Security Policy Composition for Composite Web Services
October-December 2011 (vol. 4 no. 4)
pp. 314-327
Fumiko Satoh, IBM Research - Tokyo, Japan
Takehiro Tokuda, Tokyo Institute of Technology, Meguro
An application based on the Service-Oriented Architecture (SOA) consists of an assembly of services, which is referred to as a composite service. A composite service can be implemented from other composite services, and hence the application can have a recursive structure. Securing an SOA application is an important nonfunctional requirement. However, specifying a security policy for a composite service is not easy because the policy should be consistent with the policies of the external services invoked in the composite process. Therefore, this paper proposes a security policy composition mechanism that uses the existing policies of the external services. Our contribution is defining process-independent policy composition rules and providing a method for semiautomatically creating a security policy for the composite service. Our method supports two approaches to policy composition: top-down and bottom-up. Our study makes it possible to verify the consistency of the policies without increasing a developer's workload, even if the composite service has a recursive structure.

Index Terms:
Composite web services, quality of service.
Fumiko Satoh, Takehiro Tokuda, "Security Policy Composition for Composite Web Services," IEEE Transactions on Services Computing, vol. 4, no. 4, pp. 314-327, Oct.-Dec. 2011, doi:10.1109/TSC.2010.40