Scalable Authorization Middleware for Service Oriented Architectures
The correct deployment and enforcement of expressive attribute-based access control (ABAC) policies in large distributed systems is a significant challenge. The enforcement of such policies requires policy-dependent collaborations between many distributed entities. In existing authorization systems, such collaborations are static and must be configured and verified manually by administrators. This approach does not scale to large and more dynamic application infrastructures in which frequent changes to policies and applications occur. As such, configuration mistakes or application changes might suddenly make policies unenforceable, which typically leads to severe service disruptions.
We present a middleware for distributed authorization. The middleware provides a single administration point that enables the configuration and reconfiguration of application- and policy-dependent interactions between policy enforcement points (PEPs), policy decision points (PDPs) and policy information points (PIPs). Using lifecycle and dependency management, the architecture guarantees that configurations are consistent with respect to deployed policies and applications, and that they remain consistent as reconfigurations occur. Extensive performance evaluation shows that the runtime and configuration overhead of the middleware scale with the size and complexity of the infrastructure and that reconfigurations cause minimal disruption to the involved applications.
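The abstract's central point is that policy enforcement depends on a web of PEP/PDP/PIP interactions, and that a configuration mistake or an application change can silently leave a deployed policy unenforceable. The following toy model (an added illustration, not the paper's middleware or its API) shows the dependency check that a single administration point can apply in both directions: a rule is only activated when every attribute it references has a registered PIP, and a PIP can only be withdrawn when no deployed rule still depends on it. The class names (`Registry`, `PIP`, `Rule`, `PDP`), the sample directory data and the two rules are all constructed for the example; the PDP additionally fails closed when an attribute is missing at evaluation time, which is a design choice of this example rather than something the abstract specifies.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Set

@dataclass
class Rule:
    """An ABAC rule: the attributes it needs plus a predicate over them."""
    name: str
    requires: Set[str]
    permits: Callable[[Dict[str, object]], bool]

@dataclass
class PIP:
    """A policy information point that declares which attributes it supplies."""
    name: str
    supplies: Set[str]
    lookup: Callable[[str], Dict[str, object]]

class UnenforceablePolicy(Exception):
    """A (re)configuration would leave a deployed rule without its attributes."""

class Registry:
    """Single administration point: tracks PIPs, rules and their dependencies (hypothetical)."""
    def __init__(self) -> None:
        self.pips: Dict[str, PIP] = {}
        self.rules: Dict[str, Rule] = {}

    def missing_for(self, rule: Rule, pips: Optional[Iterable[PIP]] = None) -> Set[str]:
        """Attributes the rule needs that no PIP in the given pool supplies."""
        pool = self.pips.values() if pips is None else pips
        return rule.requires - set().union(*(p.supplies for p in pool))

    def register_pip(self, pip: PIP) -> None:
        self.pips[pip.name] = pip

    def deploy_rule(self, rule: Rule) -> None:
        """Dependency check before activation: reject rules that cannot be evaluated."""
        missing = self.missing_for(rule)
        if missing:
            raise UnenforceablePolicy(f"{rule.name} needs {sorted(missing)}, no PIP supplies them")
        self.rules[rule.name] = rule

    def withdraw_pip(self, name: str) -> None:
        """Lifecycle check on reconfiguration: refuse removals that strand a deployed rule."""
        remaining = [p for n, p in self.pips.items() if n != name]
        broken = [r.name for r in self.rules.values() if self.missing_for(r, remaining)]
        if broken:
            raise UnenforceablePolicy(f"withdrawing {name} would break {broken}")
        del self.pips[name]

class PDP:
    """Decision point: resolves attributes through the registry's PIPs and fails closed."""
    def __init__(self, registry: Registry) -> None:
        self.registry = registry

    def decide(self, rule_name: str, subject: str) -> str:
        rule = self.registry.rules[rule_name]
        attrs: Dict[str, object] = {}
        for pip in self.registry.pips.values():
            attrs.update(pip.lookup(subject))
        if not rule.requires <= set(attrs):  # attribute missing at runtime: deny
            return "Deny"
        return "Permit" if rule.permits(attrs) else "Deny"

# Constructed sample attribute sources standing in for a real directory and clearance store.
HR_DIRECTORY = {"alice": {"role": "accountant", "department": "finance"},
                "bob": {"role": "engineer", "department": "platform"}}
CLEARANCES = {"alice": {"clearance": "secret"}, "bob": {"clearance": "none"}}
HR_PIP = PIP("hr", {"role", "department"}, lambda s: HR_DIRECTORY.get(s, {}))
CLEARANCE_PIP = PIP("clearance", {"clearance"}, lambda s: CLEARANCES.get(s, {}))
READ_PAYROLL = Rule("read-payroll", {"role", "department"},
                    lambda a: a["role"] == "accountant" and a["department"] == "finance")
READ_CLASSIFIED = Rule("read-classified", {"clearance"}, lambda a: a["clearance"] == "secret")

def demo() -> Dict[str, object]:
    """Deploy, evaluate, then attempt a reconfiguration that the registry must reject."""
    reg = Registry()
    reg.register_pip(HR_PIP)
    reg.deploy_rule(READ_PAYROLL)            # role and department are available
    try:
        reg.deploy_rule(READ_CLASSIFIED)     # nothing supplies "clearance" yet
        early_rejected = False
    except UnenforceablePolicy:
        early_rejected = True
    reg.register_pip(CLEARANCE_PIP)
    reg.deploy_rule(READ_CLASSIFIED)         # now consistent
    pdp = PDP(reg)
    try:
        reg.withdraw_pip("hr")               # would leave read-payroll unenforceable
        withdraw_rejected = False
    except UnenforceablePolicy:
        withdraw_rejected = True
    return {"early_deploy_rejected": early_rejected,
            "alice_payroll": pdp.decide("read-payroll", "alice"),
            "bob_payroll": pdp.decide("read-payroll", "bob"),
            "bob_classified": pdp.decide("read-classified", "bob"),
            "withdraw_hr_rejected": withdraw_rejected,
            "pips_after": sorted(reg.pips)}
```

Calling `demo()` walks through the three situations the abstract contrasts: a rule whose attribute sources are all present is activated, a rule deployed before its PIP exists is rejected at configuration time instead of failing at the first request, and removing a PIP that a live rule depends on is refused. In a real deployment the same two checks would run on every reconfiguration event rather than once at startup.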
Keywords: attribute-based access control, policy enforcement, policy deployment, middleware, service-oriented architectures