The Community for Technology Leaders
RSS Icon
Issue No.02 - April-June (2011 vol.4)
pp: 96-109
Sabrina De Capitani di Vimercati , Università degli Studi di Milano, Crema
Stefano Paraboschi , Università degli Studi di Bergamo, Dalmine
Eros Pedrini , Università degli Studi di Milano, Crema
Pierangela Samarati , Università degli Studi di Milano, Crema
Claudio A. Ardagna , Università degli Studi di Milano, Crema
Traditional access control solutions, based on preliminary identification and authentication of the access requester, are not adequate for the context of open web service systems, where servers generally do not have prior knowledge of the requesters. The research community has acknowledged such a paradigm shift and several investigations have been carried out for new approaches to regulate access control in open dynamic settings. Typically based on logic, such approaches, while appealing for their expressiveness, result not applicable in practice, where simplicity, efficiency, and consistency with consolidated technology are crucial. The eXtensible Access Control Markup Language (XACML) has established itself as the emerging technological solution for controlling access in an interoperable and flexible way. Although supporting the most common policy representation mechanisms and having acquired a significant spread in the research community and the industry, XACML still suffers from some limitations which impact its ability to support actual requirements of open web-based systems. In this paper, we provide a simple and effective formalization of novel concepts that have to be supported for enforcing the new access control paradigm needed in open scenarios, toward the aim of providing an expressive solution actually deployable with today's technology. We illustrate how the concepts of our model can be deployed in the XACML standard by exploiting its extension points for the definition of new functions, and introducing a dialog management framework to enable access control interactions between web service clients and servers.
Deployable access control, web services, credentials, security policy communication, XACML.
Sabrina De Capitani di Vimercati, Stefano Paraboschi, Eros Pedrini, Pierangela Samarati, Claudio A. Ardagna, "Expressive and Deployable Access Control in Open Web Service Applications", IEEE Transactions on Services Computing, vol.4, no. 2, pp. 96-109, April-June 2011, doi:10.1109/TSC.2010.29
[1] T. Moses, eXtensible Access Control Markup Language (XACML) Version 2.0, OASIS, 2005.
[2] A. Anderson and H. Lockhart, SAML 2.0 Profile of XACML, OASIS, Sept. 2004.
[3] C. Ardagna, J. Camenisch, M. Kohlweiss, R. Leenes, G. Neven, B. Priem, P. Samarati, D. Sommer, and M. Verdicchio, "Exploiting Cryptography for Privacy-Enhanced Access Control: A Result of the Prime Project," J. Computer Security, vol. 18, no. 1, pp. 123-160, 2010.
[4] J. Camenisch and A. Lysyanskaya, "An Efficient System for Non-Transferable Anonymous Credentials with Optional Anonymity Revocation," Proc. Int'l Conf. the Theory and Application of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '01), May 2001.
[5] S. Boag et al., XQuery 1.0: An XML Query Language, World Wide Web Consortium (W3C) recommendation, 2007.
[6] P. Bonatti and P. Samarati, "A Unified Framework for Regulating Access and Information Release on the Web," J. Computer Security, vol. 10, no. 3, pp. 241-272, 2002.
[7] K. Irwin and T. Yu, "Preventing Attribute Information Leakage in Automated Trust Negotiation," Proc. ACM Conf. Computer and Comm. Security (CCS '05), Nov. 2005.
[8] S. Jajodia, P. Samarati, M. Sapino, and V. Subrahmanian, "Flexible Support for Multiple Access Control Policies," ACM Trans. Database Systems, vol. 26, no. 2, pp. 214-260, June 2001.
[9] M. Winslett, N. Ching, V. Jones, and I. Slepchin, "Assuring Security and Privacy for Digital Library Transactions on the Web: Client and Server Security Policies," Proc. IEEE Int'l Forum on Research and Technology Advances in Digital Libraries (ADL '97), May 1997.
[10] T. Yu, M. Winslett, and K. Seamons, "Supporting Structured Credentials and Sensitive Policies Through Interoperable Strategies for Automated Trust," ACM Trans. Information and System Security, vol. 6, no. 1, pp. 1-42, Feb. 2003.
[11] P. Bonatti and D. Olmedilla, "Driving and Monitoring Provisional Trust Negotiation with Metapolicies," Proc. IEEE Int'l Workshop Policies for Distributed Systems and Networks (POLICY '05), June 2005.
[12] K. Seamons, M. Winslett, and T. Yu, "Limiting the Disclosure of Access Control Policies during Automated Trust Negotiation," Proc. Network and Distributed System Security Symp. (NDSS '01), Apr. 2001.
[13] C. Ardagna, M. Cremonini, S. De Capitani di Vimercati, and P. Samarati, "A Privacy-Aware Access Control System," J. Computer Security, vol. 16, no. 4, pp. 369-392, 2008.
[14] V. Cheng, P. Hung, and D. Chiu, "Enabling Web Services Policy Negotiation with Privacy Preserved Using XACML," Proc. Ann. Hawaii Int'l Conf. System Sciences (HICSS '07), Jan. 2007.
[15] D. Haidar, N. Cuppens, F. Cuppens, and H. Debar, "XeNA: An Access Negotiation Framework Using XACML," Annals of Telecomm., vol. 64, nos. 1/2, pp. 155-169, Jan. 2009.
[16] U. Mbanaso, G. Cooper, D. Chadwick, and S. Proctor, "Privacy Preserving Trust Authorization Framework Using XACML," Proc. Int'l Symp. World of Wireless, Mobile and Multimedia Networks (WOWMOM '06), June 2006.
[17] D. Chadwick, S. Otenko, and T. Nguyen, "Adding Support to XACML for Dynamic Delegation of Authority in Multiple Domains," Proc. Comm. and Multimedia Security (CMS '06), Oct. 2006.
[18] O.X.T. Committee, Web Services Profile of XACML (WS-XACML) Version 1.0, OASIS, 2006.
[19] O.W.T. Committee, Web Services Security: SOAP Message Security 1.1 (WS-Security '04), OASIS, 2006.
[20] P. Ashley, S. Hada, G. Karjoth, C. Powers, and M. Schunter, "Enterprise Privacy Authorization Language (EPAL)," Research Report RZ 3485, IBM Research, Mar. 2003.
[21] A. Anderson, A Comparison of Two Privacy Policy Languages: EPAL and XACML, Sun Microsystems, 2005.
[22] A. Singhal, T. Winograd, and K. Scarfone, Guide to Secure Web Services. Recommendations of the Nat'l Inst. of Standards and Technology, Nat'l Inst. of Standards and Technology, Special Publication, pp. 800-95, 2007.
[23] E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati, "Controlling Access to XML Documents," IEEE Internet Computing, vol. 5, no. 6, pp. 18-28, Nov./Dec. 2001.
[24] E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati, "A Fine-Grained Access Control System for XML Documents," ACM Trans. Information and System Security, vol. 5, no. 2, pp. 169-202, May 2002.
[25] C. Farkas and M. Huhns, "Securing Enterprise Applications: Service-oriented Security (SOS)," Proc. IEEE Conf. E-Commerce Technology and IEEE Conf. Enterprise Computing, E-Commerce and E-Services (CEC/EEE '08), July 2008.
[26] C. Gutierrez, E. Fernandez-Medina, and M. Piattini, "A Survey of Web Services Security," Proc. Int'l Conf. Computational Science and Its Applications (ICCSA '04), May 2004.
[27] P. Belsis, S. Gritzalis, C. Skourlas, and V. Tsoukalas, "Design and Implementation of Distributed Access Control Infrastructures for Federations of Autonomous Domains," Proc. Int'l Conf. Trust, Privacy and Security in Digital Business (TrustBus '07), Sept. 2007.
[28] M. Murata, A. Tozawa, M. Kudo, and S. Hada, "XML Access Control Using Static Analysis," ACM Trans. Information and System Security, vol. 9, no. 3, pp. 292-324, Aug. 2006.
39 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool