Expressive and Deployable Access Control in Open Web Service Applications

Claudio A. Ardagna; Eros Pedrini; Pierangela Samarati; Sabrina De Capitani di Vimercati; Stefano Paraboschi; Mario Verdicchio

doi:10.1109/TSC.2010.29

Publication
2011
Issue No. 2 - April-June
Abstract - Expressive and Deployable Access Control in Open Web Service Applications

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Claudio A. Ardagna Articles by Sabrina De Capitani di Vimercati Articles by Stefano Paraboschi Articles by Eros Pedrini Articles by Pierangela Samarati Articles by Mario Verdicchio

Expressive and Deployable Access Control in Open Web Service Applications

April-June 2011 (vol. 4 no. 2)

pp. 96-109

	ASCII Text	x
	Claudio A. Ardagna, Sabrina De Capitani di Vimercati, Stefano Paraboschi, Eros Pedrini, Pierangela Samarati, Mario Verdicchio, "Expressive and Deployable Access Control in Open Web Service Applications," IEEE Transactions on Services Computing, vol. 4, no. 2, pp. 96-109, April-June, 2011.

	BibTex	x
	@article{ 10.1109/TSC.2010.29, author = {Claudio A. Ardagna and Sabrina De Capitani di Vimercati and Stefano Paraboschi and Eros Pedrini and Pierangela Samarati and Mario Verdicchio}, title = {Expressive and Deployable Access Control in Open Web Service Applications}, journal ={IEEE Transactions on Services Computing}, volume = {4}, number = {2}, issn = {1939-1374}, year = {2011}, pages = {96-109}, doi = {http://doi.ieeecomputersociety.org/10.1109/TSC.2010.29}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - JOUR JO - IEEE Transactions on Services Computing TI - Expressive and Deployable Access Control in Open Web Service Applications IS - 2 SN - 1939-1374 SP96 EP109 EPD - 96-109 A1 - Claudio A. Ardagna, A1 - Sabrina De Capitani di Vimercati, A1 - Stefano Paraboschi, A1 - Eros Pedrini, A1 - Pierangela Samarati, A1 - Mario Verdicchio, PY - 2011 KW - Deployable access control KW - web services KW - credentials KW - security policy communication KW - XACML. VL - 4 JA - IEEE Transactions on Services Computing ER -

Claudio A. Ardagna, Università degli Studi di Milano, Crema

Sabrina De Capitani di Vimercati, Università degli Studi di Milano, Crema

Stefano Paraboschi, Università degli Studi di Bergamo, Dalmine

Eros Pedrini, Università degli Studi di Milano, Crema

Pierangela Samarati, Università degli Studi di Milano, Crema

Mario Verdicchio, Università degli Studi di Bergamo, Dalmine

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TSC.2010.29

Traditional access control solutions, based on preliminary identification and authentication of the access requester, are not adequate for the context of open web service systems, where servers generally do not have prior knowledge of the requesters. The research community has acknowledged such a paradigm shift and several investigations have been carried out for new approaches to regulate access control in open dynamic settings. Typically based on logic, such approaches, while appealing for their expressiveness, result not applicable in practice, where simplicity, efficiency, and consistency with consolidated technology are crucial. The eXtensible Access Control Markup Language (XACML) has established itself as the emerging technological solution for controlling access in an interoperable and flexible way. Although supporting the most common policy representation mechanisms and having acquired a significant spread in the research community and the industry, XACML still suffers from some limitations which impact its ability to support actual requirements of open web-based systems. In this paper, we provide a simple and effective formalization of novel concepts that have to be supported for enforcing the new access control paradigm needed in open scenarios, toward the aim of providing an expressive solution actually deployable with today's technology. We illustrate how the concepts of our model can be deployed in the XACML standard by exploiting its extension points for the definition of new functions, and introducing a dialog management framework to enable access control interactions between web service clients and servers.

[1] T. Moses, eXtensible Access Control Markup Language (XACML) Version 2.0, OASIS, 2005.
[2] A. Anderson and H. Lockhart, SAML 2.0 Profile of XACML, OASIS, Sept. 2004.
[3] C. Ardagna, J. Camenisch, M. Kohlweiss, R. Leenes, G. Neven, B. Priem, P. Samarati, D. Sommer, and M. Verdicchio, "Exploiting Cryptography for Privacy-Enhanced Access Control: A Result of the Prime Project," J. Computer Security, vol. 18, no. 1, pp. 123-160, 2010.
[4] J. Camenisch and A. Lysyanskaya, "An Efficient System for Non-Transferable Anonymous Credentials with Optional Anonymity Revocation," Proc. Int'l Conf. the Theory and Application of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '01), May 2001.
[5] S. Boag et al., XQuery 1.0: An XML Query Language, World Wide Web Consortium (W3C) recommendation, 2007.
[6] P. Bonatti and P. Samarati, "A Unified Framework for Regulating Access and Information Release on the Web," J. Computer Security, vol. 10, no. 3, pp. 241-272, 2002.
[7] K. Irwin and T. Yu, "Preventing Attribute Information Leakage in Automated Trust Negotiation," Proc. ACM Conf. Computer and Comm. Security (CCS '05), Nov. 2005.
[8] S. Jajodia, P. Samarati, M. Sapino, and V. Subrahmanian, "Flexible Support for Multiple Access Control Policies," ACM Trans. Database Systems, vol. 26, no. 2, pp. 214-260, June 2001.
[9] M. Winslett, N. Ching, V. Jones, and I. Slepchin, "Assuring Security and Privacy for Digital Library Transactions on the Web: Client and Server Security Policies," Proc. IEEE Int'l Forum on Research and Technology Advances in Digital Libraries (ADL '97), May 1997.
[10] T. Yu, M. Winslett, and K. Seamons, "Supporting Structured Credentials and Sensitive Policies Through Interoperable Strategies for Automated Trust," ACM Trans. Information and System Security, vol. 6, no. 1, pp. 1-42, Feb. 2003.
[11] P. Bonatti and D. Olmedilla, "Driving and Monitoring Provisional Trust Negotiation with Metapolicies," Proc. IEEE Int'l Workshop Policies for Distributed Systems and Networks (POLICY '05), June 2005.
[12] K. Seamons, M. Winslett, and T. Yu, "Limiting the Disclosure of Access Control Policies during Automated Trust Negotiation," Proc. Network and Distributed System Security Symp. (NDSS '01), Apr. 2001.
[13] C. Ardagna, M. Cremonini, S. De Capitani di Vimercati, and P. Samarati, "A Privacy-Aware Access Control System," J. Computer Security, vol. 16, no. 4, pp. 369-392, 2008.
[14] V. Cheng, P. Hung, and D. Chiu, "Enabling Web Services Policy Negotiation with Privacy Preserved Using XACML," Proc. Ann. Hawaii Int'l Conf. System Sciences (HICSS '07), Jan. 2007.
[15] D. Haidar, N. Cuppens, F. Cuppens, and H. Debar, "XeNA: An Access Negotiation Framework Using XACML," Annals of Telecomm., vol. 64, nos. 1/2, pp. 155-169, Jan. 2009.
[16] U. Mbanaso, G. Cooper, D. Chadwick, and S. Proctor, "Privacy Preserving Trust Authorization Framework Using XACML," Proc. Int'l Symp. World of Wireless, Mobile and Multimedia Networks (WOWMOM '06), June 2006.
[17] D. Chadwick, S. Otenko, and T. Nguyen, "Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains," Proc. Comm. and Multimedia Security (CMS '06), Oct. 2006.
[18] O.X.T. Committee, Web Services Profile of XACML (WS-XACML) Version 1.0, OASIS, 2006.
[19] O.W.T. Committee, Web Services Security: SOAP Message Security 1.1 (WS-Security '04), OASIS, 2006.
[20] P. Ashley, S. Hada, G. Karjoth, C. Powers, and M. Schunter, "Enterprise Privacy Authorization Language (EPAL)," Research Report RZ 3485, IBM Research, Mar. 2003.
[21] A. Anderson, A Comparison of Two Privacy Policy Languages: EPAL and XACML, Sun Microsystems, 2005.
[22] A. Singhal, T. Winograd, and K. Scarfone, Guide to Secure Web Services. Recommendations of the Nat'l Inst. of Standards and Technology, Nat'l Inst. of Standards and Technology, Special Publication, pp. 800-95, 2007.
[23] E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati, "Controlling Access to XML Documents," IEEE Internet Computing, vol. 5, no. 6, pp. 18-28, Nov./Dec. 2001.
[24] E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati, "A Fine-Grained Access Control System for XML Documents," ACM Trans. Information and System Security, vol. 5, no. 2, pp. 169-202, May 2002.
[25] C. Farkas and M. Huhns, "Securing Enterprise Applications: Service-oriented Security (SOS)," Proc. IEEE Conf. E-Commerce Technology and IEEE Conf. Enterprise Computing, E-Commerce and E-Services (CEC/EEE '08), July 2008.
[26] C. Gutierrez, E. Fernandez-Medina, and M. Piattini, "A Survey of Web Services Security," Proc. Int'l Conf. Computational Science and Its Applications (ICCSA '04), May 2004.
[27] P. Belsis, S. Gritzalis, C. Skourlas, and V. Tsoukalas, "Design and Implementation of Distributed Access Control Infrastructures for Federations of Autonomous Domains," Proc. Int'l Conf. Trust, Privacy and Security in Digital Business (TrustBus '07), Sept. 2007.
[28] M. Murata, A. Tozawa, M. Kudo, and S. Hada, "XML Access Control Using Static Analysis," ACM Trans. Information and System Security, vol. 9, no. 3, pp. 292-324, Aug. 2006.

Index Terms:

Deployable access control, web services, credentials, security policy communication, XACML.

Citation:

Claudio A. Ardagna, Sabrina De Capitani di Vimercati, Stefano Paraboschi, Eros Pedrini, Pierangela Samarati, Mario Verdicchio, "Expressive and Deployable Access Control in Open Web Service Applications," IEEE Transactions on Services Computing, vol. 4, no. 2, pp. 96-109, April-June 2011, doi:10.1109/TSC.2010.29

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.