Access control enforcement for conversation-based web services

Massimo Mecella, Mourad Ouzzani, Federica Paci, Elisa Bertino

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

43 Citations (Scopus)

Abstract

Service Oriented Computing is emerging as the main approach to build distributed enterprise applications on the Web. The widespread use of Web services is hindered by the lack of adequate security and privacy support. In this paper, we present a novel framework for enforcing access control in conversation-based Web services. Our approach takes into account the conversational nature of Web services. This is in contrast with existing approaches to access control enforcement that assume a Web service as a set of independent operations. Furthermore, our approach achieves a tradeoff between the need to protect Web service's access control policies and the need to disclose to clients the portion of access control policies related to the conversations they are interested in. This is important to avoid situations where the client cannot progress in the conversation due to the lack of required security requirements. We introduce the concept of k-trustworthiness that defines the conversations for which a client can provide credentials maximizing the likelihood that it will eventually hit a final state.

Original language: English
Title of host publication: Proceedings of the 15th International Conference on World Wide Web
Pages: 257-266
Number of pages: 10
DOIs: 10.1145/1135777.1135818
Publication status: Published - 1 Dec 2006
Externally published: Yes
Event: 15th International Conference on World Wide Web - Edinburgh, Scotland, United Kingdom
Duration: 23 May 2006 → 26 May 2006

Other

Other: 15th International Conference on World Wide Web
Country: United Kingdom
City: Edinburgh, Scotland
Period: 23/5/06 → 26/5/06

Fingerprint

  • Access control
  • Web services
  • World Wide Web
  • Industry

Keywords

  • Access control
  • Conversations
  • Transition systems
  • Web services

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Software

Cite this

Mecella, M., Ouzzani, M., Paci, F., & Bertino, E. (2006). Access control enforcement for conversation-based web services. In Proceedings of the 15th International Conference on World Wide Web (pp. 257-266) https://doi.org/10.1145/1135777.1135818

@inproceedings{27d3a726bcc6453b8552f3a69cfdd5a9,
title = "Access control enforcement for conversation-based web services",
abstract = "Service Oriented Computing is emerging as the main approach to build distributed enterprise applications on the Web. The widespread use of Web services is hindered by the lack of adequate security and privacy support. In this paper, we present a novel framework for enforcing access control in conversation-based Web services. Our approach takes into account the conversational nature of Web services. This is in contrast with existing approaches to access control enforcement that assume a Web service as a set of independent operations. Furthermore, our approach achieves a tradeoff between the need to protect Web service's access control policies and the need to disclose to clients the portion of access control policies related to the conversations they are interested in. This is important to avoid situations where the client cannot progress in the conversation due to the lack of required security requirements. We introduce the concept of k-trustworthiness that defines the conversations for which a client can provide credentials maximizing the likelihood that it will eventually hit a final state.",
keywords = "Access control, Conversations, Transition systems, Web services",
author = "Massimo Mecella and Mourad Ouzzani and Federica Paci and Elisa Bertino",
year = "2006",
month = "12",
day = "1",
doi = "10.1145/1135777.1135818",
language = "English",
isbn = "1595933239",
pages = "257--266",
booktitle = "Proceedings of the 15th International Conference on World Wide Web",
}

TY  - GEN
T1  - Access control enforcement for conversation-based web services
AU  - Mecella, Massimo
AU  - Ouzzani, Mourad
AU  - Paci, Federica
AU  - Bertino, Elisa
PY  - 2006/12/1
Y1  - 2006/12/1
N2  - Service Oriented Computing is emerging as the main approach to build distributed enterprise applications on the Web. The widespread use of Web services is hindered by the lack of adequate security and privacy support. In this paper, we present a novel framework for enforcing access control in conversation-based Web services. Our approach takes into account the conversational nature of Web services. This is in contrast with existing approaches to access control enforcement that assume a Web service as a set of independent operations. Furthermore, our approach achieves a tradeoff between the need to protect Web service's access control policies and the need to disclose to clients the portion of access control policies related to the conversations they are interested in. This is important to avoid situations where the client cannot progress in the conversation due to the lack of required security requirements. We introduce the concept of k-trustworthiness that defines the conversations for which a client can provide credentials maximizing the likelihood that it will eventually hit a final state.
AB  - Service Oriented Computing is emerging as the main approach to build distributed enterprise applications on the Web. The widespread use of Web services is hindered by the lack of adequate security and privacy support. In this paper, we present a novel framework for enforcing access control in conversation-based Web services. Our approach takes into account the conversational nature of Web services. This is in contrast with existing approaches to access control enforcement that assume a Web service as a set of independent operations. Furthermore, our approach achieves a tradeoff between the need to protect Web service's access control policies and the need to disclose to clients the portion of access control policies related to the conversations they are interested in. This is important to avoid situations where the client cannot progress in the conversation due to the lack of required security requirements. We introduce the concept of k-trustworthiness that defines the conversations for which a client can provide credentials maximizing the likelihood that it will eventually hit a final state.
KW  - Access control
KW  - Conversations
KW  - Transition systems
KW  - Web services
UR  - http://www.scopus.com/inward/record.url?scp=34250616363&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=34250616363&partnerID=8YFLogxK
U2  - 10.1145/1135777.1135818
DO  - 10.1145/1135777.1135818
M3  - Conference contribution
SN  - 1595933239
SN  - 9781595933232
SP  - 257
EP  - 266
BT  - Proceedings of the 15th International Conference on World Wide Web
ER  - 