By Topic

A Policy-Based Authorization Framework for Web Services: Integrating XGTRBAC and WS-Policy

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

4 Author(s)

Authorization and access control in Web services is complicated by the unique requirements of the dynamic Web services paradigm. Current authentication mechanisms for Web services do not differentiate between users in terms of fine-grained access privileges. This results in an all-or-nothing access which is not flexible enough for modern day business processes using Web services to execute. In this paper, we present a policy-based authorization framework to address this requirement. We have designed a profile of the well-known WS-policy specification tailored to meet the access control requirements in Web services by integrating WS-policy with an access control policy specification language, X-GTRBAC. The design of the profile is aimed at bridging the gap between available policy standards for Web services and existing policy specification languages for access control. The profile supports the WS-policy attachment specification, which allows separate policies to be associated with multiple components of a Web service description, and one of our key contributions is the design of an algorithm to compute the effective policy for the Web service given the multiple policy attachments. To allow Web service applications to use our solution, we have adopted a component-based design approach based on well-known UML notations. We have also prototyped our architecture, and implemented it as a loosely coupled Web service providing healthcare information services to physicians subject to applicable authorization policies.

Published in:

Web Services, 2007. ICWS 2007. IEEE International Conference on

Date of Conference:

9-13 July 2007