A Policy-Based Authorization Framework for Web Services: Integrating X-GTRBAC and WS-Policy

Abstract

This chapter describes a policy-based authorization framework to apply fine-grained access control on Web services. The framework is designed as a profile of the well-known WS-Policy specification tailored to meet the access control requirements in Web services by integrating WS-Policy with an access control policy specification language, X-GTRBAC. The profile is aimed at bridging the gap between available policy standards for Web services and existing policy specification languages for access control. The profile supports the WS-Policy Attachment specification, which allows separate policies to be associated with multiple components of a Web service description, and one of our key contributions is an algorithm to compute the effective policy for the Web service given the multiple policy attachments. To allow Web service applications to use our solution, we have adopted a component-based design approach based on well-known UML notations. We have also prototyped our architecture in a loosely coupled Web services environment.