A Policy-Based Authorization System for Web Services: Integrating X-GTRBAC and WS-Policy

Authorization and access control in Web services is complicated by the unique requirements of the dynamic Web services paradigm. Amongst them is the requirement for a context-aware access control specification and a processing model to apply fine-grained access control on various components of a Web service. In this paper, we address these two requirements and present a policy-based authorization system that leverages an emerging Web service policy processing model, WS-Policy, and integrates it with X-GTRBAC, an XML-based access control model to allow specification and processing of fine-grained, context-aware authorization policies in dynamic Web services environments. The architecture is designed to support the WS-Policy Attachment specification, which allows attaching, retrieving and combining policies associated with various components of a Web service in the WSDL document. Consequently, we present an algorithm to compute the effective access control policy of a Web service based on its description. The effective policy, represented as a normalized WS-Policy document, is then used by the X-GTRBAC system to evaluate an incoming access request. We have prototyped our architecture, and implemented it as a loosely coupled Web service, with logically distinct, heterogeneous modules acting as Policy Enforcement Point (PEP) and Policy Decision Point (PDP). Our prototype demonstrates the true promise of the decentralized Web services architecture, and incorporates SAML-based single sign-on communication between multiple system modules. Figure 1: A Web-service based application: services are described using WSDL documents.