From ASTD Access Control Policies to WS-BPEL Processes Deployed in a SOA Environment

  • Michel Embe Jiague
  • Marc Frappier
  • Frédéric Gervais
  • Régine Laleau
  • Richard St-Denis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6724)


Controlling access to Web services of public agencies as well as private corporations primarily depends on specification and deployment of functional security rules in order to satisfy strict regulations imposed by governments, particularly in financial and health sectors. This paper focuses on one aspect of the SELKIS and EB3SEC projects related to security of Web-based information systems, namely the automatic transformation of security rules, instantiated from security rule patterns written in a graphical notation with a denotational semantics close to statecharts, into WS-BPEL (or BPEL for short) processes. The latter are executed by a BPEL engine integrated into a policy decision point, a component of a policy enforcement manager similar to the one proposed in the XACML standard.


Access control policy security rule policy decision point ASTD EB3SEC BPEL transformation SOA 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Basin, D.A., Burri, S.J., Karjoth, G.: Dynamic enforcement of abstract separation of duty constraints. In: 14th European Symposium on Research in Computer Security, pp. 250–267 (2009)Google Scholar
  2. 2.
    Konopacki, P., Frappier, M., Laleau, R.: Expressing access control policies with an event-based approach. Technical Report TR-LACL-2010-6, LACL (Laboratory of Algorithms, Complexity and Logic), University of Paris-Est (2010)Google Scholar
  3. 3.
    Konopacki, P., Frappier, M., Laleau, R.: Modélisation de politiques de sécurité à l’aide d’une algèbre de processus. RSTI - Ingénierie des systèmes d’information 15(3), 113–136 (2010)Google Scholar
  4. 4.
    Yao, W., Moody, K., Bacon, J.: A model of OASIS role-based access control and its support for active security. In: 6th ACM Symposium on Access Control Models and Technologies, pp. 171–181 (2001)Google Scholar
  5. 5.
    Harel, D.: Statecharts: A visual formalism for complex systems. Science of Computer Programming 8(3), 231–274 (1987)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Milhau, J., Frappier, M., Gervais, F., Laleau, R.: Systematic translation rules from astd to event-B. In: Méry, D., Merz, S. (eds.) IFM 2010. LNCS, vol. 6396, pp. 245–259. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  7. 7.
    Abrial, J.R.: Modeling in Event-B. Cambridge University Press, Cambridge (2010)CrossRefzbMATHGoogle Scholar
  8. 8.
    Frappier, M., Gervais, F., Laleau, R., Fraikin, B.: Algebraic state transition diagrams. Technical Report 24, Département d’informatique, Université de Sherbrooke (2008)Google Scholar
  9. 9.
    OASIS: eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS (2005)Google Scholar
  10. 10.
    Embe Jiague, M., Frappier, M., Gervais, F., Konopacki, P., Milhau, J., Laleau, R., St-Denis, R.: Model-driven engineering of functional security policies. In: International Conference on Enterprise Information Systems, vol. 3, pp. 374–379 (2010)Google Scholar
  11. 11.
    Frappier, M., Gervais, F., Laleau, R., Fraikin, B., St-Denis, R.: Extending statecharts with process algebra operators. Innovations in Systems and Software Engineering 4(3), 285–292 (2008)CrossRefGoogle Scholar
  12. 12.
    OASIS: Web Services Business Process Execution Language Version 2.0. OASIS (2007)Google Scholar
  13. 13.
    Aït-Sadoune, I., Aït-Ameur, Y.: Stepwise design of BPEL Web services compositions, an Event B refinement based approach. In: 8th ACIS International Conference on Software Engineering Research, Management and Applications, pp. 51–68 (2010)Google Scholar
  14. 14.
    Abrial, J.R., Butler, M., Hallerstede, S., Hoang, T.S., Mehta, F., Voisin, L.: Rodin: an open toolset for modelling and reasoning in Event-B. Software Tools for Technology Transfer 12(6), 447–466 (2010)CrossRefGoogle Scholar
  15. 15.
    INCITS: Role Base Access Control. ANSI (2004)Google Scholar
  16. 16.
    Sohr, K., Mustafa, T., Bao, X., Ahn, G.J.: Enforcing role-based access control policies in Web services with UML and OCL. In: 24th Annual Computer Security Applications Conference, pp. 257–266 (2008)Google Scholar
  17. 17.
    Kolundžija, M.: Security types for sessions and pipelines. In: Bruni, R., Wolf, K. (eds.) WS-FM 2008. LNCS, vol. 5387, pp. 175–190. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Boreale, M., Bruni, R., Nicola, R., Loreti, M.: Sessions and pipelines for structured service programming. In: 10th IFIP WG 6.1 International Conference on Formal Methods for Open Object-Based Distributed Systems, pp. 19–38 (2008)Google Scholar
  19. 19.
    Hassan, W., Slimani, N., Adi, K., Logrippo, L.: Secrecy UML method for model transformations. In: 2nd International Conference ABZ Short Papers, pp. 16–21 (2010)Google Scholar
  20. 20.
    Li, N., Wang, Q.: Beyond separation of duty: an algebra for specifying high-level security policies. In: 13th ACM Conference on Computer and Communications Security, pp. 356–369 (2006)Google Scholar
  21. 21.
    Hoare, C.A.R.: Communicating sequential processes. Communications of the ACM 21(8), 666–677 (1978)CrossRefzbMATHGoogle Scholar
  22. 22.
    Paci, F., Bertino, E., Crampton, J.: An access-control framework for WS-BPEL. International Journal of Web Services Research 5(3), 20–43 (2008)CrossRefGoogle Scholar
  23. 23.
    Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible support for multiple access control policies. ACM Transactions on Database Systems 26(2), 214–260 (2001)CrossRefzbMATHGoogle Scholar
  24. 24.
    Wong, P.Y.H., Gibbons, J.: A process-algebraic approach to workflow specification and refinement. In: Software Composition, pp. 51–65 (2007)Google Scholar
  25. 25.
    van der Aalst, W.M.P.: The application of Petri nets to workflow management. The Journal of Circuits, Systems and Computers 8(1), 21–66 (1998)CrossRefGoogle Scholar
  26. 26.
    Massuthe, P., Reisig, W., Schmidt, K.: An operating guideline approach to the SOA. Annals of Mathematics, Computing & Teleinformatics 1, 35–43 (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Michel Embe Jiague
    • 1
    • 2
  • Marc Frappier
    • 1
  • Frédéric Gervais
    • 2
  • Régine Laleau
    • 2
  • Richard St-Denis
    • 1
  1. 1.GRIL, Département d’informatiqueUniversité de SherbrookeSherbrookeCanada
  2. 2.LACL, IUT Sénart Fontainebleau, Département InformatiqueUniversité Paris-EstFontainebleauFrance

Personalised recommendations