Issue No.04 - October-December (2011 vol.4)
pp: 314-327
Fumiko Satoh , IBM Research - Tokyo, Japan
Takehiro Tokuda , Tokyo Institute of Technology, Meguro
ABSTRACT
An application based on the Service-Oriented Architecture (SOA) consists of an assembly of services, referred to as a composite service. A composite service can itself be built from other composite services, so an application may have a recursive structure. Securing an SOA application is an important nonfunctional requirement. However, specifying a security policy for a composite service is not easy, because the policy must be consistent with the policies of the external services invoked in the composite process. This paper therefore proposes a security policy composition mechanism that reuses the existing policies of the external services. Our contribution is the definition of process-independent policy composition rules and a method for semiautomatically creating the security policy of a composite service. The method supports two approaches to policy composition: top-down and bottom-up. Our study makes it possible to verify the consistency of the policies without increasing the developer's workload, even when the composite service has a recursive structure.
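The following Python sketch is an added illustration of the consistency problem and the two composition directions the abstract describes; it is written for this page and is not the authors' implementation, nor are its composition rules the paper's rules. It assumes a deliberately reduced policy model (transport protection, parts to sign, parts to encrypt, accepted token types), a consistency relation in which a composite's declared policy must cover every requirement of the services it invokes, and constructed service names loosely modelled on a supply-chain scenario.

```python
"""Toy model of security-policy composition for a composite service.

Added illustration of the problem the abstract describes; the policy model
and the composition rules here are simplifications, not the paper's own rules.
A policy is reduced to four WS-SecurityPolicy-like dimensions:
  transport : channel protection, ordered "none" < "tls"
  sign      : message parts that must be signed
  encrypt   : message parts that must be encrypted
  tokens    : token types the service accepts (the caller must use one of them)
A service is atomic (carries its own policy) or composite (invokes children,
possibly other composites, and may declare a policy of its own).
"""
from dataclasses import dataclass, field
from typing import List, Optional

TRANSPORT_RANK = {"none": 0, "tls": 1}
ALL_TOKENS = frozenset({"UsernameToken", "X509", "SAML"})


@dataclass(frozen=True)
class Policy:
    transport: str = "none"
    sign: frozenset = frozenset()
    encrypt: frozenset = frozenset()
    tokens: frozenset = ALL_TOKENS

    def violations(self, required: "Policy") -> List[str]:
        """Ways in which a caller honouring `self` would fall short of `required`."""
        out = []
        if TRANSPORT_RANK[self.transport] < TRANSPORT_RANK[required.transport]:
            out.append(f"transport {self.transport!r} weaker than {required.transport!r}")
        unsigned = required.sign - self.sign
        if unsigned:
            out.append(f"unsigned parts {sorted(unsigned)}")
        unencrypted = required.encrypt - self.encrypt
        if unencrypted:
            out.append(f"unencrypted parts {sorted(unencrypted)}")
        if not self.tokens or not self.tokens <= required.tokens:
            out.append(f"tokens {sorted(self.tokens)} not all accepted by {sorted(required.tokens)}")
        return out


class PolicyConflict(Exception):
    """Invoked services' policies cannot be reconciled; a developer must decide."""


def join(a: Policy, b: Policy) -> Policy:
    """Weakest policy that satisfies both a and b: one bottom-up composition step."""
    tokens = a.tokens & b.tokens
    if not tokens:  # e.g. one service accepts only UsernameToken, the other only X509
        raise PolicyConflict(f"no token type accepted by both: {sorted(a.tokens)} / {sorted(b.tokens)}")
    stronger = max(a.transport, b.transport, key=TRANSPORT_RANK.__getitem__)
    return Policy(stronger, a.sign | b.sign, a.encrypt | b.encrypt, tokens)


@dataclass
class Service:
    name: str
    policy: Optional[Policy] = None            # declared policy; mandatory for atomic services
    invokes: List["Service"] = field(default_factory=list)


def bottom_up(svc: Service) -> Policy:
    """Policy a service must impose on its callers, derived from what it invokes (recursive)."""
    if not svc.invokes:
        if svc.policy is None:
            raise ValueError(f"atomic service {svc.name} has no policy")
        return svc.policy
    derived = effective(svc.invokes[0])
    for child in svc.invokes[1:]:
        derived = join(derived, effective(child))
    return derived


def effective(svc: Service) -> Policy:
    """A nested composite exposes its declared policy if it has one, else the derived one."""
    return svc.policy if svc.policy is not None else bottom_up(svc)


def top_down(svc: Service) -> List[str]:
    """Check every declared composite policy in the tree against its invoked services."""
    problems = []
    if svc.invokes and svc.policy is not None:
        problems += [f"{svc.name}: {v}" for v in svc.policy.violations(bottom_up(svc))]
    for child in svc.invokes:
        problems.extend(top_down(child))
    return problems


# Constructed sample services (hypothetical names, not taken from the paper).
warehouse_a = Service("WarehouseA", Policy("tls", frozenset({"Body"}), tokens=frozenset({"X509"})))
warehouse_b = Service("WarehouseB", Policy("none", frozenset({"Body"}), tokens=frozenset({"X509", "SAML"})))
shipping = Service("Shipping", Policy("none", frozenset({"Body", "Timestamp"}),
                                      frozenset({"CreditCard"}), frozenset({"X509", "SAML"})))
inventory = Service("Inventory", invokes=[warehouse_a, warehouse_b])      # composite, no declared policy
retailer = Service("Retailer",
                   Policy("tls", frozenset({"Body"}), frozenset({"CreditCard"}), frozenset({"X509"})),
                   invokes=[inventory, shipping])                          # composite of a composite

if __name__ == "__main__":
    print("bottom-up policy for Retailer:", bottom_up(retailer))
    print("top-down inconsistencies:", top_down(retailer))
```

In the sample, bottom-up composition derives that Retailer must require TLS, signed Body and Timestamp, an encrypted CreditCard part, and X509 tokens; the top-down check then reports that Retailer's declared policy leaves Timestamp unsigned. A token-type conflict between invoked services raises `PolicyConflict` rather than silently picking one, which is the point at which a semiautomatic approach hands the decision back to the developer.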
INDEX TERMS
Composite web services, quality of service.
CITATION
Fumiko Satoh, Takehiro Tokuda, "Security Policy Composition for Composite Web Services", IEEE Transactions on Services Computing, vol.4, no. 4, pp. 314-327, October-December 2011, doi:10.1109/TSC.2010.40