An Access Control System for Web Service Compositions

Service composition has emerged as a fundamental technique for developing Web applications. Multiple services, often from different organizations or trust domains, may be dynamically composed to satisfy a user's request. Access control in the presence of service compositions is a challenging security problem. In this paper, we present an access control model and techniques for specifying and enforcing access control rules on Web service compositions. A key advantage of our approach is that past histories of service invocations can be used to make access control decisions. Our approach allows role hierarchies and separation of duty constraints. Access controls rules may be parameterized by one or more arguments. We have implemented our access control model via a declarative policy specification language which uses pure-past linear temporal logic (PPLTL). We describe an implementation of our approach using a supply chain management (SCM) application. Our experiments show that our approach can enforce expressive and flexible access control policies while incurring reasonable performance overhead on the application.

[1]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[2]  Benedict G. E. Wiedemann Protection? , 1998, Science.

[3]  Philip W. L. Fong Access control by tracking shallow execution history , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[4]  Donald F. Ferguson,et al.  Toward a Programming Model for Service-Oriented Computing , 2005, ICSOC.

[5]  Scott Anderson,et al.  Supply Chain Management Use Case Model , 2003 .

[6]  Martín Abadi,et al.  A Calculus for Access Control in Distributed Systems , 1991, CRYPTO.

[7]  Vipin Chaudhary,et al.  History-based access control for mobile code , 1998, CCS '98.

[8]  Grigore Rosu,et al.  Synthesizing Monitors for Safety Properties , 2002, TACAS.

[9]  Pierluigi Plebani,et al.  Supporting policy-driven behaviors in web services: experiences and issues , 2004, ICSOC '04.

[10]  Vladimiro Sassone,et al.  A framework for concrete reputation-systems with applications to history-based access control , 2005, CCS '05.

[11]  Ke Wang,et al.  An access control language for web services , 2002, SACMAT '02.

[12]  Hussein Zedan,et al.  Augmenting semantic web service descriptions with compositional specification , 2004, WWW '04.

[13]  Barbara Carminati,et al.  Security Conscious Web Service Composition , 2006, 2006 IEEE International Conference on Web Services (ICWS'06).

[14]  Jean Bacon,et al.  Access control in an open distributed environment , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[15]  James A. Hendler,et al.  Automating DAML-S Web Services Composition Using SHOP2 , 2003, SEMWEB.

[16]  Martín Abadi,et al.  Access Control Based on Execution History , 2003, NDSS.

[17]  Fred Kröger,et al.  Temporal Logic of Programs , 1987, EATCS Monographs on Theoretical Computer Science.

[18]  Elisa Bertino,et al.  Access control enforcement for conversation-based web services , 2006, WWW '06.