Patent Grant
8977845
The present invention relates to service-oriented computing environments and, more particularly, to techniques for client authentication in such service-oriented computing environments.
Service-oriented Computing (SOC) has emerged as a widely accepted paradigm for building large and complex web applications. Recently, service-oriented architectures have been used to build several Internet based business applications. Web services have become a widely accepted standard-based instantiation of service-oriented computing as a viable platform for integrating scientific as well as business applications that operate in distributed and heterogeneous environments.
As is known, the World Wide Web Consortium (W3C) defines a web service as a software system designed to support interoperable machine to machine interaction over a network. Web services are frequently merely web application programming interfaces (APIs) that can be accessed over a network, such as the Internet, and executed on a remote system hosting the requested services. The W3C web service definition encompasses many different systems, but in common usage the term refers to clients and servers that communicate Extensible Markup Language (XML) messages that follow the Simple Object Access Protocol (SOAP) standard.
In this setting, service composition has been heavily used for implementing complex, massively distributed applications that span multiple autonomous organizations. Hence, it becomes very important to be able to control the security properties of such compositions in order to guarantee security in such applications.
The goal of an access control model in a web service application is to answer the following yes or no question: can a principle P invoke a method M on service S? In an application built using service composition it is difficult to define the calling principle P since the request might have propagated along multiple hops (through different principles and services). For instance, consider a supply chain management (SCM) application composed of three entities: customers, a retailer system and a manufacturer system. A retailer system may include a retail manager role and a composition of three services: a retail service, a warehouse service and a database service. In a SCM application, we need to distinguish a retail manager accessing the database service through the retail service and a retail manager accessing the database service through the warehouse service. While the former may have retail manager-like privileges on the database service, the later may have only employee-like privileges.
WS-Security is a communications protocol that provides a mechanism for applying security to web services. More particularly, WS-Security describes enhancements to SOAP messaging to provide message integrity, confidentiality, and single message authentication in a way that can accommodate a wide variety of security models and encryption technologies. WS-Policy provides a general purpose model and a specification language to describe and communicate the policies of a web service. WS-Security Policy, built on the WS-Policy and the WS-Policy Assertion protocols, is a declarative XML format for programming the precise techniques used by web service implementations to construct and check WS-Security headers.
Unfortunately, most of these methodologies treat applications and services as monolithic entities. None of these models treat service composition as a first class entity or provide constructs for specifying security policies for web service compositions. Further, there is no unified methodology for expressing and enforcing access control rules in large and complex web service compositions.
Accordingly, improved access control techniques for use in a service-oriented computing environment are needed.
Principles of the invention provide improved access control techniques for use in a service-oriented computing environment.
For example, in one aspect of the invention, a method for authenticating a client in a service-oriented environment, wherein the service-oriented environment includes a plurality of services, includes the following steps. At least one service of the plurality of services is invoked. State information is associated with the at least one service invoked. The state information is used to authenticate a client with at least one service.
In another aspect of the invention, a method for access control in a service-oriented environment, wherein the service-oriented environment includes a plurality of services, includes the following steps. A rule specification language is provided. At least one rule is specified using the rule specification language. A verification is performed to determine whether or not the client satisfies the at least one rule. The client is granted access to a service when the client satisfies the at least one rule.
These and other objects, features and advantages of the present invention will become apparent from the following detailed description of illustrative embodiments thereof which is to be read in connection with the accompanying drawings.
As mentioned above, service composition has emerged as a fundamental technique for developing large and complex web applications. Multiple services, often from different organizations (or trust domains), may be dynamically composed to satisfy a request of a user. Such service compositions tend to be recursive and may include several sub-services and partner services. Access control in large service compositions is a very challenging security problem.
Accordingly, the present invention provide an access control model and techniques for specifying and enforcing access control rules on web service compositions. We define the notion of a composite principle to capture temporal, causal and privilege information that we believe are required to enforce access control rules on service compositions. Our definition of a composite principle allows us to inter-operate with organizational role hierarchy and to efficiently specify and enforce scoped separation of duty constraints and scoped roles. We describe a pure-past linear temporal logic (PPLTL) based declarative policy specification language for expressing these access control policies. We illustrate our approach using examples from a supply chain management (SCM) application. We describe an implementation of our proposal on an application overlay network (AON) based implementation of the SCM application.
The remainder of the detailed description is divided as follows.
In Section 1, we study the requirements for access control policies for web service compositions using a supply chain management (SCM) application. We demonstrate that existing access control models do not meet these requirements since they do not explicitly support the notion of service composition.
In Section 2, we handle this shortcoming by defining the notion of a composite principle. A composite principle captures temporal, causal and privilege information that we believe are required to enforce access control rules on service compositions. We use composite principles as first class entities to construct our access control model, that is, we answer the following yes or no question: can a composite principle CP invoke a method M on service S? We use a role based access control (RBAC) model for specifying privilege information and demonstrate that one can easily model complex access control rules based on separation of duty constraints (with scopes), inter-organizational roles (with scopes) using the notion of composite principles.
In Section 3, we describe a formal access control specification language for describing access control policies on service compositions. We describe a pure-past linear temporal logic (PPLTL) based declarative policy specification language for describing access control policies on composite principles. We introduce role monotone checks to ensure that a PPLTL rule respects the organizational role hierarchy. We also represent constraints on inter-organizational web service invocations as PPLTL rules on scoped composite roles and role translation tables. We use dynamic instantiation of PPLTL rules to support scoped separation of duty constraints and scoped roles. We show encodings of some sample access control policies from the supply chain management application.
In Section 4, we describe an implementation of our access control mechanism as a middleware service on an application overlay network (AON) hosting a SCM application. Our implementation is highly modular and allows easy deployment and enforcement of access control policies.
In Section 5, we describe authentication methodologies of the invention and a computer system architecture for implementing such methodologies.
1. Access Control Requirements
In this section we consider several access control requirements for web service compositions with illustrations from the supply chain management (SCM) application.
1.1 Concrete Requirements
As mentioned above, in an application built using service compositions, it is difficult to define the calling principle P since the request might have propagated along multiple hops (through different principles and services). A principle refers to a subject or an automated agent (Web service). However, the calling principle is limited to the set of principles and services that have participated in the call invocation history. The primary requirement here is to maintain minimal and yet sufficient information about the call invocation history such that one can determine the privilege information for a request after multiple service invocations. We define the notion of a composite principle to capture temporal, causal and privilege information that we believe would enable us to capture the required information. Our access control model accepts a composite principle CP and decides whether CP can invoke a method M on service S. We use a RBAC model to encode privilege information into a composite principle.
In addition, we provide a set of new access control features specifically designed for service compositions:
A composite principle (CP) allows us to reason about web service compositions as first class entities. Informally, a composite role includes a temporally ordered sequence of roles and services that are involved in an activity. Similarly, a composite principle includes a temporally order sequence of principles (playing a certain role) and service instances (acting as a certain service) that are involved in an activity. Concretely, a composite role and a composite principle are represented in BNF (Backus-Naur form) as shown below.
CR:=(S|R)+
CP:=(SIas S|P as R)+
Composite roles abstract away the concrete principles (and service instances) that participate in an activity. We capture separation of duty (SoD) constraints on concrete principles using composite principles. Unlike a service invocation based constraint, a SoD constraint encompasses an activity. An activity is modeled as a temporally ordered sequence of service invocations; note that each of these service invocations is in turn associated with a composite principle making that invocation. Hence, an activity A is represented in BNF as:
A:=CP+
Having described basic building blocks, we next present an access control specification language that integrates them with the goal of efficiently meeting the requirements discussed above in Section 1.
3.1 Specification Language
In Section 2, we modeled a composite principle as a temporally ordered sequence of principles or service instances that are responsible for a service invocation. Such temporally ordered structures may be viewed as finite models of linear temporal logic (LTL). In this embodiment of the invention, we specify access control policies using pure-past linear temporal logic based specification language (PPLTL).
The syntax of our access control language is specified by the following BNF for Kripke structures. Note that p is an atomic proposition. The operators X−1 (last time) and S (since) are the past time temporal operators: X−1Ψ is true if and only if Ψ were true in the previous time step and Ψ0SΨ1 is true if and only if Ψ1 was true at some point in the past and Ψ0 has been true at all points in time since Ψ1 evaluated to false.
Ψ:=p|Ψ0vΨ1|Ψ0^Ψ1|Ψ|X−1Ψ|Ψ0SΨ1
Let us for example consider a policy P1:
a) An employee operating through the retail service can approve an order if the order cost is less than c.
b) A retail manager operating through the retail service can approve all orders.
c) A chief manager can approve all orders.
d) A manufacturer M's inventory manager has the same status as that of an employee in the retailer system.
e) A manufacturer M's inventory manager is scoped to operate only those items that are purchased by the retailer system from the manufacturer M.
The administrator encodes this policy into a PPLTL rule Ψ:
Ψ=(Ψ1^Ψ2)vΨ3vΨ4
Ψ1=((F(employee)^X(retailservice)^(ordercost(cost,thr))
Ψ2=(F(employee<M>)→(manufacturer(M)^purchase(itemID,M))))
Ψ3=(F(retailmanager)^X(retailservice))
Ψ4=F(chiefmanager))
3.2 Policy Evaluation and Soundness
Policy Evaluation: Having described an access control specification language, we now consider the computational expenses incurred in verifying the truth or the falsity of an access control rule. The problem of verifying a policy with respect to a composite role (or a sequence of composite principles) is a model checking problem: does CRΨ hold? Model checking requires time complexity of Θ(|CR|*|Ψ|) and space complexity 2*(|Ψ|+1) bits. Note that |CR| denotes the length of the composite role CR and |Ψ| denotes the length PPLTL proposition Ψ.
Performance Enhancement: We provide access control module as a service that accepts a rule Ψ and input CR and verifies whether or not CRΨ. In such a scenario multiple services in an organization (say, retail service, warehouse service in the retailer system) may invoke a common access control service. The access control module is very likely to see queries that share a common composite role (or a sub-sequence of the composite role). Further, when the service invocations are deeply nested or recursive the size of the composite role |CR| can grow arbitrarily large. Fortunately, one can model this problem as a dynamic model checking problem and efficiently solve it as follows: Let us suppose that CR=x1x2 . . . xN
Ψ, then does CR′=x1x2 . . . xNxN+1 . . . xN+N′
Ψ for some N′≧1. We use the model checking algorithm to cache pre-computed results from CR
Ψ. Our dynamic model checking algorithm uses a cache of size 2*(|Ψ|+1) bits (per formula Ψ) and a time complexity of Θ(N′*|Ψ|) (as against a time complexity of Θ((N+N′)*|Ψ|) using the original model checking algorithm). Note that both the cache size and the verification time is independent of N, thereby making this approach feasible even on large and complex service compositions.
Policy Soundness: A policy Ψ is sound if there exists some input string CR that satisfies it. Verifying the soundness of a policy Ψ incurs a computation cost that is exponential in |Ψ|. In practice the size of a PPLTL formula is likely to be small; also, one typically checks the soundness of a policy Ψ during policy deployment outside the application's critical path.
Role Monotone Property: In our access control policy specification language, we represent an organizational role hierarchy using propositional logic as follows: if role R1≧R R2 then, R1R2, where ≧R denotes the domination operator in an organizational role hierarchy; for example, retail manager ≧R employee. We extend the notion of role hierarchy to a role monotone property on PPLTL formulae as follows. For any two composite roles CR1 and CR2 and a PPLTL formula Ψ satisfies the role monotone property if and only if ((CR1≧R CR2)^(CR2
Ψ))
(CR1
Ψ)).
Conservative Macros: The correctness of our soundness and role monotone checks depends on the macros (manufacturer, purchase, etc). For soundness checks, we assume that all macros evaluate to true. For role monotone checks, one can formally show that our check is correctness preserving if a macro is conservative. A macro is said to be conservative if its output is independent of the calling composite principle and the organizational role hierarchy. For example, manufacturer(M) and purchase(itemID, M) are conservative macros since their truth/falsity depends exclusively on M and itemID.
4. Access Control Enforcement
In this section, we describe an implementation of our access control module in an application overlay network (AON) hosting the SCM application. AON strongly advocates the idea of building middleware features as light-weight on-demand services. An application can dynamically discover and use these services as interoperability requirements are determined. A single logical application can itself be partitioned and managed across the network. By way of example,
4.1 Access Control Service
We preferably implement our access control module as a middleware feature that can be hosted as a service by the AON. We intercept incoming service invocations to a Web service at the access control check module on the container hosting the Web service. The access control check module invokes an access control service (possible hosted on an entirely different container and a thin server) to perform the required access control check. If the service invocation passes the access control check then the invocation is forwarded to the relevant business module. The access control service exports an interface as shown below. In the rest of this section, we describe how we obtain the values for each of arguments along with the modifications required to the underlying AON.
Boolean verify(AccessControlRule Ψ, CompositePrinciple CP, MethodSignature Sig, XMLOject input)
Boolean sound(AccessControlRule Ψ)
Boolean roleMonotone(AccessControlRule Ψ)
The policy database is encoded in the service description schema used by AON. We extend the service description schema to include one or more access control rules for every interface. The access control rule itself is a name and rule tuple, where name refers to the name of the operation/method and rule refers to the PPLTL rule that must be satisfied in order for an invocation on method name to be permissible. This framework achieves a clear separation and language independence between the application logic and the access control policy specification. The service description is made available to the container prior to deploying a service on that container.
The composite principle invoking a service is obtained by modifying the service containers in the AON infrastructure. Our implementation requires no changes to the application code. A service container in AON receives a request from a caller, triggers the service to process the request, and handles subsequent nested service invocations or returns to the caller. We instrument the service containers to construct a temporally ordered list of principles involved in a service invocation. This is achieved by using a token and accompanies a service invocation chain. The token is appended by the service container as the request flows through one or more hops on the AON. Hence, the composite principle invoking a service is available in the form of a token to the service container.
The access control service uses the database service to store and access the following pieces of information: a list of principles, a list of organizational roles, the organizational role hierarchy, and a table mapping a principle to its privilege (say, <john, employee> and <dan, retail manager>). The access control service may use database triggers to be notified when new users are added or when a user's privilege is changed.
However, for access control rules that span multiple composite principles (say, SoD constraint), the access control service uses the audit/logging service to obtain the composite principle(s) that have participated in the activity of interest in the past. We have modified the service container to log service invocations along with the scope name and scope ID making it efficient for us to retrieve relevant activity logs from the logging service. The service container infers a scope name from the policies in a service description. The scope ID is obtained from the argument values in the service invocation such that the argument name matches the scope name. The log format for a service invocation is shown below. For example, when a retail service invokes the database service on behalf of an employee to process a customer order, it is logged by the database service as follows: (db as database service) says (emp as employee, rs as retail service) invoked method processOrder on (db as database service) for activity (order}, 1234), where db is a service instance of type database service, order denotes the scope name and 1234 denotes the scope (order) ID. We keep the service invocation log temporally ordered and additionally build an index on (scopeName, scopeID) to allow fast access to relevant log entries.
(P as R|SI as S) says CP invoked method M on (SI as S) for activity (scopeName, scopeID)
The method signature sig contains a WSDL description of the invoked method's signature. The XMLObject input contains method invocation arguments. Coupled with the method signature sig, it enables the access control service to interpret the argument types and values in input. The sig and input parameters are required to support data-driven access control policies. Recall that a WSDL description of the invoked method is available at the container hosting the service since the service deployment stage. In the following sections, we describe how we deploy and enforce access control policies in our system.
4.2 Policy Deployment
We now describe techniques to deploy a new policy into the system. Let us consider a sample access control policy P1 (described in Section 2) and its PPLTL rule Ψ:
We deploy the policy Ψ through the following steps:
1) The administrator checks the soundness and role monotone property of policy Ψ using the access control service.
2) Given a policy Ψ the administrator has to determine policy enforcement points (PEPs). In this case the administrator determines that the policy must be enforced at the processOrder operation by the retailer service and the binding service.
3) The administrator adds a new policy Ψ as an XML component to the PEP's service description. Note that the policy Ψ is stored along with the service description and not at the access control service.
4) The administrator adds a role translation rule to the gateway's policy DB. A role translation rule is a three tuple: the first column contains the organization name and the second column contains a role name in that organization and the third column contains the translated role. In this example a table entry would look like <PG, inventory manager, employee<PG>>, where PG is the manufacturer.
4.3 Policy Enforcement
The deployed access control policies are enforced as follows. When the retailer system's binding service receives a web service invocation on the method processOrder:
1) The binding service performs role translation. The translation is effected by replacing every occurrence of inventory manager in the composite principle with employee<PG>.
2) The binding service forwards the method invocation to the container hosting the retailer service. The service runtime looks up the service description to check if there are any rules associated with the operation processOrder. If so, it invokes the access control service with the following arguments: the composite principle CP, the rule Ψ, and the arguments contained in the call to the processOrder method and a reference to the WSDL description of the processOrder method.
3) If the rule is a scoped rule Ψo (say, a separation of duty constraint) then the model checker dynamically instantiates a rule using the scope identifier from the input argument named o. The model checker parses the rule Ψ (one linear scan) and breaks it down into atomic predicates. For the sample policy in \ref{sample-policy}, the atomic predicates are shown in ,
), temporal operators (F−1, X−), and macros (ordercost, manufacturer, purchase).
4) The access control service caches the required information required for performing dynamic model checking. This cached result is used to enhance the performance of future access control check requests arising primarily due to propagation of a service invocation and recursive service invocations.
5) If the access control service returns true, then the runtime forwards the method invocation to the retailer service; else the method invocation fails.
5. Authentication Methodologies and Computer System Architecture
As shown, methodology 400 includes the following steps. In step 402, at least one service of the plurality of services (204) is invoked. In step 404, state information is associated with the at least one service invoked. The state associated with a service invocation is stored in the form of a composite principles and the audit/logging service (203). In step 406, the state information is used to enforce access control on at least one service invocation. By way of example only, the access control verification step is carried out by the access control service (202) using the policies stored in policy database (208) and the state information stored in the audit/logging service (203).
As shown, methodology 450 includes the following steps. In step 452, a rule specification language is provided. For instance, we use a PPLTL based access control policy specification language (see Section 3.1). In step 454, at least one rule is specified using the rule specification language. An example policy expressed in a PPLTL based policy specification language in shown in
Lastly,
Thus, the computing device shown in
As shown, computing system architecture 500 may include a processor 502, a memory 504, I/O devices 506, and a network interface 508, coupled via a computer bus 510 or alternate connection arrangement.
It is to be appreciated that the term “processor” as used herein is intended to include any processing device, such as, for example, one that includes a CPU and/or other processing circuitry. It is also to be understood that the term “processor” may refer to more than one processing device and that various elements associated with a processing device may be shared by other processing devices.
The term “memory” as used herein is intended to include memory associated with a processor or CPU, such as, for example, RAM, ROM, a fixed memory device (e.g., hard drive), a removable memory device (e.g., diskette), flash memory, etc.
In addition, the phrase “input/output devices” or “I/O devices” as used herein is intended to include, for example, one or more input devices (e.g., keyboard, mouse, etc.) for entering data to the processing unit, and/or one or more output devices (e.g., display, etc.) for presenting results associated with the processing unit.
Still further, the phrase “network interface” as used herein is intended to include, for example, one or more transceivers to permit the computer system to communicate with another computer system via an appropriate communications protocol.
Accordingly, software components including instructions or code for performing the methodologies described herein may be stored in one or more of the associated memory devices (e.g., ROM, fixed or removable memory) and, when ready to be utilized, loaded in part or in whole (e.g., into RAM) and executed by a CPU.
In any case, it is to be appreciated that the techniques of the invention, described herein and shown in the appended figures, may be implemented in various forms of hardware, software, or combinations thereof, e.g., one or more operatively programmed general purpose digital computers with associated memory, implementation-specific integrated circuit(s), functional circuitry, etc. Given the techniques of the invention provided herein, one of ordinary skill in the art will be able to contemplate other implementations of the techniques of the invention.
Although illustrative embodiments of the present invention have been described herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various other changes and modifications may be made by one skilled in the art without departing from the scope or spirit of the invention.
| Number | Name | Date | Kind |
|---|---|---|---|
| 20060021019 | Hinton et al. | Jan 2006 | A1 |
| 20060069717 | Mamou et al. | Mar 2006 | A1 |
| 20080141336 | Haller | Jun 2008 | A1 |
| 20090254392 | Zander | Oct 2009 | A1 |
| Entry |
|---|
| E.G. Sirer et al., “An Access Control Language for Web Services,” SACMAT, Jun. 2002, 8 pages. |
| M. Mecella et al., “Access Control Enforcement for Conversation-Based Web Services,” www2006, May 2006, 10 pages. |
| B. Carminati et al., “Security Conscious Web Service Composition,” IEEE International Conference on Web Services (ICWS), 2006, 8 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20080256357 A1 | Oct 2008 | US |
