Research On Policy-Based Access Control And Its Application For Web Services

The access control technology, widely applied to the security protection of operator system, database and various application systems, is significant to guarantee the security of information systems. Since the development of computer networks and distributed technology, especially the mature and widespread application of Web Services, the traditional access control has become much deficient on the complex session management and the integrated authority control, and can not efficiently deal with some new security challenges, such as scale, flexibility and interoperability, because of its limitation of the restrictive conditions configuration for access session and the execution mechanism. This thesis studys the security technology of the Web Services, analyzes the traditional access control and its deficiency, discusses the access control and implementation model of low coupling PBAC(Policy-Based Access Control).The thesis firstly introduces the Web Services technology and its security requirements in the access control, analyzes its security model and security specification, and investigates the theater that the Web Services have to face. Base on the analysis of the traditional access control model, proposes a low coupling PBAC access control. Finally, the thesis focuses on detail studying of the following respects used to describe and implement the model:1) The formal description of the low coupling PBAC access control. In this model, the authorization for session subject has been cancelled Through building the description of security-related attribute and access control policy, we realize the comprehensive restraint and management of the session requests. In order to improve the flexibility and multi-strategy support of the access control policies, the thesis introduces the rules, the technique of rules combination and strategic combination, and formulates independent mechanisms for the policy description, policy application and management. The logical relationship of entities in the model are also analyzed.2) The availability description of the access control policy. In order to improve the usability, flexibility and consistency of the policy, we use an XML-based language to describe the elements in the access control, including session entity, behavior, condition, and then we give the description methods about the policy rule, policy and policy-attachment. Finally, describing the meta-strategy with XML Schema, we establish the internal logic between policies of access control and standardize a unified description of the strategy.3) The realization of the low coupling PBAC access control. The Generalized Framework for Policy-Based Access Control(GFPBAC), which is easy to be extended, has been designed based on the Generalized Framework for Access Control(GFAC), and it is used to achieve the low coupling PBAC access control model. Furthermore, the thesis also analyzes the WCF(Windows Communiction Foundation) and its authorization model, takes the Web Services developed by using WCF as validation instance of prototype testing. The flexibility, adaptability, and multi-policy support of the low coupling PBAC Access Control Model has been verified.