Incorporating Security Requirements into Service Composition: From Modelling to Execution

  • Andre R. R. Souza
  • Bruno L. B. Silva
  • Fernando A. A. Lins
  • Julio C. Damasceno
  • Nelson S. Rosa
  • Paulo R. M. Maciel
  • Robson W. A. Medeiros
  • Bryan Stephenson
  • Hamid R. Motahari-Nezhad
  • Jun Li
  • Caio Northfleet
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5900)

Abstract

Despite an increasing need for considering security requirements in service composition, the incorporation of security requirements into service composition is still a challenge for many reasons: no clear identification of security requirements for composition, absence of notations to express them, difficulty in integrating them into the business processes, complexity of mapping them into security mechanisms, and the inherent complexity of specifying and enforcing complex security requirements. We identify security requirements for service composition and define notations to express them at different levels of abstraction. We present a novel approach consisting of a methodology, called Sec-MoSC, to incorporate security requirements into service composition, map security requirements into enforceable mechanisms, and support execution. We have implemented this approach in a prototype tool by extending BPMN notation and building on an existing BPMN editor, BPEL engine and Apache Rampart. We showcase an illustrative application of the Sec-MoSC toolset.

Keywords

Business Process; Service Composition; Security Requirement; Composite Service; Configuration File
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Andre R. R. Souza (1)
  • Bruno L. B. Silva (1)
  • Fernando A. A. Lins (1)
  • Julio C. Damasceno (1)
  • Nelson S. Rosa (1)
  • Paulo R. M. Maciel (1)
  • Robson W. A. Medeiros (1)
  • Bryan Stephenson (2)
  • Hamid R. Motahari-Nezhad (2)
  • Jun Li (2)
  • Caio Northfleet (3)

  1. Centre of Informatics, Federal University of Pernambuco
  2. HP Labs, Palo Alto
  3. HP, Brazil