Fine grained access control for SOAP E-services

Lightweight protocols for remote service invocation over HTTP and XML, such as SOAP, are rapidly gaining acceptance among developers of Internet-based e-services, largely because of their firewall-traversal capabilities. However, no standard technique for access control is currently defined for either HTTP or SOAP itself. Concerns have been raised that different SOAP applications will handle embedded security in different ways, leading to application-dependent security holes. In this paper, we propose an approach that relies on the XML structure of SOAP requests to support fine-grained authorizations at the level of the individual XML elements and attributes that compose a SOAP call. The result is a simple, yet powerful and general, technique for enforcing access restrictions on SOAP invocations.
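The following is an added illustration of the general idea of element- and attribute-level authorization on a SOAP request; it is not the paper's own mechanism or code. It assumes a SOAP 1.1 envelope, a hypothetical banking service (the `transfer` and `getStatement` operations, the `urn:example:bank` namespace, the `teller` and `auditor` roles and the per-role rules are all constructed for the example), and a deny-by-default policy: every element under `Body`, every attribute on it, and optionally the element's value must be covered by a rule for the caller's role, or the invocation is rejected.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


@dataclass(frozen=True)
class Rule:
    """Permits one element path (local names under Body, e.g. 'transfer/amount').

    attrs: attribute names the subject may supply on that element ('*' = any).
    check: optional predicate on the element's text; returning False denies the call.
    A '*' path step matches exactly one element name."""
    path: str
    attrs: frozenset = frozenset()
    check: Optional[Callable[[str], bool]] = None

    def matches(self, path: str) -> bool:
        steps = ("[^/]+" if p == "*" else re.escape(p) for p in self.path.split("/"))
        return re.match("^" + "/".join(steps) + "$", path) is not None


Policy = Dict[str, List[Rule]]


def authorize(policy: Policy, role: str, envelope_xml: str) -> Tuple[bool, List[str]]:
    """Deny-by-default walk of the SOAP Body.

    Every element and attribute must be covered by a rule for `role`; the first
    matching rule for a path is the one applied. Returns (allowed, reasons)."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, [f"malformed XML: {exc}"]
    if root.tag != f"{{{SOAP_ENV_NS}}}Envelope":
        return False, ["not a SOAP 1.1 envelope"]
    body = root.find(f"{{{SOAP_ENV_NS}}}Body")
    if body is None:
        return False, ["missing Body"]

    rules = policy.get(role, [])
    denials: List[str] = []

    def walk(elem: ET.Element, prefix: str) -> None:
        for child in elem:
            path = prefix + _local(child.tag)
            rule = next((r for r in rules if r.matches(path)), None)
            if rule is None:  # unknown element: deny, and do not descend into it
                denials.append(f"element '{path}' not permitted for role '{role}'")
                continue
            for attr in child.attrib:
                if "*" not in rule.attrs and _local(attr) not in rule.attrs:
                    denials.append(f"attribute '{attr}' on '{path}' not permitted for role '{role}'")
            if rule.check is not None and not rule.check((child.text or "").strip()):
                denials.append(f"value of '{path}' rejected by policy")
            walk(child, path + "/")

    walk(body, "")
    return not denials, denials


def amount_up_to(limit: float) -> Callable[[str], bool]:
    """Value predicate: a positive decimal amount not exceeding `limit`."""
    def ok(text: str) -> bool:
        try:
            return 0 < float(text) <= limit
        except ValueError:
            return False
    return ok


# Constructed policy for the hypothetical bank service.
POLICY: Policy = {
    "teller": [
        Rule("transfer", frozenset({"currency"})),
        Rule("transfer/from"),
        Rule("transfer/to"),
        Rule("transfer/amount", check=amount_up_to(1000.0)),
    ],
    "auditor": [
        Rule("getStatement"),
        Rule("getStatement/*"),
    ],
}

# Constructed sample request (not captured traffic).
TRANSFER = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <transfer xmlns="urn:example:bank" currency="EUR">
      <from>ACC-1001</from>
      <to>ACC-2002</to>
      <amount>250.00</amount>
    </transfer>
  </soap:Body>
</soap:Envelope>"""

# Same call with an unauthorized attribute and an amount above the teller's limit.
ESCALATED = TRANSFER.replace('currency="EUR"', 'currency="EUR" override="true"').replace("250.00", "5000.00")

if __name__ == "__main__":
    for role, env in (("teller", TRANSFER), ("auditor", TRANSFER), ("teller", ESCALATED)):
        print(role, authorize(POLICY, role, env))
```

Two practical caveats. First, the authorization decision must be taken on the same parsed tree the service later executes; checking one parser's view and dispatching on another invites parser-differential bypasses. Second, the standard-library `xml.etree` parser is used here for brevity; a production service should parse untrusted envelopes with a hardened parser (for example `defusedxml`) so that entity-expansion and similar attacks are refused before any policy is evaluated.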
