
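A Two-Level Access Control Method for Web Service Resources
Cite this article: HUO Yuan-guo, MA Dian-fu, LIU Jian, LI Zhu-qing. A Two-Level Access Control Method for Web Service Resources[J]. Computer Science, 2010, 37(7): 125-129
Authors: HUO Yuan-guo  MA Dian-fu  LIU Jian  LI Zhu-qing
Affiliation: School of Computer Science, Beihang University, Beijing 100191
Funding: National 863 Program Key Project
Abstract: A Web service resource has two components: a static Web service interface and a dynamic stateful resource. Based on the different characteristics of these two components, this paper proposes an attribute-based two-level access control method for it (Two Level Attribute-Based Access Control, 2L-ABAC). 2L-ABAC extends the attribute-based access control model (Attribute-Based Access Control, ABAC) and applies access control to the two components separately. Because access decisions in an ABAC system depend on the subject attributes supplied by the user, 2L-ABAC uses a policy publishing mechanism to tell users which attributes are required, and uses two publishing methods, WSDL attachment and metadata exchange, according to the characteristics of each level. In addition to the flexibility brought by the layered design, 2L-ABAC inherits the properties of the ABAC model and can perform access control for users from other security domains. Furthermore, it is implemented on the basis of relevant international specifications such as XACML and SAML, and is therefore general-purpose.

Keywords: Web service resources  attribute-based access control
Received: 2009-08-18
Revised: 2009-11-09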

Attribute-based Two Level Access Control for Web Service Resources
HUO Yuan-guo, MA Dian-fu, LIU Jian, LI Zhu-qing. Attribute-based Two Level Access Control for Web Service Resources[J]. Computer Science, 2010, 37(7): 125-129
Authors:HUO Yuan-guo  MA Dian-fu  LIU Jian  LI Zhu-qing
Affiliation:(School of Computer Science and Engineering, Beihang University, Beijing 100191, China)
Abstract:A Web Services Resource (WS-Resource) consists of a static Web service interface and a dynamic stateful resource. According to the different characteristics of the two components, we proposed an Attribute-Based Two Level Access Control (2L-ABAC) for WS-Resources. Attribute retrieval is essential for ABAC systems because they base their decisions on attributes of users, so 2L-ABAC employs an access control policy publishing mechanism to inform users of the needed attributes. Access control policies of Web Services are static and those of resources are dynamic; correspondingly, two publishing methods, WSDL attachment and metadata exchange, are adopted for the two levels respectively. Besides the flexibility due to its hierarchical design, 2L-ABAC inherits from the ABAC model the capability of authorizing unknown users from other security domains. Moreover, this architecture can be implemented by extending standard specifications such as XACML and SAML, so it has broad applicability for WS-Resource based systems.
Keywords:WSDL  XACML  SAML
This article is indexed in databases including Wanfang Data.