Conference Paper

A Policy-Based Authorization Framework for Web Services: Integrating XGTRBAC and WS-Policy.

IBM, San Jose;
DOI: 10.1109/ICWS.2007.10 Conference: 2007 IEEE International Conference on Web Services (ICWS 2007), July 9-13, 2007, Salt Lake City, Utah, USA
Source: DBLP

ABSTRACT Authorization and access control in Web services is complicated by the unique requirements of the dynamic Web services paradigm. Current authentication mechanisms for Web services do not differentiate between users in terms of fine-grained access privileges. This results in an all-or-nothing access which is not flexible enough for modern day business processes using Web services to execute. In this paper, we present a policy-based authorization framework to address this requirement. We have designed a profile of the well-known WS-policy specification tailored to meet the access control requirements in Web services by integrating WS-policy with an access control policy specification language, X-GTRBAC. The design of the profile is aimed at bridging the gap between available policy standards for Web services and existing policy specification languages for access control. The profile supports the WS-policy attachment specification, which allows separate policies to be associated with multiple components of a Web service description, and one of our key contributions is the design of an algorithm to compute the effective policy for the Web service given the multiple policy attachments. To allow Web service applications to use our solution, we have adopted a component-based design approach based on well-known UML notations. We have also prototyped our architecture, and implemented it as a loosely coupled Web service providing healthcare information services to physicians subject to applicable authorization policies.

  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: E-Health systems logically demand a sufficiently fine-grained authorization policy for access control. The access to medical information should not be just role-based but should also include the contextual condition of the role to access data. In this paper, we present a mechanism to extend the standard role-based access control to incorporate contextual information for making access control decisions in e-health application. We present an architecture consisting of authorisation and context infrastructure that work cooperatively to grant access rights based on context-aware authorization policies and context information.
    12/2008: pages 68-77;
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: The purpose of this paper is to present a survey of XML-based security standards that can be used for handling security requirements of distributed computing systems like Grid and Cloud. Distributed systems are expanding and their growth is apparent from the advancements in the field of distributed computing technologies like Grid, Peer-to-peer, Cloud, Pervasive Systems etc. As a result of this expansion, security requirements are also increasing and becoming important. The expansion of Grid and Cloud demands new security standards for handling specialized security requirements and concerns of these systems. Different security standards are in use for handling security requirements of different systems. This paper presents a survey of important XML-based security standards, identifies general and specialized security requirements of Grid and Cloud like systems and then relates them to security standards. The paper also presents a general, security standards based view of distributed computing systems showing the applicability of XML-based security standards in handling security concerns of these systems.
    International Journal of Engineering and Technology. 01/2013;
  • Source
    ICEIS 2010 - Proceedings of the 12th International Conference on Enterprise Information Systems, Volume 3, ISAS, Funchal, Madeira, Portugal, June 8 - 12, 2010; 01/2010