Scalable Authorization Middleware for Service Oriented Architectures

  • Tom Goovaerts
  • Lieven Desmet
  • Wouter Joosen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6542)


The correct deployment and enforcement of expressive attribute-based access control (ABAC) policies in large distributed systems is a significant challenge. The enforcement of such policies requires policy-dependent collaborations between many distributed entities. In existing authorization systems, such collaborations are static and must be configured and verified manually by administrators. This approach does not scale to large and more dynamic application infrastructures in which frequent changes to policies and applications occur. As such, configuration mistakes or application changes might suddenly make policies unenforceable, which typically leads to severe service disruptions.

We present a middleware for distributed authorization. The middleware provides a single administration point that enables the configuration and reconfiguration of application- and policy-dependent interactions between policy enforcement points (PEPs), policy decision points (PDPs) and policy information points (PIPs). Using lifecycle and dependency management, the architecture guarantees that configurations are consistent with respect to deployed policies and applications, and that they remain consistent as reconfigurations occur. Extensive performance evaluation shows that the runtime and configuration overhead of the middleware scale with the size and complexity of the infrastructure and that reconfigurations cause minimal disruption to the involved applications.
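As an added illustration (not the paper's code), the following Python sketch models the consistency guarantee the abstract describes: a hypothetical administration point records which policies each PEP enforces and which attributes each PIP supplies, reports any deployed policy that has become unenforceable, and refuses a reconfiguration that would break one. All class names, attribute names and the sample infrastructure are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    name: str
    required_attrs: frozenset  # attributes a PDP needs from PIPs to evaluate it

@dataclass
class Deployment:
    """Hypothetical model of the PEP/PDP/PIP wiring an administration point tracks."""
    pep_policies: dict = field(default_factory=dict)  # PEP name -> [Policy, ...] it enforces
    pip_attrs: dict = field(default_factory=dict)     # PIP name -> {attributes it supplies}

    def unenforceable(self):
        """Return {(pep, policy name): missing attributes} for every deployed
        policy whose required attributes no deployed PIP can supply."""
        provided = set().union(*self.pip_attrs.values())
        problems = {}
        for pep, policies in self.pep_policies.items():
            for pol in policies:
                missing = pol.required_attrs - provided
                if missing:
                    problems[(pep, pol.name)] = missing
        return problems

    def is_consistent(self):
        return not self.unenforceable()

    def remove_pip(self, pip):
        """Reconfiguration step: apply the change only if no deployed policy
        becomes unenforceable; return whether it was applied."""
        remaining = {k: v for k, v in self.pip_attrs.items() if k != pip}
        if Deployment(self.pep_policies, remaining).unenforceable():
            return False  # refused: the old, consistent configuration stays in force
        self.pip_attrs = remaining
        return True

# Constructed sample infrastructure (not taken from the paper).
DOC_POLICY = Policy("doc-access", frozenset({"subject.role", "resource.owner"}))
GEO_POLICY = Policy("geo-restrict", frozenset({"subject.location"}))

def sample_deployment():
    return Deployment(
        pep_policies={"pep-docservice": [DOC_POLICY, GEO_POLICY]},
        pip_attrs={"pip-ldap": {"subject.role"}, "pip-docdb": {"resource.owner"},
                   "pip-geo": {"subject.location"}},
    )
```

Removing `pip-geo` is refused because `geo-restrict` would lose its only source of `subject.location`, which is exactly the kind of silent "policy became unenforceable" failure the abstract warns about.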


Keywords: attribute-based access control, policy enforcement, policy deployment, middleware, service-oriented architectures





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Tom Goovaerts (1)
  • Lieven Desmet (1)
  • Wouter Joosen (1)

  1. IBBT-Distrinet, Katholieke Universiteit Leuven, Leuven, Belgium
