Research On Access Control For Web Services

Posted on: 2009-10-03 | Degree: Doctor | Type: Dissertation
Country: China | Candidate: Y Q Zhu | Full Text: PDF
GTID: 1118360242495152 | Subject: Communication and Information System
Abstract/Summary:
Web services are well known as a new distributed computing model and are widely accepted because of their reusability and interoperability. Web services are loosely coupled applications that use well-known XML protocols (such as SOAP, UDDI, WSDL) for representation and communication across the Internet. With the application and development of Web services, resources are shared more widely and efficiently. However, the open nature of the Internet and the loosely coupled construction of Web services make them vulnerable to various types of security attacks. Web services security has become an important factor restricting the further development of Web services. One aspect of security vulnerabilities in Web services is whether or not services are accessed by authorized users. It is valuable to study how to efficiently prevent unauthorized users from accessing Web services.

This dissertation focuses on Web services security. The research concerns access control and can be divided into three parts:

Firstly, we study the dynamic characteristics of subjects and objects and the application nature of Web services, and present a dynamic hierarchical RBAC model for Web services. In a Web service application environment, both the subject making the invocation request and the object providing service resources are dynamic, so access policies need to adapt to dynamic changes of subject and object. Also, both the resources and the resource attributes of Web services must be protected. In our model, the actor satisfies the need for dynamic change of subject and object, and hierarchical access policies protect both resource information and resource attributes. We define the model, give its detailed description, and give the authorization framework.

Secondly, we present a general attribute-based access control model for Web services in order to satisfy the security requirements of growing numbers of users and of rich policies that involve many resource attributes. As enterprises that provide services develop, systems define many access policies based on many resource attributes in order to protect resource information, and the number of users is increasing, which makes user-role assignment and permission management formidable tasks. So, we present a new access control model to meet these security needs. The proposed model introduces the notions of single attribute expression, composite attribute expression, and composition permission, defines a set of elements and the relations among them, and makes a set of rules that assign roles to users from the input values of the users' attributes. The model can support finer-grained resource information and rich access control policies, and is a general access control model that can be applied to a wider range of service applications.

Finally, we present a permission-based delegation model based on periodicity constraints. The model combines periodicity constraints with the PBDM model. We present the delegation judgement condition and the qualification judgement conditions of delegator and delegatee, give a delegation tree for analyzing delegation, and give several modes of revoking delegation.
Keywords/Search Tags:Web services, access control, role-based access control, attribute, periodicity, delegation