Identity propagation in N-tier systems

  • Authors: Anil Patel; Malcolm McRoberts; Melissa Crenshaw
  • Affiliation (all authors): Harris Corporation, Enterprise Architecture Core Technology Center, Melbourne, FL
  • Venue: MILCOM'09 Proceedings of the 28th IEEE conference on Military communications
  • Year: 2009

Abstract

While SOA promises great benefits in productivity and flexibility, the tools for securing these systems continue to lag behind. The ideal of SOA security is to provide trusted containers and frameworks that enforce policies established during deployment, and remove security logic and policy from application code completely. Standards such as WS-Security address some of the issues, but enterprise systems don't stop and start with web services. In an N-tier system, the user is authenticated at the client platform, and this authentication will ultimately determine access to resources in back-end data stores. The challenge is to create a framework for the end-to-end propagation of user credentials across N tiers, which doesn't rely on custom security code within applications. This paper will describe a working prototype framework that propagates user credentials through web application, web service and database tiers, and applies label-based access control (LBAC) policies within the database. The paper will also outline known gaps in web and SOA standards, and directions for future work.