An access control framework for web services

M. Coetzee (School of Information Technology, University of Johannesburg, Johannesburg, South Africa)
J.H.P. Eloff (Information and Computer Security Architectures (ICSA) Research Group, Department of Computer Science, University of Pretoria, Pretoria, South Africa)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 1 February 2005

Abstract

Purpose

To define a framework for access control for virtual applications, enabled through web services technologies. The framework supports the loosely coupled manner in which web services are shared between partners.

Design/methodology/approach

A background discussion on relevant literature, with an example, is used to illustrate the problem that exists. To enable access control composition, an extension is proposed to authorisation specification language, together with publication of access control requirements of a web service provider.

Findings

The framework shows that loosely coupled access control can be made possible by making use of the standard manner in which messages are communicated in XML, and by composing assertions with the access control policy of the provider in a consistent manner. Access to web service methods is only granted if permission can be derived for it, where the derivation step forms a formal proof.

Research limitations/implications

A basic framework has been defined. An architecture to support it must be defined. Only a very basic level of access control composition has been illustrated.

Practical implications

The publication of access control requirements in standards such as WS‐Policy can be considered.

Originality/value

This paper offers a practical approach to address access control for web services.

Citation

Coetzee, M. and Eloff, J.H.P. (2005), "An access control framework for web services", Information Management & Computer Security, Vol. 13 No. 1, pp. 29-38. https://doi.org/10.1108/09685220510582656

Publisher: Emerald Group Publishing Limited

Copyright © 2005, Emerald Group Publishing Limited
