
Research And Design Of Role-based Access Control Mechanism For Web Services

Posted on: 2008-01-13
Degree: Master
Type: Thesis
Country: China
Candidate: W L Wang
GTID: 2178360242972330
Subject: Computer application technology

Abstract/Summary:
Web Services are rapidly becoming a fundamental paradigm for the development of complex Web applications. Because Web Services are built in an open, distributed environment, access control has become the key factor restricting their wider adoption. It is important to develop an effective access control mechanism to protect Web Services from unauthorized access and malicious invocation.

Web Services require access control for both single services and composite services. Existing access control mechanisms can hardly meet this requirement, because most of them cannot reflect the dynamic activation process of permissions and do not deal well with composite services. This paper therefore addresses these issues through two lines of research.

On one hand, an extended RBAC model, called RBDAC, is proposed and formally defined. Unlike the traditional RBAC model, the RBDAC model extends the notions of role and permission to reflect the service-oriented architecture of Web Services. In addition, the RBDAC model strengthens the influence of context on the access control decision, dynamically activating user-role assignments and role-permission assignments based on the current context. The RBDAC model is well suited to fine-grained access control in the Web Services environment.

On the other hand, this paper improves the IRBAC 2000 model by adopting constraints on the role mappings and the detection algorithms for services; as a result, the security problems of using role mapping are solved. Based on the improved model, an inter-domain access control solution combining Chameleon Hashing is presented. It has the advantage of creating role mappings dynamically and providing management flexibility. This novel access control solution can enforce authorization when composite services are called between two administrative domains.

Based on the above theories, this paper also outlines the logical access control architecture for Web Services. It explains how to specify the access control policy using the extended XACML standard, and the two important subcomponents of this module are analyzed and implemented. The last part of the paper uses a demonstration to verify the validity of this access control module. The demonstration shows that the access control module can grant permissions to users according to the current context, and can create or manage role mappings automatically. Consequently, it can offer access control for both single services and composite services.
Keywords/Search Tags:Web Services, Access Control, RBAC, Context, Role Mapping