An extended XACML model to ensure secure information access for web services

More and more software systems based on web services have been developed. Web service development techniques are thus becoming crucial. To ensure secure information access, access control should be taken into consideration when developing web services. This paper proposes an extended XACML model named EXACML to ensure secure information access for web services. It is based on the technique of information flow control. Primary features offered by the model are: (1) both the information of requesters and that of web services are protected, (2) the access control of web services is more precise than just ''allow or reject'' policy in existing models, and (3) the model will deny non-secure information access during the execution of a web service even when a requester is allowed to invoke the web service.

[1]  Elisa Bertino,et al.  TRBAC , 2001, ACM Trans. Inf. Syst. Secur..

[2]  Marianne Winslett,et al.  Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation , 2003, TSEC.

[3]  Mudhakar Srivatsa,et al.  An Access Control System for Web Service Compositions , 2007, IEEE International Conference on Web Services (ICWS 2007).

[4]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[5]  Abdelaziz Fellah,et al.  Adding Flexibility in Information Flow Control for Object-Oriented Systems Using Versions , 2003, Int. J. Softw. Eng. Knowl. Eng..

[6]  Ernesto Damiani,et al.  A Web Service Architecture for Enforcing Access Control Policies , 2004, VODCA@FOSAD.

[7]  Andrew C. Myers,et al.  Protecting privacy using the decentralized label model , 2000, Foundations of Intrusion Tolerant Systems, 2003 [Organically Assured and Survivable Information Systems].

[8]  Shih-Chien Chou,et al.  Embedding role-based access control model in object-oriented systems to protect privacy , 2004, J. Syst. Softw..

[9]  Fabio Massacci,et al.  Interactive Credential Negotiation for Stateful Business Processes , 2005, iTrust.

[10]  Shih-Chien Chou,et al.  Managing role relationships in an information flow control model , 2006, J. Syst. Softw..

[11]  Elisa Bertino,et al.  An Adaptive Access Control Model for Web Services , 2006, Int. J. Web Serv. Res..

[12]  Fabio Casati,et al.  Trust-serv: model-driven lifecycle management of trust negotiation policies for web services , 2004, WWW '04.

[13]  Andreas Matheus,et al.  How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML) , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[14]  Ke Wang,et al.  An access control language for web services , 2002, SACMAT '02.

[15]  Zahir Tari,et al.  A role based access control for Web services , 2004, IEEE International Conference onServices Computing, 2004. (SCC 2004). Proceedings. 2004.

[16]  Elisa Bertino,et al.  Information Flow Control in Object-Oriented Systems , 1997, IEEE Trans. Knowl. Data Eng..

[17]  Nicholas R. Jennings,et al.  Protocol engineering for web services conversations , 2005, Eng. Appl. Artif. Intell..

[18]  Elisa Bertino,et al.  X-GTRBAC: an XML-based policy specification framework and architecture for enterprise-wide access control , 2005, TSEC.

[19]  Elisa Bertino,et al.  A trust-based context-aware access control model for Web-services , 2004 .

[20]  Hong Fan,et al.  An Attribute-Based Access Control Model for Web Services , 2006, 2006 Seventh International Conference on Parallel and Distributed Computing, Applications and Technologies (PDCAT'06).

[21]  Elisa Bertino,et al.  Access control enforcement for conversation-based web services , 2006, WWW '06.

[22]  Fabio Massacci,et al.  An access control framework for business processes for web services , 2003, XMLSEC '03.

[23]  Andrew C. Myers,et al.  Complete, safe information flow with decentralized labels , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[24]  Marianne Winslett,et al.  Limiting the Disclosure of Access Control Policies during Automated Trust Negotiation , 2001, NDSS.