xESB: An Enterprise Service Bus for Access and Usage Control Policy Enforcement

  • Gabriela Gheorghe
  • Stephan Neuhaus
  • Bruno Crispo
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 321)


Enforcing complex policies that span organizational domains is an open challenge. Current work on SOA policy enforcement splits security into logical components that can be distributed across domains, but offers no concrete solution for integrating this security functionality so that it works across security services for organization-wide policies. In this paper, we propose xESB, an enhanced version of an Enterprise Message Bus (ESB), in which we monitor and enforce preventive and reactive policies, both for access control and for usage control, and both inside one domain and between domains. In addition, we introduce indicators that help SOA administrators assess the effectiveness of their policies. Our performance measurements show that policy enforcement at the ESB level comes with only moderate penalties.
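The abstract names four distinctions that are easy to blur: access control versus usage control, preventive versus reactive enforcement, intra- versus cross-domain traffic, and effectiveness indicators. The following toy bus is an added illustration of those concepts, written for this page; it is not xESB's code, policy language or API, and every policy, message, service name and domain in it is constructed. Because every message crosses the bus, one interception point evaluates all policies whatever domain the endpoints live in: preventive policies deny a message before delivery, reactive ones let it through but record the violation and raise an obligation, and per-policy counters feed a simple hit-rate indicator.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Message:
    sender: str        # calling service or principal (constructed names below)
    from_domain: str   # organisational domain the message originates from
    to_domain: str     # domain of the invoked service
    target: str        # invoked operation, e.g. "payroll.read"
    payload: dict


@dataclass
class Policy:
    name: str
    kind: str          # "access" (who may invoke what) or "usage" (how data/ops may be used)
    mode: str          # "preventive": deny before delivery; "reactive": deliver, then react
    applies: Callable[[Message, dict], bool]    # is the policy relevant to this message?
    permits: Callable[[Message, dict], bool]    # is the policy's condition satisfied?
    reaction: Optional[Callable[[Message, dict], str]] = None  # obligation for reactive mode


class PolicyEnforcingBus:
    """Hypothetical bus: all traffic passes through send(), so policies are
    evaluated at one choke point for intra- and cross-domain messages alike."""

    def __init__(self, policies):
        self.policies = policies
        self.state = {"uses": Counter()}   # usage history: (sender, target) -> count
        self.delivered = []
        self.obligations = []
        self.counts = Counter()            # (policy, event) -> number; feeds indicators()

    def send(self, msg: Message):
        for p in self.policies:
            if not p.applies(msg, self.state):
                continue
            self.counts[(p.name, "evaluated")] += 1
            if p.permits(msg, self.state):
                continue
            if p.mode == "preventive":
                self.counts[(p.name, "denied")] += 1
                return ("denied", p.name)
            # reactive: the message still goes through, but the violation is
            # counted and the policy's obligation is queued for follow-up
            self.counts[(p.name, "violated")] += 1
            self.obligations.append(p.reaction(msg, self.state))
        self.state["uses"][(msg.sender, msg.target)] += 1   # usage history grows on delivery
        self.delivered.append(msg)
        return ("delivered", None)

    def indicators(self):
        """Per-policy effectiveness indicator: how often a policy was relevant and
        how often it fired. A policy with zero evaluations is dead weight; one
        that fires on every evaluation is probably misconfigured or being probed."""
        out = {}
        for p in self.policies:
            evaluated = self.counts[(p.name, "evaluated")]
            hits = self.counts[(p.name, "denied")] + self.counts[(p.name, "violated")]
            out[p.name] = {"evaluated": evaluated, "hits": hits,
                           "hit_rate": (hits / evaluated) if evaluated else None}
        return out


# Constructed policies, one per combination the abstract mentions.
POLICIES = [
    # access control, preventive: only the HR application may read payroll data
    Policy("payroll-access", "access", "preventive",
           applies=lambda m, s: m.target.startswith("payroll."),
           permits=lambda m, s: m.sender == "hr-app"),
    # usage control, preventive: each sender may run a CRM export at most twice
    Policy("export-quota", "usage", "preventive",
           applies=lambda m, s: m.target == "crm.export",
           permits=lambda m, s: s["uses"][(m.sender, m.target)] < 2),
    # usage control, reactive: personal data leaving its domain without a consent
    # flag is delivered but must be reported to the data-protection officer
    Policy("cross-domain-pii", "usage", "reactive",
           applies=lambda m, s: bool(m.payload.get("pii")) and m.from_domain != m.to_domain,
           permits=lambda m, s: bool(m.payload.get("consent")),
           reaction=lambda m, s: f"notify-dpo:{m.sender}->{m.target}"),
]


def run_scenario():
    """Constructed traffic exercising every policy; returns the bus and per-message verdicts."""
    bus = PolicyEnforcingBus(POLICIES)
    results = [
        bus.send(Message("hr-app", "eu", "eu", "payroll.read", {})),        # delivered
        bus.send(Message("marketing", "eu", "eu", "payroll.read", {})),     # denied: access
        bus.send(Message("sales", "eu", "eu", "crm.export", {})),           # 1st export ok
        bus.send(Message("sales", "eu", "eu", "crm.export", {})),           # 2nd export ok
        bus.send(Message("sales", "eu", "eu", "crm.export", {})),           # 3rd denied: quota
        bus.send(Message("sales", "eu", "us", "crm.read", {"pii": True})),  # delivered + obligation
        bus.send(Message("sales", "eu", "us", "crm.read", {"pii": True, "consent": True})),
    ]
    return bus, results


if __name__ == "__main__":
    bus, results = run_scenario()
    for r in results:
        print(r)
    print(bus.obligations)
    print(bus.indicators())
```

The usage-control quota is the one place where order matters: the bus updates the usage history only after a message is delivered, so a denied export does not consume quota. The reactive policy shows why a bus-level enforcer also needs an obligation queue: the violation is visible to the administrator even though nothing was blocked.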


Keywords: Policy Language, Security Policy, Usage Control, Access Control Policy, Policy Enforcement



Copyright information

© IFIP 2010

Authors and Affiliations

  • Gabriela Gheorghe (1)
  • Stephan Neuhaus (1)
  • Bruno Crispo (1)

  1. Università degli Studi di Trento, Trento, Italy
