Abstract:
In this thesis, we address the problem of security in a composition of web services, mainly
in a BPEL process. This problem emerges due to the monopolization of security at the web service
side which causes an enormous overhead when running a process that orchestrates between multiple
services. Furthermore, BPEL suffers from a lack of modularity for modeling cross-cutting concerns,
thus any change or modification to the process is tedious and cumbersome, not to mention the need
to deactivate the process throughout the modification phase. Thus, our thesis is dedicated to the
introduction of a multi-layer framework for the enforcement of security for web services. This
approach is based on a synergy between XACML (eXtensible Access Control Markup Language)
security policies, Aspect-Oriented Programming (AOP) and composition of web services (BPEL).
This synergy is achieved through the elaboration of a dedicated language called AspectBPEL. The
elaborated AspectBPEL language allows specifying security policies as separate components, namely,
aspects. These aspects are weaved systematically in the BPEL (Business Process Execution Language)
process for the sake of activating the security policies at runtime on specific join points.
In addition, our approach allows specifying the XACML security policies that are used to determine
pointcuts in a BPEL process where security is needed. Subsequently, a BPEL flow with the needed
security is generated into security AspectBPEL aspects to be weaved in the aforementioned process.
The centralization of security at the process level consists of the use of a separate trust authority that
adopts an XACML infrastructure.
The main contributions of our approach are: (1) describing dynamic security policies using a standard
language, XACML, (2) automatically generating the BPEL aspects of the XACML policies, (3)
separating the business and security concerns of composite web services, and hence developing them
separately, (4) allowing the modification of the dynamic security features and web services
composition at run time to integrate, remove and/or update security mechanisms, (5) providing
modularity for modeling cross-cutting concerns between web services, (6) centralizing and updating
the security measures at the BPEL side, and (7) providing a language and a framework that is fully
operational and compatible with any BPEL process regardless of the adopted development
environment.
The feasibility and usability of the proposed framework have been verified using two real-life case
studies: an Online Purchase System (OPS) and a Flight Reservation System (FS). Finally,
experimental results and performance analysis are presented to evaluate the proposed framework.