The Research Of Multi-Security Domain Access Control In Web Services

As a new distributed technology, Web services is easy to expose the weaknesses and limitations of the existing security system, because of its inherent heterogeneity, dynamic nature, complexity and multinomial characteristic, so security issues must be solved before the web services'wide use. Access Control is an important security technology and is also a criterion for TCSEC (Trusted Computer System Evaluation Criteria) to evaluate the security of system, and therefore it's important to provide an access control model which is suitably for dynamic and multi-domain web services environment.There are a lot of security domains which use different access control technology in the web services environment, so the technology must be able to solve the problem of cross-domain access control. Based on the study XACML (Extensible Access Control Markup Language) which gives a standard access control framework, this paper presents a Web Services Trust-Based Access Control Model (WS-TBAC) by improving the framework with trust management technology, trust degree is used for access control in the model rather than the identity of subject, so only trust degree is need at the time of authorization, the paper also makes in-depth study on how to improve the performance of system and calculate trust degree. Assume the domain uses WS-TBAC model, this paper gives the method to calculate subject's trust degree according to subject's trust degree in request domain and request domain's trust degree in target domain. After get the subject's trust degree the model decide to allow the subject's request or not according to access control policy. The subject's trust degree in request domain and request domain's trust degree in target domain is updated after the visit; reflect the cross domain visit's impact on the subject's trust degree in request domain and request domain's trust degree. The paper also describes the process of cross-domain access control between WS-TBAC model and RBAC model. Finally the model's feasibility is proved by a simulation experiment and give a example to show the process of access request evaluation.