Modeling Authorization Policies for Web Services in Presence of Transitive Dependencies
Worachet Uttha, Clara Bertolissi, Silvio Ranise
2015
Abstract
Access control is a crucial issue for the security of Web Services. Since these are independently designed, implemented, and managed, each with its own access control policy, it is challenging to mediate the access to the information they share. In this context, a particularly difficult case occurs when a service invokes another service to satisfy an initial request, leading to indirect authorization errors. To overcome this problem, we propose a new approach based on a version of ORganization Based Access Control (OrBAC) extended by a delegation graph to keep track of transitive authorization dependencies. We show that Datalog can be used as the specification language of our model. As a byproduct of this, an automated analysis technique for simulating execution scenarios before deployment is proposed. Finally, we show how to implement an enforcement mechanism for our model on top of the XACML architecture. To validate our approach, we present a case study adapted from the literature.
References
- Abiteboul, S., Hull, R., and Vianu, V. (1995). Foundations of Databases. Addison-Wesley.
- Armando, A., Carbone, R., Compagna, L., and Pellegrino, G. (2012). Automatic Security Analysis of SAMLBased Single Sign-On Protocols.
- Bertolissi, C. and Fernández, M. (2014). A metamodel of access control for distributed environments: Applications and properties. Inf. Comput., 238:187-207.
- Brown, P. (2008). Implementing SOA: Total Architecture in Practice. TIBCO Press Series. Addison-Wesley.
- Carbonnelle, P. (2014). pyDatalog. google.com/site/pydatalog/.
- Ceri, S., Gottlob, G., and Tanca, L. (1989). What you always wanted to know about datalog (and never dared to ask). Knowledge and Data Engineering, IEEE Transactions on, 1(1):146-166.
- Chadwick, D., Otenko, S., and Nguyen, T. A. (2006). Adding support to xacml for dynamic delegation of authority in multiple domains. In Communications and Multimedia Security.
- Chen, W. and Warren, D. S. (1996). Tabled evaluation with delaying for general logic programs. Journal of the ACM, 43:43-1.
- Dantsin, E., Eiter, T., Gottlob, G., and Voronkov, A. (2001). Complexity and expressive power of logic programming. ACM Comput. Surv., 33(3):374-425.
- Fischer, J. and Majumdar, R. (2008). A theory of role composition. In IEEE Int. Conf. on Web Services, pages 320-328.
- Kalam, A., Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miege, A., Saurel, C., and Trouessin, G. (2003). Organization based access control. In 4th Int. Ws. POLICY, pages 120-131.
- Karp, A. and Li, J. (2010). Solving the transitive access problem for the services oriented architecture. In International Conference ARES, pages 46-53.
- Li, J. and Karp, A. H. (2007). Access control for the services oriented architecture. In Proceedings of the 2007 ACM Workshop on Secure Web Services, SWS 7807, pages 9-17. ACM.
- Li, N. and Mitchell, J. C. (2003). Datalog with constraints: a foundation for trust management languages. In PADL'03, pages 58-73.
- Mecella, M., Ouzzani, M., Paci, F., and Bertino, E. (2006). Access control enforcement for conversation-based web services. In 15th Int. Conf. on WWW, pages 257- 266, USA. ACM.
- She, W., Yen, I.-L., Thuraisingham, B., and Bertino, E. (2013). Security-aware service composition with finegrained information flow control. Services Computing, IEEE Transactions on, 6(3):330-343.
- Srivatsa, M., Iyengar, A., Mikalsen, T., Rouvellou, I., and Yin, J. (2007). An access control system for web service compositions. In IEEE Int. Conf. on Web Services, pages 1-8.
- Y. Deswarte, A. A. E. K. (2009). Poly-OrBAC: An access control model fior inter-organizational web services. IGI-Global.
Paper Citation
in Harvard Style
Uttha W., Bertolissi C. and Ranise S. (2015). Modeling Authorization Policies for Web Services in Presence of Transitive Dependencies . In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 293-300. DOI: 10.5220/0005548502930300
in Bibtex Style
@conference{secrypt15,
author={Worachet Uttha and Clara Bertolissi and Silvio Ranise},
title={Modeling Authorization Policies for Web Services in Presence of Transitive Dependencies},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={293-300},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005548502930300},
isbn={978-989-758-117-5},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - Modeling Authorization Policies for Web Services in Presence of Transitive Dependencies
SN - 978-989-758-117-5
AU - Uttha W.
AU - Bertolissi C.
AU - Ranise S.
PY - 2015
SP - 293
EP - 300
DO - 10.5220/0005548502930300