Enforcing UCON Policies on the Enterprise Service Bus

  • Gabriela Gheorghe
  • Paolo Mori
  • Bruno Crispo
  • Fabio Martinelli
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6427)


In enterprise applications, regulatory and business policies are shifting their semantics from access control to usage control requirements. The aim of such policies is to constrain the usage of groups of resources based on complex conditions that require not only state-keeping but also automatic reaction to state changes. We argue that these policies instantiate usage control requirements that can be enforced at the infrastructure layer. Extending a policy language that we prove equivalent to an enhanced version of the UCON model, we build on an instrumented message bus to enact these policies.


Keywords: Usage control model, message bus, policy enforcement, SOA





Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Gabriela Gheorghe (1)
  • Paolo Mori (2)
  • Bruno Crispo (1)
  • Fabio Martinelli (2)
  1. University of Trento, Italy
  2. IIT CNR, Pisa, Italy
