Yin Hao,Zhou Jiliu,Wu Huilin,Yu Liang

DOI: https://doi.org/10.1109/ISDPE.2007.73

2007-01-01

Abstract:Web-based portals have been increasingly used to integrate information from a variety of back-end Web services. In these systems, security is a critical feature. This paper presents a SAML/XACML based access control between portal and Web services to extend the authentication and authorization mechanism within a portal to external Web services. © 2007 IEEE.

Changqin Huang,Guanghua Song,Yao Zheng,Deren Chen

DOI: https://doi.org/10.1007/978-3-540-30102-8_39

2004-01-01

Abstract:Large-scale scientific and engineering computation is normally accomplished through the interaction of collaborating groups and diverse heterogeneous resources. Grid computing is emerging as an applicable paradigm, whilst, there is a critical challenge of authorization in the grid infrastructure. This paper proposes a Parallelized Subtask-level Authorization Service architecture (PSAS) based on the least privilege principle, and presents a context-aware authorization approach and a flexible task management mechanism. The minimization of the privileges is conducted by decomposing the parallelizable task and re-allotting the privileges required for each subtask. The dynamic authorization is carried out by constructing a multi-value community policy and adaptively transiting the mapping. Besides applying a relevant management policy, a delegation mechanism collaboratively performs the authorization delegation for task management. In the enforcement mechanisms involved, the authors have extended the RSL specification and the proxy certificate, and have modified the Globus gatekeeper, jobmanager and the GASS library to allow authorization callouts. Therefore the authorization requirement of an application is effectively met in the presented architecture.

Qinghuai Zeng,Changqin Huang,Deren Chen,Hualiang Hu

DOI: https://doi.org/10.1109/CACWD.2004.1349224

2004-01-01

Abstract:In grid environments, the dynamic and multi-institutional nature introduces challenging security issues. In this paper, we propose subtask-based authorization service (SAS) architecture to fully secure a type of application oriented to engineering and scientific computing. We minimize privileges for task by decomposing the parallel task and re-allotting the privileges required for each subtask. Community authorization module describes and applies community policies of resource permission and privilege for resource usage or task management. It separates proxy credentials from identity credentials. We adopt a relevant policy and task management delegation to describe rules for task management. The ultimate privileges are formed by the combination of relevant proxy credential, subtask-level privilege certificate and community policy for this user, as well as they conform to resource policy. To enforce the architecture, we extend the RSL specification and the proxy certificate, modify Globus' gatekeeper, jobmanager and the GASS library to allow authorization callouts, and evaluate the user's job management requests and job's resource request in the context of policies.

Di Wu,Yabo Dong,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11563952_52

2005-01-01

Abstract:The fast development of E-Commerce and information technology brings much higher requirements for enterprise informationization. Because of the differences in platforms, development languages and standards etc, enterprise application integration (EAI) has become the important form of enterprise informationization to support complex business processes. Web services have emerged as the next generation of integration technology which provides the power to support interoperability. However EAI doesn’t just present new interoperability challenges; it also presents serious privacy and security challenges. This paper presents security architecture of Web Services based EAI which uses distributed Single Sign On authentication and distributed Role-based Access Control authorization. The basic concept and prototype system of the security architecture are described in detail.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

Hao Yin,Donald F. McMullen,Mehmet A. Nacar,Marlon Pierce,Kianosh Huffman,Geofftey Fox,Yu Ma

DOI: https://doi.org/10.1109/icgrid.2006.311037

2006-01-01

Abstract:The Common Instrument Middleware Architecture (CIMA) project, supported by the NSF Middleware Initiative, aims at making scientific instruments and sensors remotely accessible by providing a general solution for services and user interfaces to remotely access data from instruments and to remotely monitor experiments. X-ray crystallography is one of several motivating applications for the development of CIMA. Data such as CCD frames and sensor readings may be accessed by portals through middleware services as they are being acquired or through persistent archives. CIMA software may be used to federate online instruments in multiple labs, so this project must also address problems in data management and data sharing. This paper describes a collaboration between the CIMA and the Open Grid Computing Environments (OGCE) project to enable remote users to monitor instruments and interact with data gathered from CIMA-enabled crystallography laboratories through various Web portal components (portlets) running within a standards-compliant portal container. We also discuss an approach taken to develop portlets that use Web Services for data management and solutions for managing distributed identity and access control.

Wei Jie,Zhenghong Huang,Michael Daw,Rob Procter,Xiaorong Li,Lianggui Tang,Sheng Lu

DOI: https://doi.org/10.1109/CEC-EEE.2007.84

2007-01-01

Abstract:Grid Information Service (GIS) is a core functional component of a Grid that provides information about various resources and their status. Security underpins a GIS making secure access to a GIS an important issue. On the basis of our existing work on a GIS architecture, we further propose a security framework which leverages Shibboleth as the authentication infrastructure and combines PERMIS authorization technology. As a result, this security framework integrates the advantages of both Shibboleth cross-domain identity federation and PERMIS policy driven role based access control, thus presenting a new security model for secure access to a GIS.

Yang Luo,Qingni Shen,Zhonghai Wu

DOI: https://doi.org/10.48550/arXiv.1903.09756

2019-03-23

Abstract:Access control is an important component for web services such as a cloud. Current clouds tend to design the access control mechanism together with the policy language on their own. It leads to two issues: (i) a cloud user has to learn different policy languages to use multiple clouds, and (ii) a cloud service provider has to customize an authorization mechanism based on its business requirement, which brings high development cost. In this work, a new access control policy language called PERM modeling language (PML) is proposed to express various access control models such as access control list (ACL), role-based access control (RBAC) and attribute-based access control (ABAC), etc. PML's enforcement mechanism is designed in an interpreter-on-interpreter manner, which not only secures the authorization code with sandboxing, but also extends PML to all programming languages that support Lua. PML is already adopted by real-world projects such as Intel's RMD, VMware's Dispatch, Orange's Gobis and so on, which proves PML's usability. The performance evaluation on OpenStack, CloudStack and Amazon Web Services (AWS) shows PML's enforcement overhead per request is under 5.9us.

Cryptography and Security

ZHU Lei,ZHOU Ming-Hui,LIU Tian-Cheng,MEI Hong

DOI: https://doi.org/10.3321/j.issn:0254-4164.2005.04.027

2005-01-01

Chinese Journal of Computers

Abstract:Service Oriented Architecture (SOA) is a method to design and construct loose coupling software systems. It turns the distributed applications developed on middleware into software services on Internet. Traditional permission management system on middleware has good flexibility and basically, meets the security requirements of closed system, but under SOA, it cannot meet the authorization requirements of requesting services and sharing resources between different nodes and systems. This paper proposes a service oriented permission management model, supporting delegation and reasoning to provide application developers with improved permission management mechanism and to expand capabilities of middleware to share resources and services across organizations. The above model is implemented and validated in a J2EE application server. The experiments show that the model has high flexibility and scalability, and it is reasonable that when over 50 clients request at the same time, response time increases a lot because of signature verifications and file IO operations.

Aiqiang Gao,Dongqing Yang,Shiwei Tang,Ming Zhang

DOI: https://doi.org/10.1109/icpca.2008.4783602

2008-01-01

Abstract:The emerging paradigm of pervasive computing and web services needs a flexible service discovery and composition infrastructure. The widespread use of Web services in pervasive environments is hindered by the lack of adequate security and privacy support. In this paper, we discuss an access control protocol for conversation-based (composite) Web services. This approach takes into account the conversational nature of composite web services and differentiates two types of web service: goal-driven and interaction-intensive. The former is goal driven and the client cares about the final goal and participates the conversation at only a few steps. While the interaction-intensive composite web service is interaction heavy, and the service and the client need to interact with each other frequently to exchange access control credentials.

Weiqi Dai,Liangliang Yu,Yang Zhou,Kim-Kwang Raymond Choo,Deqin Zou,Xia Xie,Hai Jin

DOI: https://doi.org/10.1109/tnsm.2024.3420726

2024-08-25

IEEE Transactions on Network and Service Management

Abstract:In our data-centric society, major service providers have access to vast amounts of user information (e.g., user-generated content such as social media posts, and device-generated content such as geolocation data) for convenient and efficient services. There are privacy implications when users authorize share personal data managed by service providers. To make authorization private and controllable, in this paper, we propose a private authorization scheme oriented service providers. A decentralized publicly-verifiable re-encryption method based on IPFS is proposed to minimize the reliance on service providers, by shifting to a distributed storage and computation model. Besides, we propose a trustless authorization authentication method that hides the authorization relationship to protect user privacy. We also evaluate the security of our scheme, as well as its performance to demonstrate utility.

computer science, information systems

CHEN Yong,ZHAO Xi-bin,GU Ming

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.07.071

2006-01-01

Abstract:There are some problems to difine and realize the complex authorization in a large-scale E-commerce applications.This paper analyzes the requirement of authorization service for Web Services based business systems and proposes the multi-level authorization mechanism as a basic mechanism for implementing the authorization service,which is based on the theory of threshold closure.Then the paper designs and realizes a service-oriented authorization server using this mechanism.

Wei Jie,Michael Daw,Rob Procter,Alex Voss

2007-01-01

Abstract:The e-Infrastructure for e-Social Sciences project leverages Grid computing technology to provide an integrated platform which enables social science researchers to securely access a variety of e-Science resources. Security underpins the e-Infrastructure and a security framework with authentication and authorization functionality is a core component of the e-Infrastructure for social sciences. To build the security framework, we adopt Shibboleth as the basic authentication and authorization infrastructure and further combine PERMIS advanced authorization technology. As a result, this security framework integrates the advantages of both Shibboleth cross-domain identity federation and PERMIS policy driven role based authorization control, thus presenting a promising security model for secure access to the e-Infrastructure for the social sciences.

Wei Jie,Alistair Young,Junaid Arshad,June Finch,Rob Procter,Andy Turner

DOI: https://doi.org/10.1109/edocw.2008.6

2008-01-01

Abstract:An e-Social Science infrastructure generally has security requirements to protect their restricted resources or services. As a widely accepted authentication and authorization technology, Shibboleth supports the sharing of resources on inter-institutional federation. Guanxi is an open source implementation of the Shibboleth protocol and architecture. In this paper, we propose a security infrastructure for e-social science based on the Guanxi Shibboleth. This security infrastructure presents two main features. Firstly, Guanxi Shibboleth is integrated into the user-friendly Sakai collaborative and learning environment which provides an ideal place for users to access a variety of federation resources in line with the Shibboleth authentication model. Secondly, PERMIS technology is used to enhance the authorization mechanisms thus enabling a policy-driven, role-based, fine-grained access control. As a result, the security infrastructure presents the advantages of Guanxi Shibboleth, PERMIS and Sakai, and it has been applied to e-Social Science application. We believe this security infrastructure provides a promising authentication and authorization solution for e-social science applications as well as applications in other domains.

Wei Jie,Alistair Young,Junaid Arshad,June Finch,Rob Procter,Andy Turner

2008-01-01

Abstract:An e-Social Science infrastructure generally has security requirements to protect their restricted resources or services. As a widely accepted authentication and authorization technology, Shibboleth supports the sharing of resources on interinstitutional federation. Guanxi is an open source implementation of the Shibboleth protocol and architecture. In this paper, we propose a security infrastructure for e-social science based on the Guanxi Shibboleth. This security infrastructure presents two main features. Firstly, Guanxi Shibboleth is integrated into the user-friendly Sakai collaborative and learning environment which provides an ideal place for users to access a variety of federation resources in line with the Shibboleth authentication model. Secondly, PERMIS technology is used to enhance the authorization mechanisms thus enabling a policy-driven, role-based, fine-grained access control. As a result, the security infrastructure presents the advantages of Guanxi Shibboleth, PERMIS and Sakai, and it has been applied to e-Social Science application. We believe this security infrastructure provides a promising authentication and authorization solution for e-social science applications as well as applications in other

Yi-qun Zhu,Jian-hua Li,Quan-hai Zhang

DOI: https://doi.org/10.5220/0002100404710474

2006-01-01

Abstract:A key challenge in Web services security is the design of effective access control schemes that can adequately satisfy Web services security requirements. Despite the recent advances in Web based access control, there remain issues that impede the development of effective access control models for Web services environments. One of them is the lacks of dynamic role management and attributes access control for Web services. In this paper, we present a dynamic attribute-based role-based access control model (DARBAC) to address the issues. The proposed approach introduces authorization group, which is used to dynamically manages roles and privileges, and attribute based access control mechanism which is used to protect the services and services parameters. We outline the configuration mechanism needed to apply our model to the Web services environments.

Tian-cheng LIU,Ming-hui ZHOU,Lei ZHU,Hong MEI

DOI: https://doi.org/10.3321/j.issn:0469-5097.2005.z1.034

2005-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:Introducing the concepts of trust management into middleware helps resolving the problem of permission delegation and authorization in distributed environments. But it also takes notable performance overhead. After analyzing and improve the search algorithm of delegation chains, this paper proposes a method to trading off between system security and performance, which adapts trust level valve to decrease the request latency. Based on reflective middleware, a permission management framework of trading off is presented. This paper also presents the framework implementation on PKUAS, a J2EE-compliant middleware product and the experimental validation.

Jian Zhou,Yong Yu,Lei Zhang,Chenxi Lin,Yin Yang

DOI: https://doi.org/10.1007/978-3-540-31849-1_58

2005-01-01

Abstract:With the explosive emerged Web services, the Web becomes a world of information and applications. So portals whose goal is presenting a structured view onto the Web should provide users with a single point access to multiple types of not only information but also services. Recently, many systems have been developed using ontology-driven approaches to automatically generate and manage Web portals. However, all of them lack the integration of Web services. In this paper, we describe SPortS, an OWL-DL(Web Ontology Language-Description Logics) based portal generation system that integrates semantic Web services into generated portals at the presentation level, the data level and the function level. We present the portal generation process, the query decomposition and the service recommendation algorithms through which semantic Web services are integrated tightly into the generated portal.

Dimitrios Kallergis,Zacharenia Garofalaki,Georgios Katsikogiannis,Christos Douligeris

DOI: https://doi.org/10.1016/j.adhoc.2020.102153

2020-04-30

Abstract:The microservices architectural approach has important benefits regarding the agile applications' development and the delivery of complex solutions. However, to convey the information and share the data amongst services in a verifiable and stateless way, there is a need to enable appropriate access control methods and authorisations. In this paper, we study the use of policy-driven authorisations with independent fine-grained microservices in the case of a real-world machine-to-machine (M2M) scenario using a hybrid cloud-based infrastructure and Internet of Things (IoT) services. We also model the authentication flows which facilitate the message exchanges between the involved entities, and we propose a containerised authorisation and policy-driven architecture (CAPODAZ) using the microservices paradigm. The proposed architecture implements a policy-based management framework and integrates in an on-going work regarding a Cloud-IoT intelligent transportation service. For the in-depth quantitative evaluation, we treat multiple distributions of users' populations and assess the proposed architecture against other similar microservices. The numerical results based on the experimental data show that there exists significant performance preponderance in terms of latency, throughput and successful requests.

Networking and Internet Architecture,Cryptography and Security,Distributed, Parallel, and Cluster Computing

Feng Xiang,Gan Ling,Ni Kai,Zhang Chao

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.10.022

2007-01-01

Abstract:Authorization access control is an essential and important module in MIS.Traditional authorization control needs to be improved on coupling and reusability.A Web service based authorization access control method is designed.By abstracting the basic functions in the field of authorization access control,and setting the authorization intonation into a five-tuple table in database,the functions of authorizatin access control are separated.The authorization access control method is made to run as Web Service,and thus the model is of low coupling,high reusability,and can be easily used in different applications running on isomerism environment.