
A BPEL-based framework for the enforcement of web services security. (c2012)

LAUR Repository


dc.contributor.author Ayoubi, Sara Nabil El-
dc.date.accessioned 2012-07-04T07:26:36Z
dc.date.available 2012-07-04T07:26:36Z
dc.date.copyright 2012 en_US
dc.date.issued 2012-07-04
dc.date.submitted 2012-03-29
dc.identifier.uri http://hdl.handle.net/10725/1186
dc.description Includes bibliographical references (leaves 83-87). en_US
dc.description.abstract In this thesis, we address the problem related to security in a composition of web services, mainly in a BPEL process. This problem emerges due to the monopolization of security at the web service side, which causes an enormous overhead when running a process that orchestrates between multiple services. Furthermore, BPEL suffers from a lack of modularity for modeling cross-cutting concerns, thus any change or modification to the process is tedious and cumbersome, not to mention the need to deactivate the process throughout the modification phase. Thus, our thesis is dedicated to the introduction of a multi-layer framework for the enforcement of security for web services. This approach is based on a synergy between XACML (eXtensible Access Control Markup Language) security policies, Aspect-Oriented Programming (AOP) and composition of web services (BPEL). This synergy is achieved through the elaboration of a dedicated language called AspectBPEL. The elaborated AspectBPEL language allows specifying security policies as separate components, namely, aspects. These aspects are weaved systematically in the BPEL (Business Process Execution Language) process for the sake of activating the security policies at runtime on specific join points. In addition, our approach allows specifying the XACML security policies that are used to determine pointcuts in a BPEL process where security is needed. Subsequently, a BPEL flow with the needed security is generated into security AspectBPEL aspects to be weaved in the aforementioned process. The centralization of security at the process level consists in the use of a separate trust authority that adopts an XACML infrastructure.
The main contributions of our approach are: (1) describing dynamic security policies using a standard language, XACML, (2) generating automatically the BPEL aspects of the XACML policies, (3) separating the business and security concerns of composite web services, and hence developing them separately, (4) allowing the modification of the dynamic security features and web services composition at run time to integrate, remove and/or update security mechanisms, (5) providing modularity for modeling cross-cutting concerns between web services, (6) centralizing and updating the security measurements at the BPEL side and (7) providing a language and a framework that is fully operational and compatible with any BPEL process regardless of the adopted development environment. The feasibility and usability of the proposed framework have been verified using two real life case studies: an Online Purchase System (OPS) and a Flight Reservation System (FS). Finally, experimental results and performance analysis are presented to evaluate the proposed framework. en_US
dc.language.iso en en_US
dc.subject BPEL (Computer program language) en_US
dc.subject Web services -- Security measures en_US
dc.title A BPEL-based framework for the enforcement of web services security. (c2012) en_US
dc.type Thesis en_US
dc.term.submitted Spring en_US
dc.author.degree MS in Computer Science en_US
dc.author.school Arts and Sciences en_US
dc.author.idnumber 201000374 en_US
dc.author.commembers Dr. Hadi Otrok
dc.author.commembers Dr. Ramzi Haraty
dc.author.woa OA en_US
dc.description.physdesc 1 bound copy: xvi, 87 leaves; col. ill.; 31 cm. available at RNL. en_US
dc.author.division Computer Science en_US
dc.author.advisor Dr. Azzam Mourad
dc.keywords Web Services en_US
dc.keywords BPEL en_US
dc.keywords Security en_US
dc.keywords XACML en_US
dc.keywords Aspects Oriented Programming en_US
dc.identifier.doi https://doi.org/10.26756/th.2012.13 en_US
dc.publisher.institution Lebanese American University en_US

