Building a Distributed Semantic-aware Security Architecture

  • Jan Kolter
  • Rolf Schillinger
  • Günther Pernul
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


Enhancing the service-oriented architecture paradigm with semantic components is a new field of research and the goal of many ongoing projects. The results lead to more powerful web applications with less development effort and better user support. While some of these advantages are without doubt novel, new security challenges and opportunities arise as well. In this paper we introduce a security architecture built into a semantic service-oriented architecture. Focusing on an attribute-based access control approach, we present an access control model that facilitates semantic attribute matching and ontology mapping. Furthermore, our security architecture is capable of moving the Policy Decision Point (PDP) from the service provider to different locations in the platform, eliminating the need to disclose privacy-sensitive user attributes to the service provider. Taking into account the privacy preferences of the user and the trust settings of the service provider, our approach allows a PDP to be selected dynamically. With more advanced trusted computing technology in the future it will be possible to place the PDP on the user's side, reaching a maximum level of privacy.
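The abstract names two mechanisms without showing them: matching attributes across different vocabularies through ontology mapping, and choosing where the PDP runs from the user's disclosure preferences and the provider's trust settings. The Python below is an added illustration of how those two steps can fit together in one decision path; it is not code from the paper or from the Access-eGov platform. The ontology map, the rule operators, the ranking of PDP locations by disclosure, and the preference and trust structures are all constructed assumptions for this example.

```python
"""Added illustration: ABAC with ontology mapping plus PDP placement selection.
Not the paper's code; every name, policy and mapping here is constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed ontology mapping: attribute names used by different parties are
# mapped onto one canonical concept each (a stand-in for ontology mapping).
# Unknown names pass through unchanged; if two raw keys map to the same
# concept, the later one wins, which a real mapper would have to resolve.
ONTOLOGY_MAP = {
    "citizenship": "nationality",
    "country_of_citizenship": "nationality",
    "nationality": "nationality",
    "dob": "birth_date",
    "birth_date": "birth_date",
    "city": "residence",
    "residence": "residence",
}


def canonicalize(attrs: dict) -> dict:
    """Rename subject attributes to canonical concepts before matching."""
    return {ONTOLOGY_MAP.get(name, name): value for name, value in attrs.items()}


@dataclass(frozen=True)
class Rule:
    attribute: str   # canonical concept name
    op: str          # "eq", "ge" or "in" (constructed operator set)
    value: object


def rule_holds(rule: Rule, attrs: dict) -> bool:
    """A rule on an attribute the subject does not present never holds."""
    if rule.attribute not in attrs:
        return False
    v = attrs[rule.attribute]
    if rule.op == "eq":
        return v == rule.value
    if rule.op == "ge":
        return v >= rule.value
    if rule.op == "in":
        return v in rule.value
    raise ValueError(f"unknown operator {rule.op!r}")


def evaluate(policy: list, subject_attrs: dict) -> bool:
    """Permit only if every rule of the policy holds (deny by default)."""
    attrs = canonicalize(subject_attrs)
    return all(rule_holds(r, attrs) for r in policy)


# Lower rank = fewer parties see the attributes (assumed ordering).
PRIVACY_RANK = {"user": 0, "third_party": 1, "provider": 2}


@dataclass(frozen=True)
class PdpLocation:
    name: str
    party: str            # "user", "third_party" or "provider"
    attested: bool = False  # platform attestation available (trusted computing)


@dataclass
class UserPreferences:
    # canonical attribute -> parties the user allows it to be sent to
    disclosure: dict


@dataclass
class ProviderTrust:
    accepted: set                                      # parties whose PDP decisions are accepted
    require_attestation: set = field(default_factory=set)  # parties accepted only if attested


def select_pdp(candidates: list, policy: list, prefs: UserPreferences,
               trust: ProviderTrust) -> Optional[PdpLocation]:
    """Pick the most privacy-preserving PDP that both parties accept, or None."""
    needed = {r.attribute for r in policy}
    eligible = []
    for pdp in candidates:
        if pdp.party not in trust.accepted:
            continue
        if pdp.party in trust.require_attestation and not pdp.attested:
            continue
        # Attributes never leave the user when the PDP runs on the user side;
        # elsewhere every attribute the policy needs must be releasable there.
        if pdp.party != "user" and not all(
                pdp.party in prefs.disclosure.get(a, set()) for a in needed):
            continue
        eligible.append(pdp)
    if not eligible:
        return None
    return min(eligible, key=lambda p: PRIVACY_RANK[p.party])


def decide(candidates, policy, prefs, trust, subject_attrs):
    """Return (pdp name, decision); (None, False) if no PDP placement is acceptable."""
    pdp = select_pdp(candidates, policy, prefs, trust)
    if pdp is None:
        return None, False
    return pdp.name, evaluate(policy, subject_attrs)


# Constructed scenario: a service for local residents of a German or Austrian nationality.
POLICY = [Rule("nationality", "in", {"DE", "AT"}), Rule("residence", "eq", "Regensburg")]
CANDIDATES = [
    PdpLocation("user-agent-pdp", "user", attested=False),
    PdpLocation("egov-broker-pdp", "third_party", attested=True),
    PdpLocation("provider-pdp", "provider"),
]
PREFS = UserPreferences({"nationality": {"third_party", "provider"},
                         "residence": {"third_party"}})
TRUST = ProviderTrust(accepted={"user", "third_party", "provider"},
                      require_attestation={"user"})

if __name__ == "__main__":
    subject = {"citizenship": "DE", "city": "Regensburg", "dob": "1980-01-01"}
    print(decide(CANDIDATES, POLICY, PREFS, TRUST, subject))
```

In the constructed scenario the user-side PDP is rejected because the provider only trusts a user-side decision from an attested platform, and the provider's own PDP is rejected because the user will not release the residence attribute to the provider, so the decision lands at the attested third-party PDP. Replacing the user-side candidate with an attested one moves the decision to the user's side, which is the end state the abstract describes.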


Keywords: Access Control; Access Control Model; Security Architecture; Policy Decision Point; Privacy Preference



Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Jan Kolter (1)
  • Rolf Schillinger (1)
  • Günther Pernul (1)
  1. Department of Information Systems, University of Regensburg, Regensburg
