| In Web Service composition, the access control policies are usually defined in partner services which are composed by complex control logic of WS-BPEL. Thus, it is difficult for a system security administrator to specify the access control policies for the composite service.This paper proposes the Condition Based Access Control Policy Model transfer the current policy to two Boolean expression format conditions (Deny Condition and Permit Condition). Comparing to other access control policy model, we can easily integrate the policy with the Conditions of the control structure in WS-BPEL。Based on CBAC model, we defined three basic policy composition algebra{|,&,(?)}, and describes the commutability, associability property of this algebra. Besides, we derive two operators{S,(?)} to make the policy composition more completely and efficiently, especially for the Combination algorithms in XACML. Using the operator {J}, we can deal with the Control structures in WS-BPEL and map the control structures of WS-BPEL into corresponding policy expression, finally we can construct the access control policies of the composite service based on the control logic and the access control policies of the partner servicesWe also analyze all the variables in Boolean expressions of WS-BPEL conditions; define the user-related property and dynamic property. As to the dynamic property, we extend the WS-BPEL structure and the CBAC model, add new annotation in WS-BPEL to describe the dynamic properties, and finally we give the evaluation result with precondition to user for consideration.At last, we design and implement the prototype of Policy composition in WS-BPEL to describe the process of policy composition. The results demonstrate that our solution is an efficient, secure and practical approach to specify the policy of composite service. |
PDF Full Text Request