
ACConv -- An Access Control Model for Conversational Web Services

Published: 01 July 2011

Abstract

With organizations increasingly depending on Web services to build complex applications, security and privacy concerns, including the protection of access control policies, are becoming a serious issue. Ideally, service providers would like to ensure that clients learn only the portions of the access control policy relevant to their interactions, to the extent to which they are entrusted by the Web service, and without restricting the client's choices in terms of which operations to execute. We propose ACConv, a novel model for access control in Web services that is suitable when interactions between the client and the Web service are conversational and long-running. The conversation-based access control model proposed in this article allows service providers to limit how much knowledge clients have about the credentials specified in their access policies. This is achieved while reducing the number of times credentials are requested from clients and minimizing the risk that clients drop out of a conversation with the Web service, before reaching a final state, due to the lack of necessary credentials. Clients are requested to provide credentials, and hence are entrusted with part of the Web service access control policies, only for some specific granted conversations, which are decided based on: (1) the level of trust that the Web service provider has vis-à-vis the client, (2) the operation that the client is about to invoke, and (3) meaningful conversations, which are conversations that lead from the current state to a final state. We have implemented the proposed approach in a software prototype and conducted extensive experiments to show its effectiveness.


Published in

ACM Transactions on the Web, Volume 5, Issue 3, July 2011, 177 pages
ISSN: 1559-1131
EISSN: 1559-114X
DOI: 10.1145/1993053
Copyright © 2011 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 1 July 2011
• Accepted: 1 November 2010
• Revised: 1 July 2010
• Received: 1 April 2007

Qualifiers

• research-article
• Research
• Refereed
