A Trust-Based Context-Aware Access Control Model for Web-Services

Published in: Distributed and Parallel Databases

Abstract

A key challenge in Web services security is the design of access control schemes that adequately meet the security requirements peculiar to the Web services paradigm. Despite recent advances in Web-based access control approaches applicable to Web services, several issues still impede the development of effective access control models for the Web services environment. Among them are the lack of context-aware access control models and the reliance on identity- or capability-based schemes. In addition, the service-level access control features that Web services technology requires are not captured by existing schemes. In this paper we motivate the design of an access control scheme that addresses these issues and propose an extended, trust-enhanced version of our XML-based Role Based Access Control (X-RBAC) framework that incorporates both trust and context into access control decisions. We outline the configuration mechanism needed to apply the model to the Web services environment and give a service access control specification. The paper presents an example service access policy composed with the framework and describes the implementation architecture of the system.
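To make the abstract's idea concrete, the following Python is an added illustration, not the paper's own code and not the X-RBAC specification: an XML service access policy in which each role carries a minimum trust level and context constraints (client network, time window), and a request is permitted only if some role that activates under the requester's trust level and current context grants the requested service operation. The element names, attribute names, trust thresholds, CIDR ranges and the sample requests are all constructed assumptions.

```python
from __future__ import annotations

import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample policy for illustration only. The element names, trust
# thresholds and context attributes are assumptions, not the X-RBAC schema.
POLICY_XML = """
<Policy>
  <Role name="Guest">
    <Trust min="0.0"/>
    <Permission service="Catalog" operation="browse"/>
  </Role>
  <Role name="Customer">
    <Trust min="0.5"/>
    <Context>
      <Network cidr="10.0.0.0/8"/>
      <Network cidr="203.0.113.0/24"/>
    </Context>
    <Permission service="Catalog" operation="browse"/>
    <Permission service="Orders" operation="place"/>
  </Role>
  <Role name="Auditor">
    <Trust min="0.9"/>
    <Context>
      <TimeWindow start="8" end="18"/>
      <Network cidr="10.0.0.0/8"/>
    </Context>
    <Permission service="Orders" operation="export"/>
  </Role>
</Policy>
"""


@dataclass
class Role:
    name: str
    min_trust: float                                # requester's trust level must reach this
    networks: list = field(default_factory=list)    # allowed client networks (empty = any)
    window: Optional[tuple] = None                  # (start_hour, end_hour), half-open; None = any time
    permissions: set = field(default_factory=set)   # {(service, operation)}


@dataclass
class Request:
    subject: str
    trust: float        # trust level already computed for the requester, 0.0-1.0
    hour: int           # local hour at the time of the request, 0-23
    client_ip: str
    service: str
    operation: str


def load_policy(xml_text: str) -> list[Role]:
    """Parse the XML policy into Role objects. A Role without a Trust element
    gets a threshold of 1.0 so that a malformed policy fails closed."""
    roles = []
    for elem in ET.fromstring(xml_text).findall("Role"):
        trust = elem.find("Trust")
        role = Role(name=elem.get("name"),
                    min_trust=float(trust.get("min")) if trust is not None else 1.0)
        ctx = elem.find("Context")
        if ctx is not None:
            role.networks = [ipaddress.ip_network(n.get("cidr")) for n in ctx.findall("Network")]
            tw = ctx.find("TimeWindow")
            if tw is not None:
                role.window = (int(tw.get("start")), int(tw.get("end")))
        role.permissions = {(p.get("service"), p.get("operation"))
                            for p in elem.findall("Permission")}
        roles.append(role)
    return roles


def role_is_active(role: Role, req: Request) -> bool:
    """A role activates only when the trust threshold and every context
    constraint attached to it are satisfied by the current request."""
    if req.trust < role.min_trust:
        return False
    if role.window is not None and not (role.window[0] <= req.hour < role.window[1]):
        return False
    if role.networks:
        ip = ipaddress.ip_address(req.client_ip)
        if not any(ip in net for net in role.networks):
            return False
    return True


def evaluate(roles: list[Role], req: Request) -> tuple[bool, str]:
    """Default-deny: permit only if some active role grants the operation."""
    active = [r for r in roles if role_is_active(r, req)]
    for role in active:
        if (req.service, req.operation) in role.permissions:
            return True, f"permit: role {role.name} grants {req.service}.{req.operation}"
    names = ", ".join(r.name for r in active) or "none"
    return False, f"deny: active roles [{names}] do not grant {req.service}.{req.operation}"


if __name__ == "__main__":
    policy = load_policy(POLICY_XML)
    for req in (Request("alice", 0.95, 10, "10.1.2.3", "Orders", "export"),
                Request("alice", 0.95, 22, "10.1.2.3", "Orders", "export"),
                Request("bob", 0.6, 22, "198.51.100.9", "Orders", "place")):
        print(req.subject, evaluate(policy, req)[1])
```

Two points worth noting when reading the example. The trust level is an input to the decision, not something the evaluator derives; in a deployment it would come from whatever trust computation the surrounding system performs, and the policy only thresholds it. Likewise the context values (here the client address and the hour) must be taken from sources the enforcement point itself controls: a client address read from a forwarded header, for instance, is attacker-chosen unless the proxy chain sanitises it, and a context-aware policy is only as strong as the context it is fed.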




Corresponding author

Correspondence to Rafae Bhatti.

Additional information

This is an extended version of a paper presented at the 3rd International Conference on Web Services (ICWS), San Diego, 6–9 July 2004.

Recommended by: Athman Bouguettaya and Boualem Benatallah

Cite this article

Bhatti, R., Bertino, E. & Ghafoor, A. A Trust-Based Context-Aware Access Control Model for Web-Services. Distrib Parallel Databases 18, 83–105 (2005). https://doi.org/10.1007/s10619-005-1075-7
