Conference Paper

A Policy-Based Authorization Framework for Web Services: Integrating XGTRBAC and WS-Policy.

IBM, San Jose
DOI: 10.1109/ICWS.2007.10 Conference: 2007 IEEE International Conference on Web Services (ICWS 2007), July 9-13, 2007, Salt Lake City, Utah, USA
Source: DBLP

ABSTRACT: Authorization and access control in Web services is complicated by the unique requirements of the dynamic Web services paradigm. Current authentication mechanisms for Web services do not differentiate between users in terms of fine-grained access privileges. The result is all-or-nothing access, which is not flexible enough for the modern-day business processes that execute using Web services. In this paper, we present a policy-based authorization framework to address this requirement. We have designed a profile of the well-known WS-Policy specification tailored to meet the access control requirements of Web services by integrating WS-Policy with an access control policy specification language, X-GTRBAC. The design of the profile is aimed at bridging the gap between available policy standards for Web services and existing policy specification languages for access control. The profile supports the WS-PolicyAttachment specification, which allows separate policies to be associated with multiple components of a Web service description; one of our key contributions is the design of an algorithm to compute the effective policy for the Web service given the multiple policy attachments. To allow Web service applications to use our solution, we have adopted a component-based design approach based on well-known UML notations. We have also prototyped our architecture and implemented it as a loosely coupled Web service providing healthcare information services to physicians, subject to the applicable authorization policies.
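The abstract refers to computing the effective policy of a Web service from several policy attachments. The following Python is an added illustration, not code from the paper and not the authors' own algorithm: it models only what the public WS-Policy 1.5 and WS-PolicyAttachment specifications define, namely that the policy in force for a subject is the merge of every policy attached at that subject and at its enclosing scopes (service, endpoint, operation), and that merging two normal-form policies cross-products their alternatives. The healthcare assertion names, the sample attachments and the admissibility check are constructed for the example.

```python
"""Effective-policy computation over WS-Policy attachments (added example).

A policy is kept in WS-Policy normal form: a list of alternatives, each a
frozenset of assertions. An assertion is modelled as a (name, value) tuple.
"""
from itertools import product

Assertion = tuple
Alternative = frozenset
Policy = list  # list of Alternative


def merge(p1: Policy, p2: Policy) -> Policy:
    """Merge two normal-form policies as WS-Policy 1.5 specifies: each
    alternative of the result is the union of one alternative from p1 and
    one from p2, so the result has len(p1) * len(p2) alternatives."""
    return [a1 | a2 for a1, a2 in product(p1, p2)]


def effective_policy(attachments: list) -> Policy:
    """Effective policy of a subject (WS-PolicyAttachment): the merge of the
    policies attached at the subject and at every enclosing scope. Starts
    from the empty policy, whose single alternative carries no assertions."""
    result: Policy = [frozenset()]
    for policy in attachments:
        result = merge(result, policy)
    return result


def admissible(alternative: Alternative, request: set) -> bool:
    """Constructed check for this example: an alternative is satisfied when
    every assertion it requires is present in the request context."""
    return all(assertion in request for assertion in alternative)


def authorize(attachments: list, request: set) -> bool:
    """A request is authorized if at least one alternative of the effective
    policy is satisfied by the request context."""
    return any(admissible(alt, request) for alt in effective_policy(attachments))


def sample_attachments() -> list:
    """Constructed sample: policies attached at the service, endpoint and
    operation scopes of a hypothetical healthcare Web service."""
    service_policy = [frozenset({("transport", "tls")})]
    endpoint_policy = [  # two alternatives: a physician, or a nurse in working hours
        frozenset({("role", "physician")}),
        frozenset({("role", "nurse"), ("time", "working-hours")}),
    ]
    operation_policy = [frozenset({("purpose", "treatment")})]  # ReadPatientRecord
    return [service_policy, endpoint_policy, operation_policy]


if __name__ == "__main__":
    for alt in effective_policy(sample_attachments()):
        print(sorted(alt))
    print(authorize(sample_attachments(),
                    {("transport", "tls"), ("role", "physician"), ("purpose", "treatment")}))
```

Because merging multiplies alternatives, the effective policy here has two alternatives (physician, or nurse during working hours), each also carrying the service-wide TLS requirement and the operation's purpose restriction; a request that satisfies the endpoint alternative but omits the service-level transport assertion is refused, which is the point of evaluating the merged policy rather than any single attachment.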

Other abstracts listed on this page:
  • ABSTRACT: The purpose of this paper is to present a survey of XML-based security standards that can be used for handling the security requirements of distributed computing systems such as Grid and Cloud. Distributed systems are expanding, and their growth is apparent from the advancements in distributed computing technologies such as Grid, peer-to-peer, Cloud and pervasive systems. As a result of this expansion, security requirements are also increasing and becoming more important. The expansion of Grid and Cloud demands new security standards for handling the specialized security requirements and concerns of these systems. Different security standards are in use for handling the security requirements of different systems. This paper presents a survey of important XML-based security standards, identifies general and specialized security requirements of Grid- and Cloud-like systems, and then relates them to security standards. The paper also presents a general, security-standards-based view of distributed computing systems showing the applicability of XML-based security standards in handling the security concerns of these systems.
  • ABSTRACT: In recent years, many password authenticated key exchange (PAKE) protocols have been proposed. However, many of them have been broken or have no security proof. In this paper, we propose an efficient password authenticated key exchange protocol using bilinear pairings. Compared with the previous PAKE protocol using bilinear pairings, our protocol is quite efficient in both communication cost and computational cost. Moreover, this paper proves that the novel protocol provides forward secrecy under the Bilinear Diffie-Hellman (BDH) assumption in the random oracle model.
  • ABSTRACT: Role-based access control (RBAC) has been proposed as an alternative solution for expressing access control policies. The generalized temporal RBAC (GTRBAC) extends RBAC by adding time in order to support time-based access control policies. However, GTRBAC does not address certain issues of concurrency, such as synchronization. We propose an approach to the expression of time and concurrency in RBAC based on timed Petri nets. A formal verification method for access control policies is also proposed.
    12/2008: pages 37-42