Attribute-based Access Control Model For Web Services

Posted on: 2007-07-29
Degree: Master
Type: Thesis
Country: China
Candidate: J Li
GTID: 2178360212468606
Subject: Computer software and theory
Abstract/Summary:
As a new model for distributed computing, Web services greatly improve the development of B2B applications. Because they are implemented on general-purpose protocols and technologies, Web services are interoperable: WSDL is used to describe published interfaces, UDDI is used to publish and locate Web services, SOAP encapsulates the messages transferred between Web services, and HTTP or SMTP transports the messages over the Internet. The openness of the Internet makes Web services vulnerable to attack, and the HTTP protocol aggravates this situation. It is therefore important to protect Web services from unauthorized access and malicious invocation.

This paper focuses on access control for Web services. First, the access control challenges for Web services and SOA are outlined, and the defects of current information security mechanisms are surveyed. Today's access control models are mostly static and coarse-grained, and they are not well suited to service-oriented environments, where information access is dynamic and ad hoc in nature. Then an attribute-based access control (ABAC) model is proposed, which makes authorization decisions dynamically and at fine granularity based on subject, resource and environment attributes. It uses XACML (Extensible Access Control Markup Language) to describe access control criteria and combines the power of XACML and SAML (Security Assertion Markup Language) to meet a distributed system's authorization needs. The new model is more flexible and is especially suitable for the dynamic, ad hoc environment of Web services. The paper describes the ABAC model in terms of its authorization architecture and policy formulation, and makes a detailed comparison between ABAC and traditional role-based models, which clearly shows the advantages of ABAC.
Finally, the paper describes how this new model can be applied to securing Web service invocations, with an implementation based on standard protocols and open-source tools.

The attribute-based access control model in this paper has many advantages over traditional models: (1) it is intuitive for modeling and managing real-world access control policies; (2) it is based on SAML and XACML, which makes it more interoperable; (3) it is more flexible and more powerful in describing complex, fine-grained access...
Keywords/Search Tags: Web Services, Access Control, SAML, XACML