Issue No.02 - April-June (2011 vol.4)
Sabrina De Capitani di Vimercati , Università degli Studi di Milano, Crema
Stefano Paraboschi , Università degli Studi di Bergamo, Dalmine
Eros Pedrini , Università degli Studi di Milano, Crema
Pierangela Samarati , Università degli Studi di Milano, Crema
Claudio A. Ardagna , Università degli Studi di Milano, Crema
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TSC.2010.29
Traditional access control solutions, based on preliminary identification and authentication of the access requester, are not adequate for the context of open web service systems, where servers generally do not have prior knowledge of the requesters. The research community has acknowledged such a paradigm shift and several investigations have been carried out for new approaches to regulate access control in open dynamic settings. Typically based on logic, such approaches, while appealing for their expressiveness, result not applicable in practice, where simplicity, efficiency, and consistency with consolidated technology are crucial. The eXtensible Access Control Markup Language (XACML) has established itself as the emerging technological solution for controlling access in an interoperable and flexible way. Although supporting the most common policy representation mechanisms and having acquired a significant spread in the research community and the industry, XACML still suffers from some limitations which impact its ability to support actual requirements of open web-based systems. In this paper, we provide a simple and effective formalization of novel concepts that have to be supported for enforcing the new access control paradigm needed in open scenarios, toward the aim of providing an expressive solution actually deployable with today's technology. We illustrate how the concepts of our model can be deployed in the XACML standard by exploiting its extension points for the definition of new functions, and introducing a dialog management framework to enable access control interactions between web service clients and servers.
Deployable access control, web services, credentials, security policy communication, XACML.
Sabrina De Capitani di Vimercati, Stefano Paraboschi, Eros Pedrini, Pierangela Samarati, Claudio A. Ardagna, "Expressive and Deployable Access Control in Open Web Service Applications", IEEE Transactions on Services Computing, vol.4, no. 2, pp. 96-109, April-June 2011, doi:10.1109/TSC.2010.29