Towards a MOF/QVT-Based Domain Architecture for Model Driven Security

  • Michael Hafner
  • Muhammad Alam
  • Ruth Breu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4199)


The Sectet-framework realizes an extensible domain architecture for the collaborative development and management of security-critical, inter-organizational workflows. Models integrate security requirements at the abstract level and are rendered in a visual language based on UML 2.0. The models form the input for a chain of integrated tools that transform them into artefacts configuring security components of a Web services-based architecture. Based on findings of various projects, this contribution has three objectives. First, we detail the MOF based metamodels defining a domain specific language for the design of inter-organizational workflows. The language supports various categories of security patterns. We then specify model-to-model transformations based on the MDA standard MOF-QVT. The mappings translate platform independent models into platform specific artefacts targeting the reference architecture. Third, we exemplarily show how model-to-code transformation could be implemented with an MDA-framework like openArchitectureWare.


Security Requirement Domain Architecture Reference Architecture Domain Specific Language Model Drive Architecture 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Mukerji, I., Miller, J.: Overview and guide to OMG’s architecture (2003)Google Scholar
  2. 2.
    Newcomer, E., Lomow, G.: Understanding Service-Oriented Architecture (SOA) with Web Services. Addison Wesley, Reading (2005)Google Scholar
  3. 3.
    Weerawarana, S., et al.: Web Services Platform Architecture: SOAP, WSDL, WS-Policy, WS-Addressing, WS-BPEL, WS-Reliable Messaging, and More. Prentice Hall PTR, Englewood Cliffs (2005)Google Scholar
  4. 4.
    Aalst, W.M.P.v.d.: Formalization and Verification of Event-driven Process Chains. Information and Software Technology 41, 639–650 (1999)CrossRefGoogle Scholar
  5. 5.
    Clark, J.: XSL Transformations (XSLT) Version 1.0, World Wide Web Consortium, W3C Recommendation November 16 (1999)Google Scholar
  6. 6.
    OMG, MOF QVT Final Adopted Specification (2005)Google Scholar
  7. 7.
    A. X12, ASC X12 Reference Model for XML Design, ANSI ASC X12C Communications and Controls Subcommittee, Technical Report Type II - ASC X12C/TG3/2002 (July 2002)Google Scholar
  8. 8.
    Godik, S., Moses, T.: eXtensible Access Control Markup Language (XACML) Version 1.0 3 (2003)Google Scholar
  9. 9.
    Anderson, A.: XACML Profile for Role Based Access Control (RBAC), OASIS (2004)Google Scholar
  10. 10.
    Harmon, P.: The OMG’s Model Driven Architecture and BPM, Business Process Trends, Newsletter (May 2004),
  11. 11.
    Atluri, V., Huang, W.K.: Enforcing Mandatory and Discretionary Security in Workflow Management Systems. In: Proceedings of the 5th European Symposium on Research in Computer Security (1996)Google Scholar
  12. 12.
    Gudes, E., Olivier, M., Riet, R.v.d.: Modelling, Specifying and Implementing Workflow Security in Cyberspace. Journal of Computer Security 7(4), 287–315 (1999)Google Scholar
  13. 13.
    Huang, W.K., Atluri, V.: SecureFlow: A secure Web-enabled Workflow Management System. In: ACM Workshop on Role-Based Access Control 1999, pp. 83–94 (1999)Google Scholar
  14. 14.
    Wainer, J., Barthelmess, P., Kumar, A.: W-RBAC A Workflow Security Model Incorporating Controlled Overriding of Constraints. International Journal of Cooperative Information Systems 12(4), 455–485 (2003)CrossRefGoogle Scholar
  15. 15.
    Hall, A., Chapman, R.: Correctness by Construction: Developing a Commercial Secure System. IEEE Software 19 (2002)Google Scholar
  16. 16.
    Schumacher, M.: Security Engineering with Patterns. In: Origins, Theoretical Models, and New Applications, Springer, Berlin (2003)Google Scholar
  17. 17.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: 5th International Conference on the Unified Modeling Language (2002)Google Scholar
  18. 18.
    Jürjens, J.: Secure Systems Development with UML. Springer Academic Publishers, Hardcover (2004)Google Scholar
  19. 19.
    Mantell, K.: From UML to BPEL, IBM-developerWorks (2003)Google Scholar
  20. 20.
    IBM, Business Process Execution Language for Web Services JavaTM Run Time (BPWS4J), IBM (2002),
  21. 21.
    Jablonski, S., Bussler, C.: Workflow Management: Concepts, Architecture and Implementation: Int. Thompson Publishers (1996)Google Scholar
  22. 22.
    Edmond, D., Hofstede, A.H.M.t.: A Reflective Infrastructure for Workflow Adaptability. Data and Knowledge Engineering 34, 271–304 (2000)CrossRefMATHGoogle Scholar
  23. 23.
    Eder, J., Gruber, W.: A Meta Model for Structured Workflows Supporting Workflow Transformations. In: Manolopoulos, Y., Návrat, P. (eds.) ADBIS 2002. LNCS, vol. 2435, Springer, Heidelberg (2002)CrossRefGoogle Scholar
  24. 24.
    Müller, R.: Event-Oriented Dynamic Adaptation of Workflows, University of Leipzig, Germany (2002) Google Scholar
  25. 25.
    Hafner, M., Weber, B., Breu, R.: Model Driven Security for Inter-Organizational Workflows in E-Government. In: Mitrakas, A., Hengeveld, P., Polemi, D., Gamper, J. (eds.) Secure E-Government Web Services, Idea Group Inc., USA (2006)Google Scholar
  26. 26.
    Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P.: Security Patterns. Integrating Security and Systems Engineering. John Wiley and Sons Ltd, Chichester (2006)Google Scholar
  27. 27.
    Hafner, M., Breu, R., Agreiter, B., Nowak, A.: Sectet – An Extensible Framework for the Realization of Secure Inter-Organizational Workflows. In: Fourth International Workshop on Security in Information System (WOSIS 2006), Paphos, Cyprus (2006)Google Scholar
  28. 28.
    Hafner, M., Breu, R., Weber, B.: Model Driven Security for Inter-Organizational Workflows in E-Governement. Idea Group, Inc., USA (to appear, 2006)Google Scholar
  29. 29.
    Hafner, M., Breu, R., Breu, M., Nowak, A.: Modeling Inter-organizational Workflow Security in a Peer-to-Peer Environment. In: Proceedings of ICWS (2005)Google Scholar
  30. 30.
    Alam, M., Breu, R., Hafner, M.: Modeling permissions in a (U/X)ML world. In: ARES (accepted, 2006)Google Scholar
  31. 31.
    Alam, M., Breu, R., Breu, M.: Model Driven Security for Web Services (MDS4WS). In: INMIC 2004 IEEE 8th International Multi topic Conference. Digital Object Identifier 10.1109/INMIC.2004.1492930, pp. 498–505 (2004)Google Scholar
  32. 32.
    Hofstede, A.H.M.t., Dumas, M.: UML Activity Diagrams as a Workflow Specification Language. In: Gogolla, M., Kobryn, C. (eds.) UML 2001. LNCS, vol. 2185, Springer, Heidelberg (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Michael Hafner
    • 1
  • Muhammad Alam
    • 1
  • Ruth Breu
    • 1
  1. 1.Institut für InformatikUniversität InnsbruckInnsbruck

Personalised recommendations