Web services over the Internet are widely used nowadays. Controlling access in Web services environment is crucial and a significant challenge because this environment is more dynamic and heterogeneous. Compared with the existing models, attribute-based access control is more appropriate for Web services, but it do not fully exploit the semantic power and reasoning capabilities of emerging web applications. To address these issues, a semantic and attribute-based access control framework (S_ABAC) is presented by combining the attribute-based access control with semantic-based access control in this paper. By extending the eXtensible Access Control Markup Language architecture and representing semantically the resources and users attributes with ontology, S_ABAC can realize semantic and attribute-based access control, and can also provide administratively scalable alternative and semantic interoperability. In the prototype implementation, S_ABAC uses Shibboleth service to address the disclosure issue of the sensitive attributes and also separates ontology management from access management.