
Research On Access Control Mechanism For Web Services

Posted on: 2009-01-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X X Yan
GTID: 1118330338985605
Subject: Computer software and theory
Abstract/Summary:
Web Services is an important method for realizing Service-Oriented Architecture (SOA) and a basic technology for information systems integration. Access control is a key issue in Web Services security. Web Services must handle access control across multiple security domains, so classic access control mechanisms cannot satisfy the needs of Web Services access control.

This thesis studies access control mechanisms for Web Services. After analyzing the challenges of Web Services access control and surveying access control models for Web Services, a new Attribute Based Access Control (ABAC) model for Web Services is proposed. It can represent structured attributes, and it changes rule representation from a relation between authorization and attributes to a relation among attributes. Borrowing ideas from structured knowledge representation and Horn logic languages, a logic language called Structured Attribute Logic Language (SALL) is proposed to represent ABAC policy with both structured knowledge representation and rule representation. A logic deduction system based on SALL is designed as the basis for Web Services access control authorization decisions. A Web Services Firewall is proposed and implemented as a platform for Web Services access control. The challenges of Web Services access control include access control across multiple security domains, dynamic authorization, and standards for Web Services access control. The main idea of the ABAC model is that every factor associated with an authorization decision is abstracted as an attribute. This model has no central administrator and is more flexible than other models in dealing with the challenges of Web Services access control.
A new ABAC model that can represent structured attributes is proposed for Web Services access control. This model changes policy rule representation from a relation between attributes and authorization to a relation among attributes, which improves the expressiveness of policy rules. To represent Web Services access control policy, the SALL language is proposed and specified by a formal syntax and semantics. The structured attribute is the basic element of SALL; it is represented by a quaternion (name, owner, ca, items), where name is the attribute name, owner is the subject who owns the attribute, ca is the authority trusted to vouch for the attribute, and items, a structured datum, is the value of the attribute. The formal syntax of SALL is built from structured attributes and basic first-order logic symbols. The semantics of SALL is interpreted with sets and functions: the name of an attribute or attribute term is interpreted as a 0-arity function, and the value of an attribute or attribute term is interpreted as a set, so there is no distinction between class and instance. Under this semantic interpretation, structured attributes can describe many conditions associated with access control authorization decisions, and so they satisfy the needs of access control in many situations. SALL defines valid attributes, and on that basis defines valid logic formulas and logic deduction. A special SALL deduction system is proposed for Web Services access control authorization decisions. This deduction system uses only a special class of attribute logic formulas, called attribute formulas, and can only be used to deduce atomic attribute formulas. The system has a single deduction rule, named the resolved rule based on attribute classification.
The idea of the deduction rule is to associate an atomic attribute formula that needs to be proved, called the unknown attribute formula, with a policy rule, and then to deduce from that rule. An attribute deduction algorithm is designed for the deduction system, and its validity and termination are proved. Using the SALL language and deduction system makes policy representation more flexible and so improves expressiveness. Access control policy based on SALL can represent identity-based access control policy, role-based access control policy, and trust-management-based access control policy. The SALL deduction system can serve as a general authorization decision engine, which simplifies the design and implementation of access control systems. The access control framework based on SALL consists of a Policy Enforcement Point (PEP), an attribute management module, a policy management module, and an authorization decision module. Implementing the PEP is a difficult problem when an access control system is built. After analyzing how Web Services are processed on Windows systems, a Web Services Firewall is designed and implemented. The Web Services Firewall can be used as a platform for Web Services access control, and it can also filter malicious SOAP messages.
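The deduction described above, as an added illustration that is not part of the thesis or its SALL implementation: structured attributes as (name, owner, ca, items) tuples, policy rules as Horn clauses over them, and backward chaining that resolves an unknown atomic attribute formula against a rule head until only facts remain, with a depth bound for termination. The attribute names, domains and "?"-variable syntax are constructed for the example and are not SALL's own.

```python
import itertools
# Structured attribute <name, owner, ca, items> with items a tuple; strings that
# start with "?" are rule variables (assumed syntax, not SALL's own).
_fresh = itertools.count()
MAX_DEPTH = 50  # assumed bound so deduction terminates on cyclic policies

def rename(term, n):  # standardize apart: fresh variable names per rule use
    if isinstance(term, tuple):
        return tuple(rename(t, n) for t in term)
    return f"{term}#{n}" if isinstance(term, str) and term.startswith("?") else term

def unify(a, b, binds):  # extended bindings, or None when the terms clash
    while isinstance(a, str) and a in binds: a = binds[a]   # follow bindings
    while isinstance(b, str) and b in binds: b = binds[b]
    if isinstance(a, str) and a.startswith("?"): return {**binds, a: b}
    if isinstance(b, str) and b.startswith("?"): return {**binds, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            binds = unify(x, y, binds)
            if binds is None: return None
        return binds
    return binds if a == b else None

def solve(goals, kb, binds, depth=0):
    """Resolve the first unknown attribute formula against a rule head, then prove the body."""
    if not goals: yield binds; return
    if depth > MAX_DEPTH: return
    goal, rest = goals[0], goals[1:]
    for head, body in kb:
        head, body = rename((head, body), next(_fresh))
        b = unify(head, goal, binds)
        if b is not None:
            yield from solve(list(body) + rest, kb, b, depth + 1)

def authorized(goal, kb):  # decision: does any derivation of the atomic goal exist?
    return next(solve([goal], kb, {}), None) is not None

# Constructed policy: domain B trusts ca_A for "role" attributes; a doctor from a
# trusted CA may read patient records; writing also needs domain B's own onDuty.
KB = [
    (("role", "alice", "ca_A", ("doctor",)), ()),        # facts have an empty body
    (("role", "carol", "ca_C", ("doctor",)), ()),        # doctor, but untrusted CA
    (("trusts", "domainB", "domainB", ("ca_A", "role")), ()),
    (("onDuty", "alice", "ca_B", ("true",)), ()),
    (("permit", "?s", "domainB", ("patientRecords", "read")),
     (("role", "?s", "?ca", ("doctor",)), ("trusts", "domainB", "domainB", ("?ca", "role")))),
    (("permit", "?s", "domainB", ("patientRecords", "write")),
     (("permit", "?s", "domainB", ("patientRecords", "read")), ("onDuty", "?s", "ca_B", ("true",)))),
]
```

Because the trusted-CA check is a body atom like any other, the same engine refuses carol's doctor attribute from ca_C even though its items match; that is the cross-domain case the thesis addresses.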
Keywords/Search Tags: Web Services, Access Control, structured attribute, SALL, resolved rule based on attribute classification