Trust-Based Security Model and Enforcement Mechanism for Web Service Technology

  • Seokwon Yang
  • Herman Lam
  • Stanley Y. W. Su
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2444)


The emerging Web service technology has enabled the development of Internet-based applications that integrate distributed and heterogeneous systems and processes owned by different organizations. Compared to centralized systems and client-server environments, the Web service environment is much more dynamic, and security for such an environment poses unique challenges. For example, an organization (e.g., a service provider or a service broker) cannot predetermine the users of its resources and fix their access privileges. Also, service providers come and go. The users of services must have some assurances about the services and the organizations that provide them. Thus, the enforcement of security constraints cannot be static and tightly coupled. The notion of a trust agreement must be established to delegate the responsibility of certifying unknown users, services, and organizations. In this paper, we describe a Trust-based Security Model (TSM) that incorporates the traditional security concepts (e.g., roles, resources, operations) with new security concepts that are specific to the Web service environment. The security concepts of TSM are then applied to the general Web service model to include security considerations. Finally, an event-driven, rule-based approach to the enforcement of security in a Web service environment is described.


Keywords: Service Provider, Service Requestor, Service Registry, Trust Management, Certificate Authority





Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Seokwon Yang, Herman Lam, Stanley Y. W. Su: Database Systems Research and Development Center, University of Florida, Gainesville
