Abstract
With organizations increasingly depending on Web services to build complex applications, security and privacy concerns including the protection of access control policies are becoming a serious issue. Ideally, service providers would like to make sure that clients have knowledge of only portions of the access control policy relevant to their interactions to the extent to which they are entrusted by the Web service and without restricting the client’s choices in terms of which operations to execute. We propose ACConv, a novel model for access control in Web services that is suitable when interactions between the client and the Web service are conversational and long-running. The conversation-based access control model proposed in this article allows service providers to limit how much knowledge clients have about the credentials specified in their access policies. This is achieved while reducing the number of times credentials are asked from clients and minimizing the risk that clients drop out of a conversation with the Web service before reaching a final state due to the lack of necessary credentials. Clients are requested to provide credentials, and hence are entrusted with part of the Web service access control policies, only for some specific granted conversations which are decided based on: (1) a level of trust that the Web service provider has vis-à-vis the client, (2) the operation that the client is about to invoke, and (3) meaningful conversations which represent conversations that lead to a final state from the current one. We have implemented the proposed approach in a software prototype and conducted extensive experiments to show its effectiveness.
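As an added illustration (not code from the ACConv paper or its prototype), the following Python sketch models a conversation protocol as a finite automaton with a credential policy per operation, and computes, for a client at a given state, next operation and trust level, the meaningful conversations, the granted ones, and the credentials to request once up front. All states, operations, credential types and trust levels are constructed here, and the granting rule (every credential on a conversation must sit within the client's trust level) is an assumption, not the paper's algorithm.

```python
# Constructed example: a conversation protocol as a finite automaton.
# Transitions map (state, operation) -> next state; each operation has a
# set of required credential types; each credential type carries the
# minimum trust level at which the provider is willing to disclose it
# in its policy (hypothetical values chosen for illustration).
TRANSITIONS = {
    ("start", "search"): "browsing",
    ("browsing", "addToCart"): "cart",
    ("cart", "checkout"): "paid",
    ("cart", "requestQuote"): "quoted",
    ("quoted", "checkout"): "paid",
}
FINAL_STATES = {"paid"}
OP_CREDENTIALS = {
    "search": set(),
    "addToCart": {"customerId"},
    "checkout": {"customerId", "creditCard"},
    "requestQuote": {"customerId", "businessLicense"},
}
CREDENTIAL_TRUST = {"customerId": 1, "creditCard": 2, "businessLicense": 3}

def meaningful_conversations(state):
    """Operation sequences leading from `state` to a final state (cycle-free)."""
    results = []
    def walk(s, path, seen):
        if s in FINAL_STATES and path:
            results.append(tuple(path))
            return
        for (src, op), dst in TRANSITIONS.items():
            if src == s and dst not in seen:
                walk(dst, path + [op], seen | {dst})
    walk(state, [], {state})
    return results

def granted_conversations(state, next_op, trust_level):
    """Meaningful conversations starting with next_op whose credentials the
    provider is willing to disclose at this trust level (assumed rule)."""
    granted = []
    for conv in meaningful_conversations(state):
        needed = set().union(*(OP_CREDENTIALS[op] for op in conv))
        if conv[0] == next_op and all(CREDENTIAL_TRUST[c] <= trust_level for c in needed):
            granted.append(conv)
    return granted

def credentials_to_request(state, next_op, trust_level, already_presented):
    """Credentials to ask for in one round, covering every granted conversation."""
    granted = granted_conversations(state, next_op, trust_level)
    if not granted:
        # Assumption: with nothing granted, fall back to the next operation's own policy.
        return OP_CREDENTIALS[next_op] - set(already_presented)
    needed = set().union(*(OP_CREDENTIALS[op] for conv in granted for op in conv))
    return needed - set(already_presented)
```

Requesting the union of credentials for all granted conversations up front is what lets the client be asked only once, while credentials on conversations above its trust level (here `businessLicense` at trust 2) are never disclosed.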
ACConv -- An Access Control Model for Conversational Web Services