Conference Paper

A Policy-Based Authorization Framework for Web Services: Integrating XGTRBAC and WS-Policy

IBM, San Jose
DOI: 10.1109/ICWS.2007.10 Conference: 2007 IEEE International Conference on Web Services (ICWS 2007), July 9-13, 2007, Salt Lake City, Utah, USA
Source: DBLP


Authorization and access control in Web services is complicated by the unique requirements of the dynamic Web services paradigm. Current authentication mechanisms for Web services do not differentiate between users in terms of fine-grained access privileges. This results in an all-or-nothing access which is not flexible enough for modern day business processes using Web services to execute. In this paper, we present a policy-based authorization framework to address this requirement. We have designed a profile of the well-known WS-policy specification tailored to meet the access control requirements in Web services by integrating WS-policy with an access control policy specification language, X-GTRBAC. The design of the profile is aimed at bridging the gap between available policy standards for Web services and existing policy specification languages for access control. The profile supports the WS-policy attachment specification, which allows separate policies to be associated with multiple components of a Web service description, and one of our key contributions is the design of an algorithm to compute the effective policy for the Web service given the multiple policy attachments. To allow Web service applications to use our solution, we have adopted a component-based design approach based on well-known UML notations. We have also prototyped our architecture, and implemented it as a loosely coupled Web service providing healthcare information services to physicians subject to applicable authorization policies.

8 Reads
  • Source
    • "Each user in a given role can then access the only part of the system (atomic services and data attributes) circumscribed by his access rights or privileges. These technologies have been extended to take into account temporal constraints on user-role assignments (X- GTRBAC (Joshi et al., 2005)) and Web services as protected resources (WS-RBAC (Bhatti et al., 2007)). They are, however, not adapted to long running processes , as those encountered in an SOA environment, and lack the expressive power to refer to past actions (which are elements of traces in process algebra notations ). "
    [Show abstract] [Hide abstract]
    ABSTRACT: This paper describes an ongoing project on the specification and automatic implementation of functional security policies. We advocate a clear separation between functional behavior and functional security requirements. We propose a formal language to specify functional security policies. We are developing techniques by which a formal functional security policy can be automatically implemented. Hence, our approach is highly inspired from model-driven engineering. Furthermore, our formal language will enabled us to use model checking techniques to verify that a security policy satisfies desired properties.
    Full-text · Conference Paper · Jan 2010
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: E-Health systems logically demand a sufficiently fine-grained authorization policy for access control. The access to medical information should not be just role-based but should also include the contextual condition of the role to access data. In this paper, we present a mechanism to extend the standard role-based access control to incorporate contextual information for making access control decisions in e-health application. We present an architecture consisting of authorisation and context infrastructure that work cooperatively to grant access rights based on context-aware authorization policies and context information.
    Full-text · Chapter · Dec 2008
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Recently IPTV is being spotlighted as a new stream service to stably provide video, audio and control signals to subscribers through the application of IP protocol. However, the IPTV system is facing more security threats than the traditional TV. This study proposes a multicasting encryption mechanism for secure transmission of the contents of IPTV by which the content provider encrypts their contents and send the encrypted contents and the key used for encryption of the contents to the user. In order to reduce the time and cost of Head-End, the proposed mechanism encrypts the media contents at the Head-End, embeds the code of the IPTV terminal used at the Head-End in the media contents for user tracking, and performs desynchronization for protection of the media contents from various attacks.
    Preview · Chapter · Dec 2008
Show more