SECURING COMPOSITE WEB SERVICES Prathima Rao Objective The main objective of this work is to provide a flexible language framework for expressing security policies for composite web services Composite Web Service A combination of available web services that expresses a business process For example A FreightMixer is a composite web service that interacts with various shipping providers also web services to provide end to end freight service for its customers Business Process Execution Language BPEL 1 language used to build a composite WS The process of constructing a composite WS is often referred to as orchestration Security of WS Task level security Concerns issues like message authentication authorization integrity etc WS Security WS Policy are standards for specifying these task level requirements Process level security Concerns with business rules specific to a particular application domain For example in the case of FreightMixer service it may be necessary to ensure that an item being shipped to country X is not banned in that country Related Work AO4BPEL 2 XACML 3 Access control policy language with request response language Ponder 4 Aspect oriented extensions to BPEL Declarative object oriented policy language for large distributed systems Rei 5 KaOS 6 Ontology based semantic policy frameworks Related Work Polymer 7 Java based domain specific language for specifying and enforcing security policies Provides a Policy class which contains An effect free query method that determines how to react to a security sensitive active by providing suggestions A security state Methods to update security state Can be regarded as an implementation of an edit automata Case Study Vacation Planner Composite web service that acts as a travel agent Case Study Vacation Planner Each of the web services has a set of methods and policies A BPEL fragment for VP is shown below Case Study Vacation Planner Security requirements Airline web service Hotel web service Authenticated and encrypted messages Authentication and integrity of all transactions All customers need to have a valid passport no Vacation Planner composite web service Authentication and integrity of all transactions Ensure that no customer needs to reveal his passport no Ensure that there are no timing conflicts in the booking of the various services Proposed Solution Extensions to BPEL The idea is incorporate the Policy class proposed in the Polymer work into BPEL The activities participating in the BPEL compositions are security sensitive actions The query method monitors each activity and offers suggestions like insert new code replace activity etc For example code can be inserted to check for conflicts Suggestions allow semantically meaningful compositions of security policies For example two policies cannot replace the same activity Extensions to BPEL The set of suggestions can be extended to enable more domain specific conflict detections With the Policy extension both task level and process level security requirements for VP can be specified A Conflict class which be further extended for a particular domain can also be incorporated Extensions to BPEL An example of the BPEL code with extended Policy class is given below Extensions to BPEL Future Work Static Typing Criteria based composition of web services A flexible type system to ensure that run time no security policy violations can occur and that no conflicts in policies will arise Compose web services based on some user specified criteria For example compose services so as minimize the amount personal information that needs to be divulged Fault tolerance What must happen when some service suddenly aborts Dynamic reconfiguration and conflict checking of security policies Contributions Proposes enhancements to BPEL that Enables centralized and modular enforcement of security policies for composite web services Provides a language framework that enables semantically meaningful composition of security policies and also specification of conflict detection code Outlines new research directions in the domain of composite web services References 1 2 3 4 5 6 7 F Curbera et al Web services business process execution language version 2 0 In OASIS Dec 2004 A Char et al Aspect oriented web service composition with ao4bpel In European Conference On Web Services ECOWS 2004 Xacml 2 0 oasis standard 2004 N Damianou et al Ponder a language for specifying security and management policies for distributed systems Technical report Imperial College Oct 2000 L Kagal et al Ponder A policy language for pervasive computing environment In Policy Workshop on Policies for Distributed Systems and Networks 2004 A Uszok et al Kaos policy and domain services Toward a description logic approach to policy representation deconiction and enforcement In Policy Workshop on Policies for Distributed Systems and Networks 2003 L Bauer et al Composing security policies with polymer In Programming Languages Design And Implementation PLDI 2005
View Full Document
Unlocking...