XML-based access control languages

Published: 01 July 2004

Abstract

One of the most challenging problems in managing large, distributed, and heterogeneous networked systems is specifying and enforcing security policies regulating interactions between parties and access to services and resources. Recent proposals for specifying and exchanging access control policies adopt XML-based languages. XML in fact appears to be a natural choice as the basis for a common security-policy language, due to the ease with which its syntax and semantics can be extended and the widespread support it enjoys from all the main platform and tool vendors. In this chapter, we first investigate the basic concepts behind access control design and enforcement, and point out the different security requirements that may need to be taken into consideration when designing an access control language for Internet information systems. We then focus on XML-based access control languages and, in particular, on the eXtensible Access Control Markup Language (XACML), a recent OASIS standardization effort. XACML is designed to express authorization policies in XML against objects that are themselves identified in XML. XACML can represent the functionalities of most policy representation mechanisms.


Cited By

  • (2018) Creating and enforcing access control policies using description logic techniques. International Journal of Internet Technology and Secured Transactions, 3(3):253-278. doi:10.1504/IJITST.2011.041295. Online publication date: 13-Dec-2018
  • (2016) Towards Attribute-Centric Access Control. Security and Communication Networks, 9(16):3152-3166. doi:10.1002/sec.1520. Online publication date: 10-Nov-2016

Published In

Information Security Tech. Report, Volume 9, Issue 3, July 2004 (72 pages)

Publisher

Elsevier Advanced Technology Publications, United Kingdom
