Access Control in Dynamic XML-Based Web-Services with X-RBAC

Policy specification for securing Web services is fast emerging as a key research area because of the rapid proliferation of Web services in modern enterprise applications. While the use of XML technology to support these Web services has fuelled their growth, it has also introduced a new set of security challenges specific to them. Although there has been recent research on XML-based document security, these challenges have not been addressed within the XML framework itself. In this paper we present X-RBAC, an XML-based RBAC policy specification framework for enforcing access control in dynamic XML-based Web services. An X-RBAC system has been implemented as a Java application and is based on a specification language that addresses the specific security requirements of these Web services. We discuss the salient features of the specification language and present the software architecture of our X-RBAC system.
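The following is an added illustration, not code from the paper and not the X-RBAC specification language itself: an RBAC policy encoded in XML (the element names, attributes and the sample users, roles and service operations are assumptions made for this example) together with a policy decision point that a Web service front end could consult before dispatching an operation. It shows the pieces such a framework has to get right beyond the syntax: validating the policy when it is loaded (undefined roles and cycles in the role hierarchy are rejected rather than silently tolerated), propagating permissions through role inheritance, and denying by default.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for this example; the schema is an assumption,
# not the X-RBAC language described in the paper.
POLICY_XML = """<?xml version="1.0"?>
<Policy>
  <Roles>
    <Role name="employee"/>
    <Role name="manager" inherits="employee"/>
    <Role name="auditor"/>
  </Roles>
  <Permissions>
    <Permission role="employee" service="PayrollService" operation="viewOwnPayslip"/>
    <Permission role="manager" service="PayrollService" operation="approveTimesheet"/>
    <Permission role="auditor" service="PayrollService" operation="exportLedger"/>
  </Permissions>
  <UserRoleAssignments>
    <Assign user="alice" role="manager"/>
    <Assign user="bob" role="employee"/>
    <Assign user="carol" role="auditor"/>
  </UserRoleAssignments>
</Policy>
"""


class PolicyError(ValueError):
    """Raised when the policy document is malformed; loading fails closed."""


class RbacPolicy:
    def __init__(self, xml_text: str):
        root = ET.fromstring(xml_text)
        if root.tag != "Policy":
            raise PolicyError("root element must be <Policy>")
        # role name -> list of roles it inherits (junior roles)
        self.parents = {}
        for r in root.iterfind("./Roles/Role"):
            name = r.get("name")
            if not name or name in self.parents:
                raise PolicyError(f"missing or duplicate role name: {name!r}")
            self.parents[name] = (r.get("inherits") or "").split()
        for name, juniors in self.parents.items():
            for j in juniors:
                if j not in self.parents:
                    raise PolicyError(f"role {name!r} inherits undefined role {j!r}")
        self._check_acyclic()
        # role -> set of (service, operation) it is directly granted
        self.perms = {}
        for p in root.iterfind("./Permissions/Permission"):
            role, svc, op = p.get("role"), p.get("service"), p.get("operation")
            if role not in self.parents or not svc or not op:
                raise PolicyError("bad permission: " + ET.tostring(p, encoding="unicode").strip())
            self.perms.setdefault(role, set()).add((svc, op))
        # user -> set of directly assigned roles
        self.assignments = {}
        for a in root.iterfind("./UserRoleAssignments/Assign"):
            user, role = a.get("user"), a.get("role")
            if not user or role not in self.parents:
                raise PolicyError(f"bad assignment for user {user!r}: {role!r}")
            self.assignments.setdefault(user, set()).add(role)

    def _check_acyclic(self):
        # Depth-first search with grey/black marking; a grey node reached
        # again means the inheritance graph has a cycle.
        state = {r: 0 for r in self.parents}  # 0 unseen, 1 in progress, 2 done

        def visit(role):
            if state[role] == 1:
                raise PolicyError(f"cycle in role hierarchy at {role!r}")
            if state[role] == 2:
                return
            state[role] = 1
            for j in self.parents[role]:
                visit(j)
            state[role] = 2

        for role in self.parents:
            visit(role)

    def effective_roles(self, user: str) -> set:
        """All roles a user holds, including those reached through inheritance."""
        seen, stack = set(), list(self.assignments.get(user, ()))
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.parents[role])
        return seen

    def is_permitted(self, user: str, service: str, operation: str) -> bool:
        """Decision for one Web service operation; unknown users get nothing."""
        return any((service, operation) in self.perms.get(r, ())
                   for r in self.effective_roles(user))


def load_sample_policy() -> RbacPolicy:
    return RbacPolicy(POLICY_XML)


if __name__ == "__main__":
    policy = load_sample_policy()
    for user, op in [("alice", "approveTimesheet"), ("bob", "approveTimesheet"),
                     ("carol", "exportLedger"), ("mallory", "viewOwnPayslip")]:
        print(user, op, "PERMIT" if policy.is_permitted(user, "PayrollService", op) else "DENY")
```

The policy document is a trust anchor, so it is validated once at load time and every inconsistency is fatal; the per-request path then does nothing but set lookups. If policies could arrive from less trusted sources, the parser choice matters too (for example, a hardened parser that refuses external entities), which this example does not cover.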
