Abstract
Role based access control promises a more flexible form of access control for distributed systems. Rather than basing access solely on the identity of a principal the decision also takes into account the roles that the principal currently holds. We present a distributed architecture that supports the OASIS role based access control model. The OASIS model is based on certificates held by the client and validated by credential records held by servers. We wish to replicate and distribute the credential records to support high availability and reduce latency for certificate validation. Protocols are presented for maintaining replicated credential databases and coping with both server and network failures.
The work described here was undertaken while John H. Hine was a visiting research fellow in the Computer Laboratory, Cambridge University. The work was supported by the U.K. Engineering and Physical Sciences Research Council, grant no. GR/M37592.
Walt Yao was supported by the U.K. Engineering and Physical Sciences Research Council, grant no. GR/M75686.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
L. Alvisi, B. Hoppe, and K. Marzullo. Non-blocking and orphan-free message logging protocols. 23rd Int. Conf. on Fault-Tolerant Computing (FTCS-23), pages 145–154, 1993. 115, 119
David F. Ferraiolo, John F. Barkley, and D. Richard Kuhn. A role-based access control model and reference implementation within a corporate intranet. ACM Transactions on Information and System Security, 2(1):34–64, Feb 1999. 104
S. Floyd, V. Jacobson, and S. McCanne. A Reliable Multicast Framework for Light-weight Sessions and Application Level Framing. In Proc. of the 1995 ACM SIGCOMM Conference, pages 342–356, Cambridge, MA, Aug 1995. 113
Richard Hayton. OASIS An Open Architecture for Secure Interworking Services. PhD thesis, Computer Laboratory, University of Cambridge, Mar 1995. 104, 105
Richard Hayton, Jean Bacon, and Ken Moody. Oasis: Access control in an open, distributed environment. In Proc. of IEEE Symposium on Security and Privacy, pages 3–14, Oakland, CA, May 1998. IEEE. 104, 105, 106
D. B. Johnson and W. Zwaenepoel. Sender-based message logging. 17th Int. Symp. on Fault-Tolerant Computing, pages 14–19, 1987. 119
B. W. Lampson. Protection. In Proc. Fifth Princeton Symposium on Information Sciences and Systems, pages 437–443, March 1971. reprinted in Operating Systems Review, 8, 1 (Jan. 1974) pp. 417–429. 104
Tobin J. Lehman and Michael J. Carey. A recovery algorithm for a high-performance memory-resident database system. In Proceedings of ACM SIGMOD Annual Conference on Management of Data, San Francisco, May 1987. ACM. 113
R.M. Needham and M.D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, Dec 1978. 109
Matunda Nyanchama and Sylvia Osborn. The role graph model and conflict of interest. ACM Transactions on Information and System Security, 2(1):3–33, Feb 1999. 104
J. H. Saltzer. Naming and binding of objects. In R. Bayer, R.M. Graham, and G. Seegmuller, editors, Operating Systems, An Advanced Course, pages 99–208. Springer-Verlag, Berlin, 1979. 104
Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. Role-based access control models. IEEE Computer, 29(2):38–47, Feb 1996. 104
F. B. Schneider. Implementing fault-tolerant services using the state machine approach: A tutorial. ACM Computing Surveys, 22(4):299–319, Dec 1990. 115
J.G. Steiner, C. Neuman, and J.I. Schiller. Kerberos: An authentication service for open network systems. In USENIX, Dallas, TX, 1988. Uniforum. 107
Gene Tsudik. Message authentication with one-way hash functions. In IEEE Infocom 1992. IEEE Press, May 1992. 108
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2000 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hine, J.H., Yao, W., Bacon, J., Moody, K. (2000). An Architecture for Distributed OASIS Services. In: Sventek, J., Coulson, G. (eds) Middleware 2000. Middleware 2000. Lecture Notes in Computer Science, vol 1795. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45559-0_6
Download citation
DOI: https://doi.org/10.1007/3-540-45559-0_6
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-67352-1
Online ISBN: 978-3-540-45559-2
eBook Packages: Springer Book Archive