Enforcing ASTD Access-Control Policies with WS-BPEL Processes in SOA Environments

Controlling access to the Web services of public agencies and private corporations depends primarily on specifying and deploying functional security rules to satisfy strict regulations imposed by governments, particularly in the financial and health sectors. This paper focuses on one aspect of the SELKIS and EB3SEC projects related to the security of Web-based information systems, namely, the automatic transformation of security rules into WS-BPEL or BPEL, for short processes. The former are instantiated from security-rule patterns written in a graphical notation, called ASTD that is close to statecharts. The latter are executed by a BPEL engine integrated into a policy decision point, which is a component of a policy enforcement manager similar to that proposed in the XACML standard.

[1]  Wil M. P. van der Aalst,et al.  The Application of Petri Nets to Workflow Management , 1998, J. Circuits Syst. Comput..

[2]  Jean Bacon,et al.  A model of OASIS role-based access control and its support for active security , 2001, TSEC.

[3]  Pierre F. Tiako,et al.  Software Applications: Concepts, Methodologies, Tools, and Applications , 2009 .

[4]  David A. Basin,et al.  Dynamic Enforcement of Abstract Separation of Duty Constraints , 2009, ESORICS.

[5]  C. A. R. Hoare,et al.  Communicating Sequential Processes (Reprint) , 1983, Commun. ACM.

[6]  Elisa Bertino,et al.  Access Control and Authorization Constraints for WS-BPEL , 2006, 2006 IEEE International Conference on Web Services (ICWS'06).

[7]  Wolfgang Reisig,et al.  An Operating Guideline Approach to the SOA , 2005 .

[8]  Marc Frappier,et al.  Extending statecharts with process algebra operators , 2008, Innovations in Systems and Software Engineering.

[9]  Thai Son Hoang,et al.  Rodin: an open toolset for modelling and reasoning in Event-B , 2010, International Journal on Software Tools for Technology Transfer.

[10]  Marc Frappier,et al.  Modélisation de politiques de sécurité à l'aide d'une algèbre de processus. Présentation de la méthode EB3SEC , 2009, Ingénierie des Systèmes d Inf..

[11]  Marija Kolundzija Security Types for Sessions and Pipelines , 2008, WS-FM.

[12]  Karsten Sohr,et al.  Enforcing Role-Based Access Control Policies in Web Services with UML and OCL , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[13]  Yamine Ait-Ameur,et al.  Stepwise Design of BPEL Web Services Compositions: An Event_B Refinement Based Approach , 2010 .

[14]  Kamel Adi,et al.  Secrecy UML Method for Model Transformations , 2010, ASM.

[15]  Marc Frappier,et al.  Systematic Translation Rules from astd to Event-B , 2010, IFM.

[16]  Sushil Jajodia,et al.  Flexible support for multiple access control policies , 2001, TODS.

[17]  Tommaso Bolognesi,et al.  Tableau methods to describe strong bisimilarity on LOTOS processes involving pure interleaving and enabling , 1994, FORTE.

[18]  Régine Laleau,et al.  Model-driven Engineering of Functional Security Policies , 2010, ICEIS.

[19]  Jeremy Gibbons,et al.  A Process-Algebraic Approach to Workflow Specification and Refinement , 2007, SC@ETAPS.

[20]  Francisco Curbera,et al.  Web Services Business Process Execution Language Version 2.0 , 2007 .

[21]  Ninghui Li,et al.  Beyond separation of duty: an algebra for specifying high-level security policies , 2006, CCS '06.

[22]  Du Zhang,et al.  Machine Learning and Value-Based Software Engineering , 2009, Int. J. Softw. Sci. Comput. Intell..

[23]  Marc Frappier,et al.  Expressing Access Control Policies with an Event-Based Approach , 2011, CAiSE Workshops.

[24]  David Harel,et al.  Statecharts: A Visual Formalism for Complex Systems , 1987, Sci. Comput. Program..

[25]  Roberto Bruni,et al.  Sessions and Pipelines for Structured Service Programming , 2008, FMOODS.

[26]  Andreas Matheus,et al.  How to Declare Access Control Policies for XML Structured Information Objects using OASIS' eXtensible Access Control Markup Language (XACML) , 2005, Proceedings of the 38th Annual Hawaii International Conference on System Sciences.

[27]  John Wang,et al.  A Comparison and Scenario Analysis of Leading Data Mining Software , 2008, Int. J. Knowl. Manag..