DOI: 10.1145/1314418.1314421

Access control for the services oriented architecture

Published: 02 November 2007

Abstract

Federated Identity Management (FIdM) is being applied to Services Oriented Architecture (SOA) deployments that cross enterprise boundaries. Though federation is essential to address the distributed nature of SOA, these FIdM solutions have been found to be inflexible, unscalable, and difficult to use, manage, and upgrade. We contend that a major reason for these difficulties is that FIdM addresses the wrong aspect of the problem: it federates identities but not the access policies that govern what those identities may do. What is needed is a system for Federated Access Management (FAccM). This paper demonstrates the benefits of FAccM over FIdM for SOA deployments and shows how FAccM can be implemented using existing web services standards.
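The abstract contrasts federating identities with federating access policies but does not describe a mechanism. The following is an added example, not code from the paper or its authors, that models both approaches so the difference is concrete. In the FIdM half, service B trusts A's identity provider to say who is calling and then consults B's own ACL, so a contractor from a third enterprise cannot be admitted without B changing its policy (or the employee sharing her account). In the FAccM half, B's resource owner issues a signed authorization for the operation, the holder delegates by signing an attenuated link that chains to it, and B verifies the chain without ever having heard of the delegate. Principals, keys and resource names are invented, and HMAC with keys the verifier also holds stands in for public-key signatures; carrying such a token in a WS-Security header signed with XML-Signature is my assumption about how it would map onto the existing web services standards the abstract mentions, not a detail the abstract gives.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed per-principal keys. HMAC with a key the verifier also holds stands in for
# a public-key signature; a real deployment would use XML-Signature over a WS-Security
# token. Principals, resources and keys are invented for this example.
KEYS: Dict[str, bytes] = {
    "idp@a.example": b"k-idp-a",      # identity provider at enterprise A
    "owner@b.example": b"k-owner-b",  # owner of the resource hosted at enterprise B
    "alice@a.example": b"k-alice",    # employee of A, authorized by B's resource owner
    "carol@c.example": b"k-carol",    # contractor at C, unknown to B in advance
}

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(principal: str, claim: dict) -> dict:
    """Return a token: the claim plus a signature by `principal`."""
    sig = hmac.new(KEYS[principal], canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "sig": sig}

def verify(principal: str, token: dict) -> bool:
    if principal not in KEYS:
        return False
    expected = hmac.new(KEYS[principal], canonical(token["claim"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sig"])

def digest(token: dict) -> str:
    return hashlib.sha256(canonical(token)).hexdigest()

# ---- FIdM: B trusts A's IdP to say WHO is calling, then applies B's own local policy. ----
SERVICE_ACL = {("copy", "/data/report.csv"): {"alice@a.example"}}

def idp_assertion(subject: str) -> dict:
    return sign("idp@a.example", {"issuer": "idp@a.example", "subject": subject})

def fidm_decide(assertion: dict, op: str, resource: str) -> str:
    if assertion["claim"]["issuer"] != "idp@a.example" or not verify("idp@a.example", assertion):
        return "deny: untrusted or invalid identity assertion"
    subject = assertion["claim"]["subject"]
    if subject in SERVICE_ACL.get((op, resource), set()):
        return f"allow: {subject}"
    return f"deny: no ACL entry for {subject}"  # every federated principal must be pre-listed at B

# ---- FAccM: B's resource owner issues the authorization; holders delegate by chaining. ----
def grant(issuer: str, holder: str, ops: List[str], resource: str, parent: Optional[dict] = None) -> dict:
    claim = {"issuer": issuer, "holder": holder, "ops": sorted(ops), "resource": resource,
             "parent": digest(parent) if parent else None}
    return sign(issuer, claim)

def verify_chain(chain: List[dict], op: str, resource: str) -> Tuple[bool, str]:
    """Walk a delegation chain rooted at the resource owner; each link may only attenuate."""
    if not chain:
        return False, "empty chain"
    root = chain[0]["claim"]
    if root["issuer"] != "owner@b.example" or root["parent"] is not None:
        return False, "chain not rooted at the resource owner"
    for i, link in enumerate(chain):
        c = link["claim"]
        if not verify(c["issuer"], link):
            return False, f"bad signature on link {i}"
        if i > 0:
            prev = chain[i - 1]["claim"]
            if c["issuer"] != prev["holder"] or c["parent"] != digest(chain[i - 1]):
                return False, f"link {i} not issued by the previous holder"
            if c["resource"] != prev["resource"] or not set(c["ops"]) <= set(prev["ops"]):
                return False, f"link {i} tries to amplify rights"
    last = chain[-1]["claim"]
    if last["resource"] != resource or op not in last["ops"]:
        return False, "authorization does not cover this request"
    return True, last["holder"]

def faccm_decide(request: dict) -> str:
    """The request itself is signed by the final holder, proving possession of the authorization."""
    c = request["claim"]
    ok, info = verify_chain(c["chain"], c["op"], c["resource"])
    if not ok:
        return f"deny: {info}"
    if not verify(info, request):
        return "deny: request not signed by the authorization's holder"
    return f"allow: {info}"

def demo() -> Dict[str, str]:
    """Alice (enterprise A) holds the right; she wants contractor Carol (enterprise C) to run the copy."""
    res = "/data/report.csv"
    out: Dict[str, str] = {}
    out["fidm_alice"] = fidm_decide(idp_assertion("alice@a.example"), "copy", res)
    # Carol has no assertion B trusts and no ACL entry: B must change policy, or Alice shares her account.
    carol_self = sign("carol@c.example", {"issuer": "carol@c.example", "subject": "carol@c.example"})
    out["fidm_carol"] = fidm_decide(carol_self, "copy", res)
    root = grant("owner@b.example", "alice@a.example", ["copy", "delete"], res)
    to_carol = grant("alice@a.example", "carol@c.example", ["copy"], res, parent=root)
    out["faccm_carol_copy"] = faccm_decide(sign("carol@c.example", {"chain": [root, to_carol], "op": "copy", "resource": res}))
    # Attenuation: Carol was delegated copy only, and cannot mint herself a wider link.
    out["faccm_carol_delete"] = faccm_decide(sign("carol@c.example", {"chain": [root, to_carol], "op": "delete", "resource": res}))
    wider = grant("carol@c.example", "carol@c.example", ["copy", "delete"], res, parent=to_carol)
    out["faccm_escalation"] = faccm_decide(sign("carol@c.example", {"chain": [root, to_carol, wider], "op": "delete", "resource": res}))
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The point the verifier at B enforces is that every link must be signed by the previous link's holder, must hash-bind to its parent, and may only narrow the operation set; B never needs a record of Carol, and Alice never hands over her own credential. The `fidm_carol` outcome is the inflexibility the abstract describes: admitting a new principal requires B to change its policy and its federation relationships.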

Published In

SWS '07: Proceedings of the 2007 ACM workshop on Secure web services
November 2007, 128 pages
ISBN: 9781595938923
DOI: 10.1145/1314418
Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

1. SOA
2. access control
3. federated identity management
4. FIdM
5. services oriented architecture
6. web services

Conference: CCS07
