Abstract
Business Processes for Web Services are the new paradigm for lightweight enterprise integration. They cross organizational boundaries, are provided by entities that see each other just as business partners, and require access control mechanisms based on trust management. Stateful Business Processes, enforcing separation of duties or service limitations based on past or current usage, pose additional research challenges. Clients, which may not know the right set of credentials to supply to each partner, may end up in dead-ends and servers should help them find out what must be revoked and what missing is that grant access to a particular resource.
We propose a logical framework and an interactive algorithm based on negotiation of credentials for access control that works for Stateful Business Processes. We show that our algorithm is sound (no grant is given to unauthorized clients), complete (authorized clients get grant) and resistant against DoS attempt.
This work is partially funded by the IST programme of the EU Commission FET under the IST-2001-37004 WASP project and by the FIRB programme of MIUR under the RBNE0195K5 ASTRO Project and RBAU01P5SS Project.
Access provided by Autonomous University of Puebla. Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
References
Yu, T., Winslett, M., Seamons, K.E.: Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation. ACM Transactions on Information and System Security (TISSEC) 6, 1–42 (2003)
Bonatti, P., Samarati, P.: A unified framework for regulating access and information release on the web. Journal of Computer Security 10, 241–272 (2002)
Koshutanski, H., Massacci, F.: Interactive access control for Web Services. In: Proceedings of the 19th IFIP Information Security Conference (SEC 2004), Toulouse, France, pp. 151–166. Kluwer Press, Dordrecht (2004)
Bertino, E., Ferrari, E., Atluri, V.: The specification and enforcement of authorization constraints in workflow management systems. ACM Transactions on Information and System Security (TISSEC) 2, 65–104 (1999)
Apt, K.: Logic programming. In: van Leeuwen, J. (ed.) Handbook of Theoretical Computer Science. Elsevier, Amsterdam (1990)
De Capitani di Vimercati, S., Samarati, P.: Access control: Policies, models, and mechanism. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, p. 137. Springer, Heidelberg (2001)
Koshutanski, H., Massacci, F.: Interactive access control for stateful web services business processes. Technical Report DIT-05-002, Department of Information and Communication Technology, University of Trento (2005)
Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM TISSEC 4, 224–274 (2001)
Park, J., Sandhu, R.: Towards usage control models: beyond traditional access control. In: Seventh ACM SACMAT, pp. 57–64. ACM Press, New York (2002)
Giuri, L.: Role-based access control on the web. ACM Transactions on Information and System Security (TISSEC) 4, 37–71 (2001)
Park, J.S., Sandhu, R.: RBAC on the Web by smart certificates. In: Proceedings of the fourth ACM workshop on Role-based access control, pp. 1–9. ACM Press, New York (1999)
Joshi, J.B.D., Aref, W.G., Ghafoor, A., Spafford, E.H.: Security models for web-based applications. Communications of the ACM 44, 38–44 (2001)
Roscheisen, M., Winograd, T.: A communication agreement framework for access/action control. In: Proceedings of the Symposium on Security and Privacy, pp. 154–163. IEEE Press, Los Alamitos (1996)
Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: A logic-based approach to distributed authorization. ACM Transactions on Information and System Security (TISSEC) 6, 128–171 (2003)
Jajodia, S., Samarati, P., Subrahmanian, V.S., Bertino, E.: A unified framework for enforcing multiple access control policies. In: Proceedings of the 1997 ACM SIGMOD conference on Management of data, pp. 474–485. ACM Press, New York (1997)
Wijesekera, D., Jajodia, S.: Policy algebras for access control the predicate case. In: Proceedings of the 9th ACM conference on Computer and Communications Security, pp. 171–180. ACM Press, New York (2002)
Koshutanski, H., Massacci, F.: An access control framework for business processes for Web services. In: Proceedings of the 2003 ACM workshop on XML security, Fairfax, VA, pp. 15–24. ACM Press, New York (2003)
Koshutanski, H., Massacci, F.: An interactive trust management and negotiation scheme. In: Proceedings of the 2nd International Workshop on Formal Aspects in Security and Trust (FAST), Toulouse, France, pp. 139–152. Kluwer Press, Dordrecht (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Koshutanski, H., Massacci, F. (2005). Interactive Credential Negotiation for Stateful Business Processes. In: Herrmann, P., Issarny, V., Shiu, S. (eds) Trust Management. iTrust 2005. Lecture Notes in Computer Science, vol 3477. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11429760_18
Download citation
DOI: https://doi.org/10.1007/11429760_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26042-4
Online ISBN: 978-3-540-32040-1
eBook Packages: Computer ScienceComputer Science (R0)