论文信息 - A metadata-based access control model for web services

A metadata-based access control model for web services

One of the most relevant advantages of Web Services (WS) is their simplicity of access on the Internet. However, this feature also makes them vulnerable to a series of security threats. Additionally, the application of WS to many interesting problems is currently hindered by the lack of mechanisms that provide, among others, adequate access control functionalities for this scenario. In fact, access control and authorization are critical because of the specific characteristics of WS. When considering the requirements of this scenario we must highlight not only flexibility of the access control system for dissimilar security policies, but also the control over a large number of elements and the distributed nature of these ones. Other important issues are dynamism of the WS environment, and interoperability of authorization mechanisms for the integration of multiple WS from various sources. The present work introduces an access control model for WS that addresses all previous issues. The model is built on the basis of separation of the authorization and access control management responsibilities. We introduce mechanisms for the semantic integration of an external Privilege Management Infrastructure (PMI) and present the Semantic Policy Language (SPL) for the description of access criteria based on attribute certificates.

Javier López | Antonio Maña | Mariemma Inmaculada Yagüe del Valle

[1] Whitfield Diffie,et al. New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[2] José M. Troya,et al. Access Control Infrastructure for Digital Objects , 2002, ICICS.

[3] Christopher Allen,et al. The TLS Protocol Version 1.0 , 1999, RFC.

[4] William E. Johnston,et al. Certificate-based Access Control for Widely Distributed Resources , 1999, USENIX Security Symposium.

[5] David W. Chadwick. An X.509 Role Based Privilege Management Infrastructure , 2001 .

[6] Elisa Bertino,et al. Securing XML Documents with Author-X , 2001, IEEE Internet Comput..

[7] Ravi S. Sandhu,et al. Role-Based Access Control Models , 1996, Computer.

[8] Michiharu Kudo,et al. XML document security based on provisional authorization , 2000, CCS.

[9] Ravi S. Sandhu,et al. The NIST model for role-based access control: towards a unified standard , 2000, RBAC '00.

[10] Ernesto Damiani,et al. Securing SOAP e-services , 2002, International Journal of Information Security.

[11] Mark O'Neill,et al. Web Services Security , 2003 .

[12] Anura Gurugé,et al. Universal Description, Discovery, and Integration , 2004 .

[13] Sabrina De Capitani di Vimercati,et al. A fine-grained access control system for XML documents , 2002, TSEC.