Posted by flanker721 (XML.ORG.CN member, registered 2006/12/29):

Using Semantic Rules to Determine Access Control for Web Services
Brian Shields, Owen Molloy, Gerard Lyons, Jim Duggan
Department of Information Technology
National University of Ireland
Galway, Ireland
brian.shields@geminga.it.nuigalway.ie
{owen.molloy, gerard.lyons, jim.duggan}@nuigalway.ie

ABSTRACT

Semantic Web technologies are being increasingly employed to solve knowledge management issues in traditional Web technologies. This paper follows that trend and proposes using Semantic rule languages to construct rules for defining access control rules for Web Services. Using these rules, a system will be able to manage access to Web Services and also the information accessed via these services.

Categories and Subject Descriptors: K.6.5 [Management of Computing and Information Systems]: Security and Protection
General Terms: Security
Keywords: Web Service Security, Authorisation, OWL, SWRL
1. INTRODUCTION

Access to information using internet technologies is becoming increasingly popular. Incorporating data security in application design, previously an afterthought, is now a priority. Security in information transport was one of the first resolved, using standards such as SSL. This problem domain is less complex than the one we present a solution to in this paper. Securing information "over the wire" is a blanket solution: what the information is, or what it means, is irrelevant. Securing access to this information is more difficult. Access control depends directly on what information is trying to be accessed, and we believe that understanding what this information is or means will aid its protection.

This abstract presents a novel approach to authorisation in a Web Services framework. We embrace existing standards in our solution, using standards from a number of fields such as Web Services, security and Semantic Web.
1.1 Underpinning Technologies

The Semantic Web is a family of specifications and proposed technologies that are maturing in parallel to Web Services. First coined by Tim Berners-Lee at the XML 2000 conference [5], the Semantic Web, as with Web Services, has consistently increased in popularity. Interest and research in the Semantic Web however remains primarily driven by the academic community.

The Web Ontology Language (OWL) [9] is a World Wide Web Consortium (W3C) standard for defining semantically rich languages. OWL Description Logic (OWL-DL) is a subset of OWL which guarantees completeness and decidability. The Semantic Web Rule Language (SWRL) [7] is a combination of the decidable subset of OWL and the Rule Markup Language.

Copyright is held by the author/owner.
WWW 2006, May 23–26, 2006, Edinburgh, Scotland.
ACM 1-59593-332-9/06/0005.
2. IMPLEMENTATION

It is necessary, for completion and testing of the above mentioned hypothesis, to develop a full security architecture. From research conducted into Web Service security frameworks [10] [6] [8] the principal components of a Web Service security architecture have been identified as encryption and decryption, signing and signature verification, key management and access control.
2.1 Web Service Security

The security framework designed and implemented as part of this research is built in Java using Apache Axis as the SOAP implementation. The core encryption and decryption engine is developed using Apache's Web Service Security for Java (WSS4J) implementation of the WS-Security specification from OASIS. It adheres to the W3C specification for XML-Encryption. The signing and signature verification engine is also developed using WSS4J and adheres to the W3C specification for XML-Signature. The key management is built according to the XML Key Management Specification (XKMS).
2.2 Semantically Defined Knowledge Base

The knowledge base which will be used in the authorisation process will be defined in OWL. This will be a description of the information being protected. The decidable subset of OWL, OWL-DL, will be used to represent the information in the system. Not all information has to be defined. This information base must contain at least a description of Web Service endpoints along with the description of all the information at the level at which the user wants authorisation decisions to be made. This will be discussed more in Section 2.5.
2.3 Semantically Defined Rules

The rules used to define the access rights of individuals to the information represented in the knowledge base are written in a semantically aware language. SWRL was chosen as the rule language in our system. The main advantage of using SWRL is its ability to provide support for complex relationships between properties, therefore extending the expressiveness of what we can define in OWL-DL. The subjects of the rules will be defined in the knowledge base, as described in Section 2.2. Rules may be written to protect access to two specific resources: the web service endpoints and the information they return. Return values from a Web Service call will usually differ, depending on the parameter list of each call.
2.4 Evaluating Rules

Since both the knowledge base and the authorisation rules are essentially written in OWL-DL, we can use an OWL-DL reasoning engine to evaluate the rules. The main advantage of SWRL, which was discussed in Section 2.3, can also present a new problem domain since it extends the expressiveness of OWL-DL beyond the decidable subset of OWL. There are two ways in which this can be overcome. Either restrict the expressiveness of SWRL and use an existing reasoning engine such as Pellet or Racer, or use a reasoner such as Hoolet which has been extended to handle SWRL rules. We have chosen to use the extended reasoner Hoolet. To ensure a decidable result from our authorisation we will restrict how the user may write these rules rather than restricting the language itself.
2.5 Document Filtering

Authorisation decisions will firstly be made with respect to a Web Service endpoint. This can result in one of three results:

  • Requester is granted full access
  • Requester is refused any access
  • Requester is granted limited access

A requester being granted limited access implies that they can access the endpoint but they will potentially be returned sensitive information that they do not have access to. When this happens, the response associated with the initial request is examined and the information being returned must be legally accessible by the requester. Any information which is defined as illegal for the requester will be pruned before the response is sent.

The level of pruning is defined by the user who is responsible for the update of the rules and knowledge stores. Information may only be pruned if it is defined in the knowledge base. For example, assume the information structure in Figure 1 exists in the system. If the user wants to specify that certain clients may not access Test Results then it must be defined in the knowledge base. Anyone with read access to Clinical Information will have read access to all of its undefined children.
3. CONCLUSIONS

There is some similar research being carried out. We have identified four projects that share some similarities to ours.

Rei is a distributed policy language that enables every Web entity to specify policies for its access [1].

Parsia et al., in [4], propose a semantically-aware policy language by translating WS-Policy into OWL-DL.
    Figure 1: Sample Information Structure
Qin et al. propose "an access control model for the Semantic Web that is capable of specifying authorisations over concepts defined in ontologies and enforcing them upon data instances annotated by the concepts" [2].

Damiani et al. [3] outline how "current standard policy languages such as XACML can be extended" to be able to semantically define access control policies for the Semantic Web.

The model proposed in this abstract differs from each of these offerings. The first two items deal with policies for Web Services, often confused with authorisation rules. A policy is the information which the owner of the service wishes to share with potential business partners. The final two areas of research are more similar to this paper, although the research by Qin et al. does not lend itself specifically to access control for Web Services and the work of Damiani et al. enriches XACML with RDF; RDF will not provide the same semantic richness as OWL.
4. ACKNOWLEDGMENTS

This work is funded by Enterprise Ireland as part of the Advanced Technology Research Program.
5. REFERENCES

[1] L. Kagal, T. Finin and A. Joshi. A Policy Based Approach to Security for the Semantic Web. 2nd International Semantic Web Conference, Sanibel Island, Florida, USA, 2003.
[2] L. Qin and V. Atluri. Concept-Level Access Control for the Semantic Web. ACM Workshop on XML Security, Fairfax, VA, USA, 2003.
[3] E. Damiani, S. De Capitani di Vimercati, C. Fugazza and P. Samarati. Extending Policy Languages to the Semantic Web. 4th International Conference on Web Engineering, Munich, Germany, 2004.
[4] B. Parsia, V. Kolovski and J. Hendler. Expressing WS Policies in OWL. 14th International World Wide Web Conference, Chiba, Japan, 2005.
[5] T. Berners-Lee. Keynote address at XML 2000. http://www.w3.org/2000/Talks/1206-xml2k-tbl/slide10-0.html, 2000.
[6] B. Hartman, D. J. Flinn, K. Beznosov, and S. Kawamoto. Mastering Web Service Security. Wiley, 2003.
[7] I. Horrocks et al. SWRL: A Semantic Web Rule Language combining OWL and RuleML, May 2004. URL: http://www.daml.org/2003/11/swrl/.
[8] P. Kumar. J2EE Security for Servlets, EJBs and Web Services. Prentice Hall, 2004.
[9] D. L. McGuinness and F. van Harmelen. OWL Web Ontology Language, February 2004. URL: http://www.w3.org/TR/owl-features/.
[10] M. O'Neill. Web Services Security. McGraw-Hill/Osborne, 2003.

Posted 2006/12/30 17:27:00
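The two-stage decision the poster describes (an endpoint-level verdict of full, refused or limited access in Section 2.5, followed by pruning of a limited-access response against the knowledge base) can be made concrete with a small stand-in implementation. The following is an added example, not code from the paper's authors or from this thread: Python dicts take the place of the OWL-DL knowledge base and the SWRL rules, a hand-written lookup takes the place of the Hoolet reasoner, and the concept names, endpoint name, roles and sample response are all assumed. It keeps the paper's inheritance rule that an undefined child of a concept takes the decision made for its nearest defined ancestor.

```python
"""Endpoint authorisation and response pruning over a concept hierarchy.

Constructed illustration, not the authors' code: plain Python dicts stand
in for the OWL-DL knowledge base and the SWRL rules, and a hand-written
lookup stands in for the reasoner, so it runs offline. All names assumed.
"""
import xml.etree.ElementTree as ET

# Knowledge base: concept -> parent. Mirrors Figure 1's "Clinical
# Information" with "Test Results" defined as one of its children.
PARENT = {
    "ClinicalInformation": None,
    "TestResults": "ClinicalInformation",
    "Diagnosis": "ClinicalInformation",
}
# Web Service endpoints and the concept each returns (assumed names).
ENDPOINTS = {"getPatientRecord": "ClinicalInformation"}
# XML element names described in the knowledge base. Elements with no
# entry are the paper's "undefined children" and inherit the decision
# made for the nearest defined ancestor.
ELEMENT_CONCEPT = {
    "clinicalInformation": "ClinicalInformation",
    "testResults": "TestResults",
    "diagnosis": "Diagnosis",
}
# Rules standing in for SWRL as (role, concept, effect); the last one
# reads roughly: Receptionist(?u) ^ TestResults(?d) -> deniedRead(?u, ?d).
# The most specific concept on the requester's path decides, deny beats
# permit at the same level, and no matching rule means no access.
RULES = [
    ("clinician", "ClinicalInformation", "permit"),
    ("receptionist", "ClinicalInformation", "permit"),
    ("receptionist", "TestResults", "deny"),
]

def ancestors(concept):
    """Yield the concept itself, then each parent up to the root."""
    while concept is not None:
        yield concept
        concept = PARENT[concept]

def decide(roles, concept):
    """Return 'permit' or 'deny' for a set of roles on one concept."""
    for c in ancestors(concept):
        effects = {e for r, k, e in RULES if r in roles and k == c}
        if effects:
            return "deny" if "deny" in effects else "permit"
    return "deny"

def endpoint_decision(roles, endpoint):
    """First stage: 'full', 'refused' or 'limited' access to an endpoint."""
    root = ENDPOINTS[endpoint]
    if decide(roles, root) == "deny":
        return "refused"
    denied_below = [c for c in PARENT if c != root and root in ancestors(c)
                    and decide(roles, c) == "deny"]
    return "limited" if denied_below else "full"

def prune(element, roles, inherited):
    """Recursively drop sub-elements the requester may not read."""
    for child in list(element):
        concept = ELEMENT_CONCEPT.get(child.tag)
        effect = decide(roles, concept) if concept else inherited
        if effect == "deny":
            element.remove(child)
        else:
            prune(child, roles, effect)

def filter_response(roles, endpoint, xml_text):
    """Second stage: prune a limited-access response before it is sent."""
    outcome = endpoint_decision(roles, endpoint)
    if outcome == "refused":
        return outcome, None
    root = ET.fromstring(xml_text)
    if outcome == "limited":
        # The endpoint was permitted, so undefined elements directly
        # under the root inherit that permission.
        prune(root, roles, decide(roles, ENDPOINTS[endpoint]))
    return outcome, ET.tostring(root, encoding="unicode")

def tags_in(xml_text):
    """Element names present in an XML document, for checking results."""
    return [e.tag for e in ET.fromstring(xml_text).iter()]

# Constructed sample response; <notes> is deliberately not in the KB.
SAMPLE_RESPONSE = """<clinicalInformation patient="p-001">
  <diagnosis>Type 2 diabetes</diagnosis>
  <testResults><hba1c>7.9</hba1c></testResults>
  <notes>Follow-up in 3 months</notes>
</clinicalInformation>"""

if __name__ == "__main__":
    for role in ("clinician", "receptionist", "guest"):
        print(role, *filter_response({role}, "getPatientRecord", SAMPLE_RESPONSE))
```

Run as a script it prints one line per role: the clinician gets the full response, the receptionist gets a limited response with the whole testResults subtree (including the undefined hba1c child) removed while the undefined notes element survives under its permitted parent, and the unknown guest role is refused at the endpoint before any response is built. The deny-beats-permit choice at equal specificity is this example's own decision for the case the paper does not spell out; an OWL-DL deployment would have to pin that down in the rule set so that the reasoner's answer stays decidable and unambiguous.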
     
Reply from northenstar (XML.ORG.CN member, registered 2005/9/27):
Hello OP. First of all, thank you for the articles you have posted; they have helped me a lot. I am currently choosing a research topic and would like to know whether security for Semantic Web services is a direction that can be taken further. I hope you can give me some advice, and also pass on some good related material ^_^. Many thanks!
Posted 2007/1/14 10:21:00
     
Reply from northenstar:
^_^ My e-mail is fan108@163.com. Thank you very much! ^_^
Posted 2007/1/14 10:24:00
     