Access control for the services oriented architecture

Federated Identity Management (FIdM) is being applied to Services Oriented Architecture (SOA) deployments that cross enterprise boundaries. Though federation is essential in order to address the distributed nature of SOA, these FIdM solutions have been found to be inflexible, unscalable, and difficult to use, manage, and upgrade. We contend that a major reason for these difficulties is that FIdM addresses the wrong aspect of the problem. Specifically, FIdM does not address the federation of access policies. What is needed is a system for Federated Access Management (FAccM). This paper demonstrates the benefits of FAccM over FIdM for SOA deployments and shows how FAccM can be implemented using the existing web services standards.
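The contrast the abstract draws between federating identity and federating access policy, as an added illustration that is not code or a design from the paper: in the FIdM branch, service B verifies a signed identity assertion from domain A but must still hold a local ACL entry for every foreign user; in the FAccM branch, B signs one delegation giving domain A authority over a resource, A issues per-user grants, and B verifies the chain without per-user state. The domain names, the HMAC-over-canonical-JSON signatures standing in for XML/SAML signatures, and the delegation-chain model itself are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed sample signing secrets for two domains. Real deployments would
# use the XML-signature/SAML machinery of the web services standards; HMAC
# over a canonical JSON body stands in for that here (an assumption).
KEYS = {"A": b"domain-a-signing-key", "B": b"domain-b-signing-key"}


def sign(issuer, claims):
    """Issuer signs a claims dict; returns a self-describing token."""
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(KEYS[issuer], body, hashlib.sha256).hexdigest()
    return {"issuer": issuer, "claims": claims, "mac": mac}


def verify(token, expected_issuer):
    """True only if the token was signed by expected_issuer and is intact."""
    if token["issuer"] != expected_issuer:
        return False
    body = json.dumps(token["claims"], sort_keys=True).encode()
    mac = hmac.new(KEYS[expected_issuer], body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, token["mac"])


# --- FIdM: domain A federates identity; service B keeps its own access policy.
# B must hold an ACL entry for every foreign identity it will ever serve,
# which is the management burden the abstract describes.
LOCAL_ACL_B = {("alice@a.example", "orders", "read")}


def fidm_decide(identity_assertion, resource, action):
    if not verify(identity_assertion, "A"):
        return "deny: bad identity assertion"
    subject = identity_assertion["claims"]["subject"]
    if (subject, resource, action) in LOCAL_ACL_B:
        return "allow"
    return "deny: no local policy for federated identity"


# --- FAccM (assumed model): service B federates the access policy itself by
# delegating authority over a resource to domain A once; A then issues
# per-user grants. B verifies the signed chain and keeps no per-user state.
def faccm_decide(delegation, grant, requester, resource, action):
    if not verify(delegation, "B"):
        return "deny: delegation not issued by service B"
    d = delegation["claims"]
    if not verify(grant, d["delegate"]):
        return "deny: grant not signed by the delegate"
    g = grant["claims"]
    if g["subject"] != requester:
        return "deny: grant issued to a different subject"
    if (g["resource"], g["action"]) != (resource, action):
        return "deny: grant does not cover this request"
    if g["resource"] != d["resource"] or g["action"] not in d["actions"]:
        return "deny: grant exceeds delegated scope"
    return "allow"


def demo():
    """Constructed scenario: users from domain A call service B both ways."""
    results = {}
    # FIdM: B knows alice but has never heard of bob, although A vouches for both.
    for user in ("alice@a.example", "bob@a.example"):
        ident = sign("A", {"subject": user})
        results[("fidm", user)] = fidm_decide(ident, "orders", "read")

    # FAccM: one delegation from B to A; A grants each of its users individually.
    delegation = sign("B", {"delegate": "A", "resource": "orders", "actions": ["read"]})
    for user in ("alice@a.example", "bob@a.example"):
        grant = sign("A", {"subject": user, "resource": "orders", "action": "read"})
        results[("faccm", user)] = faccm_decide(delegation, grant, user, "orders", "read")

    # A cannot grant more than B delegated: a write grant is rejected.
    over = sign("A", {"subject": "carol@a.example", "resource": "orders", "action": "write"})
    results[("faccm", "carol-write")] = faccm_decide(delegation, over, "carol@a.example", "orders", "write")

    # A grant edited after signing fails verification.
    tampered = sign("A", {"subject": "dave@a.example", "resource": "orders", "action": "read"})
    tampered["claims"]["action"] = "write"
    results[("faccm", "dave-tampered")] = faccm_decide(delegation, tampered, "dave@a.example", "orders", "write")
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, "->", outcome)
```

The point to watch in the FAccM branch is the scope check: B's single delegation bounds everything A may grant, so the policy B has to manage is one signed statement per trusted domain rather than one ACL row per foreign user.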
