Attribute Access Control Model For Web Services With Service Negotiation Mechanism

Posted on: 2011-09-18
Degree: Master
Type: Thesis
Country: China
Candidate: J Wang
GTID: 2178360308958338
Subject: Computer software and theory

Abstract/Summary:
Web Services are an emerging distributed technology based on a series of standards such as XML, WSDL, SOAP and UDDI, and the technology is now widely used. Web Services are loosely coupled, language-independent and platform-independent, which has made them the e-business framework of the next generation. However, Web Services also bring security problems that the traditional access control models cannot solve. Access control protects system resources and guarantees authorized access by selecting among existing access control policies in light of the characteristics of Web Services. The access control model must provide access based on content and context, and must suit a heterogeneous and dynamic environment.

This paper first discusses Web Service technology, its security, and the traditional access control models. It then proposes an Attribute-Based Access Control Model for Web Services with Service Negotiation to provide an effective access control mechanism, including the design of the system architecture, the definitions of the model elements, and the algorithms for the access control process and for service negotiation. The access control model is developed in Electronic Control System, which validates its feasibility and correctness. The model is based on SAML (Security Assertion Markup Language) and XACML (Extensible Access Control Markup Language), and uses restrictive conditions composed of identity attributes and context attributes to provide fine-grained access control. The service negotiation ability in the model lets service requesters communicate with service providers and change the parameters in the request to get access to the services. In this way, the communication capability between service providers and requesters is enhanced.

Compared with the traditional access control models, the proposed model has the following advantages:

(1) Supporting the requirement of access across security domains. The model can provide access control services for service providers and requesters on the Internet. Attribute certificates are used for authentication and authorization. The attribute certificates are issued by Attribute Authorities.

(2) Supporting the requirement of communication between systems. The model can provide services for system integration and the combination of business processes.

(3) Providing fine-grained and dynamic access control by combining restrictive conditions on identity attributes and context attributes.

(4) Supporting service negotiation, so that service providers and service requesters can reach agreement on the service parameters.
Keywords/Search Tags:Web Services, Attribute-Based Access Control, Service Negotiation, Security Assertion Markup Language, Extensible Access Control Markup Language