Towards a security management system for composite web services

A web service can be operated in a distributed environment with a large number of resources with evolving contents. These resources can be various types of applications that come from different organizations, e.g., component web services. A web service that composes multiple component services (resources) is called composite web service that can provide comprehensive and value-added function to service consumer. In order to acquire the support from these resources, the composite web service must be able to satisfy authorization policies of these resources. Interacting with service consumers is imperative for the execution of a composite web service. But, a service consumer can access the specific functions of a composite service, only after it can satisfy the authorization policies of the composite web service. Execution policies are used to manage the sequence of operation invocations within a composite web service, i.e., business logic. Therefore, without coordination management on these policies, a composite web service may not be able to perform properly, particularly in a process environment. Currently, it is still lack of an effective approach to address the issue of security management in composite web service by considering both service consumers and component services, and taking various types of authorization constraints into account to manage and coordinate the service consumer access and component service support. In this thesis, we propose a service oriented conceptual model (SOAC) as an extension of role based access control that can facilitate the administration and management of access for service consumers as well as component services supports in composite web services. Various types of conflict of interest are identified due to the complicated relationships among service consumers and component services. A process model, SOAC-Net, is also developed based on our designed conceptual model SOAC. The SOAC-Net is a Petri-Net based process model that represents an authorization ow, i.e., the sequence of the accesses by service consumers and the sequence of the supports from components services. A set of authorization policies, e.g., authorization synchronization policy and authorization dependency policy, are designed based on SOAC-Net to coordinate the access and the support in a process environment. Verification on improper authorization policy definition is proposed based on SOAC-Net to detect the unreliable execution of composite web service. A service oriented authorization control engine (SOAC engine) is developed as an implementation of the proposed authorization framework of composite web services. In summary, this research throws new light on the current state of the art in authorization management under the loosely-coupled composite web service environments.