
Research On SSO And Access Control In Web Services Environment

Posted on: 2009-05-28
Degree: Master
Type: Thesis
Country: China
Candidate: H Zhang
Full Text: PDF
GTID: 2178360245982234
Subject: Computer software and theory
Abstract/Summary:
Service-Oriented Computing (SOC) is a new computing paradigm that uses services as the basic constructs to support rapid, low-cost development and easy composition of distributed applications, even in heterogeneous environments. Web Services are currently the most promising technology based on the concept of SOC. They are loosely coupled, platform-independent, heterogeneous, cross-domain and dynamically changing, which makes them suitable for SOC environments. However, Web Services still face many security challenges, such as Single Sign-On (SSO) and access control, which are the most important domains of security. When a user accesses a cross-domain service, the user is a stranger to the target service and therefore cannot be authenticated. Traditional SSO solutions are not suited to the Web Services environment. As with SSO, because users' identities are not known, it is very hard for an access control system to define roles and permissions. At the same time, rapidly changing business requirements make traditional access control systems unsuitable for the Web Services environment in terms of administrative scalability and control granularity. Access control systems cannot reasonably protect resources from unauthorized users. Currently, security has become one of the most important problems impeding the development of Web Services.

Based on an analysis of several techniques and standards of Web Services security, this paper carries out research on Web Services in three fields. First, it presents a SAML-based Web Services SSO model, in which services authenticate users based on SAML assertions. Two implementation patterns of the model and an SSO method for composite services are given, and the security of the model is analyzed. Second, it presents an attribute-based access control model for Web Services with negotiation mechanisms (Nego-ABAC). It improves on identity-based and role-based access control and solves access control for unknown users. Using negotiation mechanisms, Nego-ABAC becomes more autonomous and adaptive. Third, it presents a model for protecting users' sensitive attributes in the Web Services environment, based on trust level and a negotiation mechanism. In attribute-based access control (ABAC), users provide attributes to be evaluated. But some user attributes are sensitive, need to be protected, and cannot be sent to every service provider. So disclosing sensitive attributes requires comparing trust levels, negotiating, and authenticating the service provider's identity attributes. Finally, an extensible Web Services security system (EWSSSystem) is designed based on the above three fields.

In summary, this paper presents effective solutions to several key issues in Web Services security. We believe that our contributions lay a good groundwork for future research and engineering on Web Services security, both in theory and in practice.
Keywords/Search Tags: Service-Oriented Computing, Web Services, services security, SSO, access control, sensitive attribute protection