New approach for the dynamic enforcement of Web services security

Abstract

We propose in this paper a new approach for the dynamic enforcement of Web services security, which is based on a synergy between Aspect-Oriented Programming (AOP) and composition of Web services. Security policies are specified as aspects. The elaborated aspects are then weaved (integrated) in the Business Process Execution Language (BPEL) process at runtime. The main contributions of our approach are threefold: (1) separating the business and security concerns of composite Web services, and hence developing them separately (2) allowing the modification of the Web service composition at run time and (3) providing modularity for modeling cross-cutting concerns between Web services. We demonstrate the feasibility of our approach by developing a Flight System (FS) that is composed of several Web services. First, a RBAC (Role Based Access Control) model for the flight system, which we called RBAC-FS, is elaborated. Afterwards, the Web services that implement the security features are developed. Finally, the BPEL aspects that integrate the security functionalities dynamically into the BPEL process are created. The devised aspects realize the elaborated RBAC-FS model and provide authentication and access control features to the flight system. Case studies and experimental results are also presented to defend our propositions.