
Research On Web Services Access Control Technology In SOA Multi-domain Environment

Posted on: 2014-09-08
Degree: Master
Type: Thesis
Country: China
Candidate: H Q Jiang
Full Text: PDF
GTID: 2268330401976769
Subject: Military communications science

Abstract/Summary:
SOA is an emerging software architecture. It provides a convenient method for achieving multi-domain heterogeneous information system integration. Web services are the mainstream way to achieve SOA. How to provide efficient access control protection to Web services in the SOA multi-domain environment, given its autonomy, cross-platform and dynamic characteristics, is a challenging task. Therefore, in this dissertation, we carry out in-depth research on the problem of access control for Web services in the SOA multi-domain environment. The main contributions of this dissertation include the following aspects.

1. The attribute-based composite Web service access control model CWS-ABAC is put forward, according to the access control requirements for Web services in SOA multi-domain environments. The CWS-ABAC model integrates the characteristics of the attribute-based access control model, which supports dynamic, fine-grained access control, and it introduces the services composition relation and the access control policy composition relation. Thus, dynamic and fine-grained access control for composite services is realized. The basic elements, relations, constraint rules and basic operations are formally defined in the model. The access control policy description method of the model is put forward. The characteristics and safety analysis show that the CWS-ABAC model has good flexibility and scalability. The model can also meet the security principles of least privilege and separation of duty.

2. In order to accurately express the access control policy composition relation among the component services of composite services in the CWS-ABAC model, the composite Web services access control policy composition algebra is proposed. The policy composition algebra can express not only the policy composition relation of three-valued policies, whose evaluation results are Permit, Deny and NotApplicable, but also the policy composition relation of four-valued policies, which have the additional Indeterminate evaluation result. The functional semantics of the policy composition operators are researched in depth and precisely defined by policy composition matrices. The completeness of the policy composition algebra is proved by mathematical induction, indicating that this policy composition algebra has the strongest expressiveness for expressing policy composition relations. Finally, the method that uses the policy composition algebra to express the composite services access control policy composition relation according to the services composition relation is put forward.

3. The multi-terminal binary decision diagram based composite services access control policy generation methodology is proposed, aiming at solving the tough problem of generating a composite policy from the access control policy composition relation. Firstly, the methodology abstracts an attribute-based four-valued access control policy into a pseudo-Boolean function and uses a multi-terminal binary decision diagram to express the pseudo-Boolean function. Secondly, the access control policy multi-terminal binary decision diagram composition algorithm is proposed according to the functional semantics of the policy composition operators and the principle of multi-terminal binary decision diagram composition, so the composition of access control policy multi-terminal binary decision diagrams is implemented. Finally, the method of transforming the composite access control policy multi-terminal binary decision diagram into an actual access control policy is proposed, so the composite access control policy is generated. The example analysis shows that this methodology can effectively realize composite services access control policy composition.

4. Based on the preceding research results, an access control policy implementation framework suited to the CWS-ABAC model is designed. This framework consists of key modules such as the attribute management system, the message security processing system, the policy composition engine and the access control system, and it can support both real-time and non-real-time work modes. In order to protect inter-domain access control information interaction, an inter-domain authentication protocol is proposed, combining the ideas of the DH key exchange protocol and the public-key challenge-response protocol. The protocol security analysis is conducted with SVO logic, and the analysis result indicates that the protocol achieves the expected security goals.
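As an added illustration of contribution 2 (this is not the dissertation's own code), the following Python sketch shows four-valued policy composition where each operator's semantics is given by a 4x4 composition matrix and a composite service's decision is folded from its component services' attribute-based decisions. The two operators (permit-overrides, deny-overrides), their matrices and the two component policies are assumptions modelled on common combining rules, not the thesis's definitions.

```python
from itertools import product
# Four-valued policy results as used in the abstract.
PERMIT, DENY, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"
VALUES = (PERMIT, DENY, NA, IND)

# Assumed operator semantics (modelled on common combining rules, not the thesis's
# own definitions): Indeterminate propagates unless an overriding result is present.
def _permit_overrides(a, b):
    if PERMIT in (a, b):
        return PERMIT
    if IND in (a, b):
        return IND
    return DENY if DENY in (a, b) else NA

def _deny_overrides(a, b):
    if DENY in (a, b):
        return DENY
    if IND in (a, b):
        return IND
    return PERMIT if PERMIT in (a, b) else NA

def composition_matrix(op):
    """Tabulate an operator over all 4x4 result pairs: the policy composition
    matrix through which the abstract defines an operator's functional semantics."""
    return {(a, b): op(a, b) for a, b in product(VALUES, VALUES)}

MATRICES = {"permit_overrides": composition_matrix(_permit_overrides),
            "deny_overrides": composition_matrix(_deny_overrides)}

def compose(op_name, *results):
    """Fold the component-service results left to right through the matrix."""
    matrix = MATRICES[op_name]
    acc = results[0]
    for r in results[1:]:
        acc = matrix[(acc, r)]
    return acc

# Constructed attribute-based component policies for a two-service composition.
def storage_policy(attrs):
    if "clearance" not in attrs:  # required attribute missing: evaluation error
        return IND
    return PERMIT if attrs["clearance"] >= 2 else DENY

def search_policy(attrs):
    if attrs.get("role") != "analyst":  # policy target does not match
        return NA
    return PERMIT if attrs.get("domain") == "intel" else DENY

def evaluate_composite(attrs, op_name="deny_overrides"):
    """Composite-service decision = composition of its component decisions."""
    return compose(op_name, storage_policy(attrs), search_policy(attrs))
```

Note how a missing attribute yields Indeterminate in one component and, under deny-overrides, keeps the composite decision Indeterminate rather than silently permitting; the same matrices restricted to the first three values give the three-valued algebra.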
Keywords/Search Tags: SOA, Web services, composite services, access control, attribute, policy composition algebra, multi-terminal binary decision diagram