Marianne Winslett,et al.  Limiting the Disclosure of Access Control Policies during Automated Trust Negotiation , 2001, NDSS.

[5]  Ting Yu,et al.  Preventing attribute information leakage in automated trust negotiation , 2005, CCS '05.

[6]  Stefanos Gritzalis,et al.  Design and Implementation of Distributed Access Control Infrastructures for Federations of Autonomous Domains , 2007, TrustBus.

[7]  Anne H. Anderson,et al.  A comparison of two privacy policy languages: EPAL and XACML , 2006, SWS '06.

[8]  Sabrina De Capitani di Vimercati,et al.  A privacy-aware access control system , 2008, J. Comput. Secur..

[9]  Karen A. Scarfone,et al.  Guide to Secure Web Services , 2007 .

[10]  David W. Chadwick,et al.  Privacy preserving trust authorization framework using XACML , 2006, 2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks(WoWMoM'06).

[11]  Marianne Winslett,et al.  Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation , 2003, TSEC.

[12]  Dickson K. W. Chiu,et al.  Enabling Web Services Policy Negotiation with Privacy preserved using XACML , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[13]  Michael N. Huhns,et al.  Securing Enterprise Applications: Service-Oriented Security (SOS) , 2008, 2008 10th IEEE Conference on E-Commerce Technology and the Fifth IEEE Conference on Enterprise Computing, E-Commerce and E-Services.

[14]  Hal Lockhart,et al.  Web Services Profile of XACML (WS-XACML) Version 1.0 , 2007 .

[15]  David W. Chadwick,et al.  Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains , 2006, Communications and Multimedia Security.

[16]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[17]  Phillip Hallam-Baker,et al.  Web services security: soap message security , 2003 .

[18]  Pierangela Samarati,et al.  A Uniform Framework for Regulating Service Access and Information Release on the Web , 2002, J. Comput. Secur..

[19]  Nora Cuppens-Boulahia,et al.  XeNA: an access negotiation framework using XACML , 2009, Ann. des Télécommunications.

[20]  Ernesto Damiani,et al.  Controlling Access to XML Documents , 2001, IEEE Internet Comput..

[21]  Scott Boag,et al.  XQuery 1.0 : An XML Query Language , 2007 .

[22]  Marianne Winslett,et al.  Assuring security and privacy for digital library transactions on the Web: client and server security policies , 1997, Proceedings of ADL '97 Forum on Research and Technology. Advances in Digital Libraries.

[23]  Mark O'Neill,et al.  Web Services Security , 2003 .

[24]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[25]  Mario Piattini,et al.  A Survey of Web Services Security , 2004, ICCSA.

[26]  Sabrina De Capitani di Vimercati,et al.  A fine-grained access control system for XML documents , 2002, TSEC.

[27]  Sushil Jajodia,et al.  Flexible support for multiple access control policies , 2001, TODS.