Lorenzo D. Martino
Purdue University
Publication
Featured research published by Lorenzo D. Martino.
IEEE Computer | 1991
Elisa Bertino; Lorenzo D. Martino
Requirements imposed on both the object data model and object management by the support of complex objects are outlined. The basic concepts of an object-oriented data model are discussed. They are objects and object identifiers, aggregation, classes and instantiation mechanisms, metaclasses, and inheritance. Object-oriented models are compared with semantic, relational, and Codasyl models. Object-oriented query languages and query processing are considered. Some operational aspects of data management in object-oriented systems are examined. Schema evolution is discussed.
international world wide web conferences | 2006
Elisa Bertino; Anna Cinzia Squicciarini; Ivan Paloscia; Lorenzo D. Martino
The emerging Web service technology has enabled the development of Internet-based applications that integrate distributed and heterogeneous systems and processes which are owned by different organizations. However, while Web services are rapidly becoming a fundamental paradigm for the development of complex Web applications, several security issues still need to be addressed. Among the various open issues concerning security, an important issue is represented by the development of suitable access control models, able to restrict access to Web services to authorized users. In this paper we present an innovative access control model for Web services. The model is characterized by a number of key features, including identity attributes and service negotiation capabilities. We formally define the protocol for carrying on negotiations, by specifying the types of message to be exchanged and their contents, based on which requestor and provider can reach an agreement about security requirements and services. We also discuss the architecture of the prototype we are currently implementing. As part of the architecture we propose a mechanism for mapping our policies onto the WS-Policy standard which provides a standardized grammar for expressing Web services policies.
Test and Analysis of Web Services | 2007
Abbie Barbir; Chris Hobbs; Elisa Bertino; Frederick Hirsch; Lorenzo D. Martino
The World Wide Web is evolving into a medium providing a wide array of e-commerce, business-to-business, business-to-consumer, and other information-based services. In Service Oriented Architecture (SOA) technology, Web Services are emerging as the enabling technology that bridges decoupled systems across various platforms, programming languages, and applications.
International Journal of Web Services Research | 2006
Elisa Bertino; Anna Cinzia Squicciarini; Lorenzo D. Martino; Federica Paci
This paper presents an innovative access control model, referred to as Web service Access Control Version 1 (Ws-AC1), specifically tailored to Web services. The most distinguishing features of this model are the flexible granularity in protection objects and negotiation capabilities. Under Ws-AC1, an authorization can be associated with a single service and can specify for which parameter values the service can be authorized for use, thus providing a fine access control granularity. Ws-AC1 also supports coarse granularities in protection objects in that it provides the notion of service class under which several services can be grouped. Authorizations can then be associated with a service class and automatically propagated to each element in the class. The negotiation capabilities of Ws-AC1 are related to the negotiation of identity attributes and the service parameters. Identity attributes refer to information that a party requesting a service may need to submit in order to obtain the service. The access control policy model of Ws-AC1 supports the specification of policies in which conditions are stated, specifying the identity attributes to be provided and constraints on their values. In addition, conditions may also be specified against context parameters, such as time. To enhance privacy and security, the actual submission of these identity attributes is executed through a negotiation process. Parameters may also be negotiated when a subject requires use of a service with certain parameters values that, however, are not authorized under the policies in place. In this paper, we provide the formal definitions underlying our model and the relevant algorithms, such as the access control algorithm. We also present an encoding of our model in the Web Services Description Language (WSDL) standard for which we develop an extension, required to support Ws-AC1.
International Journal of Web Services Research | 2009
Lorenzo D. Martino; Elisa Bertino
This chapter identifies the main security requirements for Web services and it describes how such security requirements are addressed by standards for Web services security recently developed or under development by various standardization bodies. Standards are reviewed according to a conceptual framework that groups them by the main functionalities they provide. Standards that are covered include most of the standards encompassed by the WSS roadmap [2]; the Security Assertion Markup Language (SAML), WS-Policy, XACML, which is related to access control and has been recently extended with a profile for Web services access control; XKMS and WS-Trust; WS-Federation, Liberty Alliance and Shibboleth, which address the important problem of identity management in federated organizations. Finally, issues related to the use of the standards are discussed and open research issues in the area of access control for Web services and innovative digital identity management techniques are outlined.
international workshop on variable structure systems | 2007
Elisa Bertino; Lorenzo D. Martino
Various mechanisms for authentication and access control have been developed over time. Operating systems and DBMS implement such mechanisms and support quite rich access control models. A major limitation, however, of such mechanisms is that they are not extensible; thus whenever an application domain requires more sophisticated access controls or authentication, the applications must include logic for such controls. Such an approach leads to increased costs in application development and maintenance. For these reasons, models and mechanisms apt to separate those functions have emerged, also fostered by XML and Web services. At the same time, the need to drive the behaviour of security through clearly stated and machine-processable policies has fostered the development of various policy models and policy management mechanisms. A policy-based approach enhances flexibility, and reduces the application development costs. Changes to the access control or authentication requirements simply entail modifying the policies, without requiring changes to the applications. It is thus clear that an important approach to the problem of security is represented by the development of policy-based security services providing all functions for security management relevant to applications. Such an approach is particularly promising for applications organized according to the Service Oriented (SOA) paradigm. In this paper we discuss basic concepts of such an approach to security and we present a reference architectural framework. We discuss three relevant classes of security services, namely digital identity management services, authentication services, and access control services, and outline research directions for each such class.
ieee international conference on services computing | 2006
Elisa Bertino; Lorenzo D. Martino
Security is today a relevant requirement for any distributed application, and in particular for those enabled by the Web such as e-health, e-commerce, and e-learning. It is thus crucial that the use of Web services, stand-alone or composed, provide strong security guarantees. Web services security encompasses several requirements that can be described along the well-known security dimensions, that is: integrity, whereby a message must remain unaltered during transmission; confidentiality, whereby the contents of a message cannot be viewed while in transit, except by authorized services; availability, whereby a message is promptly delivered to the intended recipient, thus ensuring that legitimate users receive the services they are entitled to. Moreover, each Web service must protect its own resources against unauthorized access. This in turn requires suitable means for: identification, whereby the recipient of a message must be able to identify the sender; authentication, whereby the recipient of a message needs to verify the claimed identity of the sender; authorization, whereby the recipient of a message needs to apply access control policies to determine whether the sender has the right to use the required resources.
Interoperability for Enterprise Software and Applications (I-ESA'06), 22-24 Mar 2006, Bordeaux, France | 2007
Michael D. Wilson; David W. Chadwick; Theo Dimitrakos; Jürgen Doser; Pablo Giambiagi; David Golby; Christian Geuer-Pollman; Jochen Haller; Stølen Ketil; Tobias Mahler; Lorenzo D. Martino; Xavier Parent; Santi Ristol; Jakka Sairamesh; Lutz Schubert; Nilufer Tuptuk
Abstract. To respond to market opportunities enterprises must interoperate with each other within dynamic virtual organizations (VO) when they do not control the required resources themselves. The TrustCoM project is developing a framework for trust, security and contract management for dynamic VO. The core contribution of the TrustCoM framework is its ability to define a contractual agreement between VO members at a business level and have it specified, monitored and updated at a technical, operational level within a service oriented architecture. The main innovation in TrustCoM is to apply recent research results on policy based security in distributed computing management, role based access control and reputation management to bridge the gap between VO Agreements and managed Web Services.
1. INTRODUCTION
In the 1980's the main interoperability challenge for enterprises was to support syntactic interchange of information within organisations. In the 1990's the challenge advanced from syntax and structure to address semantics (e.g., Sheth, 1999). One solution to this is to use service oriented architectures implemented as web services or the grid where service interfaces can be clearly defined. The challenge for the early
Archive | 2009
Elisa Bertino; Lorenzo D. Martino; Federica Paci; Anna Cinzia Squicciarini
Over time, different languages, mechanisms, and tools have been developed on different software and hardware platforms for specifying and implementing a variety of security mechanisms, such as encryption and access control. In a Web service setting, security mechanisms protect the confidentiality and integrity of the so-called information in transit, that is, the data and messages exchanged between a client and a Web service, and of the so-called information at rest, that is, the information stored in a Web host. Furthermore, protection of the information must not only consider simple two-way client-server interactions, but also extend to more complex interactions, as in the case of business processes implemented through multiple Web services.
international symposium on autonomous decentralized systems | 2007
Elisa Bertino; Lorenzo D. Martino
Various mechanisms for authentication and access control have been developed over time. Operating systems and DBMS implement such mechanisms and support quite rich access control models. A major limitation, however, of such mechanisms is that they are not extensible; thus whenever an application domain requires more sophisticated access controls or authentication, the applications must include logic for such controls. Such an approach leads to increased costs in application development and maintenance. For these reasons, models and mechanisms apt to separate those functions have emerged, also fostered by XML and Web services. At the same time, the need to drive the behaviour of security through clearly stated and machine-processable policies has fostered the development of various policy models and policy management mechanisms. A policy-based approach enhances flexibility, and reduces the application development costs. Changes to the access control or authentication requirements simply entail modifying the policies, without requiring changes to the applications. It is thus clear that an important approach to the problem of security is represented by the development of policy-based security services providing all functions for security management relevant to applications. Such an approach is particularly promising for applications organized according to the service oriented (SOA) paradigm. In this paper we discuss basic concepts of such an approach to security and we present a reference architectural framework. We discuss three relevant classes of security services, namely digital identity management services, authentication services, and access control services, and outline research directions for each such class.