The Research And Implementation Of Role-Based Access Control On Web Service

Posted on: 2013-05-17
Degree: Master
Type: Thesis
Country: China
Candidate: C Wang
Full Text: PDF
GTID: 2248330371966972
Subject: Information security
Abstract/Summary:
With the wide adoption of SOA, Web Service, as one of the best ways to realize SOA, plays an increasingly important role in enterprises. Web Service uses SOAP for communication. For the sake of simplicity, security was not addressed in SOAP's original design. At the same time, SOAP was designed with extensibility in mind, so a series of extension standards, for instance WS-Security, can be used to provide communication security for it. Although communication security is thereby guaranteed, there is no standard that specifies how to enable access control in a Web Service. Since SOAP is based on XML, XML standards can also be applied to SOAP. XACML is the standard for access control in XML, so XACML can be used to enable access control in a Web Service by extending SOAP.

There are three main entities in typical access control: Subject, Resource and Action. A Subject requests permission to perform an Action on a Resource. In XACML, the target of a policy is described as a set of attributes and their values, covering Subject, Resource and Action. The value of each attribute in the policy is compared with the same attribute in the request; if they match, the policy is considered applicable to the request. The policy is then evaluated to decide whether to permit or deny according to its predefined effect. Access control is divided into Discretionary Access Control, Mandatory Access Control and Role-Based Access Control; nowadays the most widely used is Role-Based Access Control. In January 2005, OASIS issued version 2.0 of the XACML RBAC Profile, which makes XACML support Role-Based Access Control. Unfortunately, this version supports only Core RBAC and Hierarchical RBAC, excluding Constrained RBAC. Based on this fact, and on a thorough study of the theory and technology of Web Service and access control, this paper proposes a solution that makes XACML support Constrained RBAC.

By extending the Header element of SOAP, the solution supports Constrained RBAC and makes up for the defect of version 2.0 of the XACML RBAC Profile, which cannot support it, in particular its Dynamic Separation of Duty. At the same time, the solution makes full use of XACML features such as deny permission and the Obligations mechanism to achieve Dynamic Separation of Duty easily and reliably. Furthermore, the solution applies the extended XACML RBAC to Web Service and uses examples to show that this is very easy to do, as it only requires adding a Header element. In chapter 5, Apache's Axis2/Java and Sun's XACML Implementation are used to realize the solution. At the end of the paper, the realization is tested to demonstrate the correctness of the solution.
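To make the Constrained RBAC mechanism concrete, the following Python sketch (an added example, not the thesis's Axis2/Sun XACML implementation) models XACML-style target matching, deny-overrides rule evaluation, and Dynamic Separation of Duty enforced by a Deny rule plus an "activate-role" Obligation that the enforcement point fulfils. The role names, resources, the session attribute and the conflicting role pair are constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed DSoD constraint: 'cashier' and 'auditor' may not both be active in one session.
EXCLUSIVE_ROLE_PAIRS = {frozenset({"cashier", "auditor"})}

@dataclass
class Rule:
    target: dict                   # attribute/value pairs the request must match
    effect: str                    # "Permit" or "Deny"
    condition: object = None       # optional predicate over the request context
    obligations: list = field(default_factory=list)

def target_matches(target: dict, request: dict) -> bool:
    """XACML-style target match: every target attribute equals the request's value."""
    return all(request.get(k) == v for k, v in target.items())

def dsod_conflict(request: dict) -> bool:
    """True when the requested role conflicts with a role already active in the session."""
    return any(frozenset({r, request["role"]}) in EXCLUSIVE_ROLE_PAIRS
               for r in request.get("active_roles", ()))

POLICY = [  # deny-overrides combining: the Deny rule is checked before any Permit rule
    Rule(target={}, effect="Deny", condition=dsod_conflict),
    Rule(target={"role": "cashier", "resource": "till", "action": "open"},
         effect="Permit", obligations=["activate-role"]),
    Rule(target={"role": "auditor", "resource": "ledger", "action": "read"},
         effect="Permit", obligations=["activate-role"]),
]

def pdp_evaluate(request: dict):
    """Policy Decision Point: return (decision, obligations) under deny-overrides."""
    result = ("NotApplicable", [])
    for rule in POLICY:
        if not target_matches(rule.target, request) or (
                rule.condition is not None and not rule.condition(request)):
            continue
        if rule.effect == "Deny":
            return ("Deny", [])
        result = ("Permit", list(rule.obligations))
    return result

def pep_request(sessions: dict, session: str, role: str, resource: str, action: str) -> str:
    """Policy Enforcement Point: adds session state (as the SOAP header would carry it)
    to the request context and fulfils the returned obligation."""
    active = sessions.setdefault(session, set())  # roles activated so far in this session
    ctx = {"role": role, "resource": resource, "action": action,
           "active_roles": frozenset(active)}
    decision, obligations = pdp_evaluate(ctx)
    if decision == "Permit" and "activate-role" in obligations:
        active.add(role)  # obligation fulfilled: the role is now active in this session
    return decision
```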
Keywords/Search Tags: web service, access control, SOAP, XACML, RBAC