Towards Web Service access control

Cited by: 15
Authors
Coetzee, M [1 ]
Eloff, JHP [1 ]
Affiliation
[1] Univ Pretoria, Dept Comp Sci, ZA-0002 Pretoria, South Africa
Funding
National Research Foundation of Singapore;
Keywords
SOAP; XML; access control; Web Services; assertions; authorisation manager; logical rules; roles; trust;
DOI
10.1016/j.cose.2004.05.006
CLC classification number
TP [Automation technology, computer technology];
Subject classification code
0812 ;
Abstract
The Internet has revolutionised the capacity to share information and services across organisations. Web Service technology enables organisations to exploit software as a service. Services are accessed by method invocations. Method interfaces are described and published, and may be freely available. Method requests and responses are conveyed in SOAP, which has the ability to pass unhindered through firewalls. Applications that process SOAP requests may be endangered by messages with malicious intent. Protection of methods and resources exposed by SOAP is thus a critical requirement for Web Services to be acceptable to organisations. In Web Service environments, access control is required to cross the borders of security domains, to be implemented between heterogeneous systems. New approaches are required that would address the movement of unknown users across borders so that access to resources can be granted. Specifications have been released to address access control, but are not well established. In this paper, an analysis of current approaches to Web Service access control is made, which leads to five requirements to be addressed by future access control solutions. To address such requirements, a logic-based access control approach is defined for a Web Service endpoint. The paper does not address the access control logic that is required when more than one Web Service is used in an integrated business solution. (C) 2004 Elsevier Ltd. All rights reserved.
Pages: 559-570
Page count: 12