An Authorization Architecture for Web Services

  • Sarath Indrakanti
  • Vijay Varadharajan
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3654)


This paper considers the authorization service requirements for the service oriented architecture and proposes an authorization architecture for Web services. It describes the architectural framework, the administration and runtime aspects of our architecture, and its components for secure authorization of Web services, as well as the support for the management of authorization information. The proposed architecture has several benefits. It is able to support legacy applications exposed as Web services as well as new Web service based applications built to leverage the benefits offered by the service oriented architecture. It can support multiple access control models and mechanisms, is decentralized and distributed, and provides flexible management and administration of Web services and related authorization information. The proposed architecture can be integrated into existing middleware platforms to provide enhanced security to exposed Web services. The architecture is currently being implemented within the .NET framework.



Copyright information

© IFIP International Federation for Information Processing 2005

Authors and Affiliations

  • Sarath Indrakanti (1)
  • Vijay Varadharajan (1)
  1. Information and Networked Systems Security Research, Department of Computing, Macquarie University, Sydney, Australia
