Towards the Aggregation of Security Requirements in Cross-Organisational Service Compositions

  • Michael Menzel
  • Christian Wolter
  • Christoph Meinel
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 7)


The seamless composition of independent services is one of the success factors of Service-oriented Architectures (SOA). Services are orchestrated into service compositions across organisational boundaries to enable a faster reaction to changing business needs. Each orchestrated service might demand the provision of specific user information and require particular security mechanisms. To enable a dynamic selection of services provided by foreign organisations, a central management of static security policies is not appropriate. Instead, each service should express its own security requirements as policies that stipulate explicitly the requirements of the composition. In this paper we address the problem of aggregating security requirements from orchestrated services. Such an aggregation is not just the combination of all security requirements, since dependencies and conflicts between these requirements might exist. We provide a classification of these dependencies and introduce a conceptual security model enabling a classification of security requirements to reveal conflicts. Finally, we propose an approach to determine an aggregation of security requirements in cross-organisational service compositions.


SOA, Service Composition, Security, Security Policy





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Michael Menzel (1)
  • Christian Wolter (2)
  • Christoph Meinel (1)
  1. Hasso-Plattner-Institute, University of Potsdam, Germany
  2. SAP Research, CEC Karlsruhe, Germany
