Research Of Role-based Web Services Security Policy

Posted on: 2012-03-29 | Degree: Master | Type: Thesis
Country: China | Candidate: C C Sun | Full Text: PDF
GTID: 2178330332990045 | Subject: Computer application technology
Abstract/Summary:
With the development of network information technology, the concept of Service-Oriented Architecture (SOA) was put forward. In layman's terms, SOA organizes the distributed functions of enterprise applications into standards-based services that can be shared, and these services can be combined and reused quickly to meet business needs. Because of its advantages, such as loose coupling, reusable and standardized service interfaces, efficient development, and fast response, SOA is applied more and more widely. But with the complexity of SOA and the diversity of its interfaces, its security management becomes more complex. Web Services, as an important technology for implementing SOA, have to a certain extent eased the problems faced by SOA. Web Services are a development model that can be used to solve application integration issues across different networks, and they provide technical support for the realization of "software as a service". "Software as a service" is essentially a mechanism for providing software services: with this mechanism, programming interfaces can be developed on the network, through which the related services a site provides can be shared.

With the rapid development of Web Services, security issues emerged very quickly, and research on Web Services security policy became particularly important. In general, a Web Services security policy covers at least three aspects: authentication policy, access control policy, and privacy policy. Access control, as an important security technique, faces enormous challenges, and traditional access control models cannot meet the needs of the Web Services environment. In the Discretionary Access Control model, rights are granted autonomously, so it is difficult to control the permissions that have been given out. The Mandatory Access Control model grants permissions strictly according to security level, which lacks flexibility. The Role-Based Access Control model is relatively flexible and makes permissions easy to manage, but roles are static and permissions cannot be reclaimed dynamically, so its access control is not fine-grained. The Attribute-Based Access Control model makes authorization decisions according to whether the attributes of the relevant entities meet the requirements, and it offers fine-grained, dynamic, and flexible access control.

Because of the above-mentioned shortcomings of these access control models, this paper makes an in-depth study of a role-based access control model for Web Services that combines the characteristics of RBAC and ABAC. The research in this paper is as follows:

1. The concept of Web Services and the related technologies are discussed. The structure and characteristics of Web Services and the core Web Services technologies (SOAP, WSDL, UDDI, etc.) are analyzed, the Web Services security specifications are discussed, and finally several access control models are described in detail.

2. A role-and-attribute-based access control model is proposed, which has been published as a journal paper in "Computer Technology and Development". The role-based access control model is described in detail, and the characteristics and advantages of the RBAC model are analyzed. In the proposed model, attributes are introduced into role-based access control. When authorizing, the system considers the user's role first; only when the user's role meets the requirements does it go on to consider the attribute factors, thus forming a double access control. With both roles and attributes, this model provides higher security and fine-grained access control, and it can adapt to the changing Web Services environment.

3. A role-based authorization model is proposed, which has been published as a journal paper in "Micro-Computer". The model was proposed after analyzing the advantages and disadvantages of each authorization model. In this model, delegating a role to a user considers not only the user's position but also other factors, from which user attribute levels are formed; different attribute levels correspond to different roles and thus to different access permissions, which control the users' access. Compared with the traditional authorization delegation model, this model has fine-grained access control and higher security.

4. The improved role-and-attribute-based access control model is implemented in an application. In this chapter, a simple student information management system architecture is designed, the RABAC model is applied to it, and its function and application methods are discussed.
Keywords/Search Tags:Web Services, RBAC, Attribute-based Access Control, Authorization, Delegation
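
The two-stage decision described in item 2 (role first, attributes only if the role qualifies), shown as an added example that is not code from the thesis. The role names, permission strings, attribute rules and sample records are assumptions made up for a student information system like the one in item 4.

```python
# Added illustration; role names, permissions and attribute rules are
# hypothetical and constructed for a student information system.
ROLE_PERMISSIONS = {
    "teacher": {"grades:read", "grades:write"},
    "student": {"grades:read"},
}

# Stage-2 predicates over (user, resource, environment) attributes,
# keyed by the role that passed stage 1 and the requested permission.
ATTRIBUTE_RULES = {
    ("teacher", "grades:write"):
        lambda u, r, e: u["department"] == r["department"] and e["grading_open"],
    ("teacher", "grades:read"):
        lambda u, r, e: u["department"] == r["department"],
    ("student", "grades:read"):
        lambda u, r, e: u["id"] == r["owner_id"],
}


def decide(user, permission, resource, env):
    """Return (allowed, reason); the role gate runs before any attribute rule."""
    # Stage 1: keep only the user's roles that carry the permission.
    roles = [x for x in user.get("roles", [])
             if permission in ROLE_PERMISSIONS.get(x, set())]
    if not roles:
        return False, "denied: role"  # attributes are never consulted
    # Stage 2: a qualifying role must also satisfy its attribute rule.
    for role in roles:
        rule = ATTRIBUTE_RULES.get((role, permission))
        if rule is None:
            continue  # fail closed: no rule means no grant
        try:
            if rule(user, resource, env):
                return True, f"permitted: {role}"
        except KeyError:
            continue  # a missing attribute is treated as not satisfied
    return False, "denied: attribute"


# Constructed sample data.
RECORD = {"owner_id": "s1", "department": "cs"}
TEACHER = {"id": "t1", "roles": ["teacher"], "department": "cs"}
STUDENT = {"id": "s1", "roles": ["student"], "department": "cs"}

if __name__ == "__main__":
    print(decide(TEACHER, "grades:write", RECORD, {"grading_open": True}))
    print(decide(TEACHER, "grades:write", RECORD, {"grading_open": False}))
    print(decide(STUDENT, "grades:write", RECORD, {"grading_open": True}))
```

The distinct denial reasons show which stage rejected a request, which is useful when auditing why an authorization failed.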