Laboratoire d'InfoRmatique en Image et Systèmes d'information, UMR 5205, 1 July 2010. Selecting Web Services.

1 Selecting Web Services for Choreography Implementation: Compatibility Checking Approach with Access Control
Emad Elabd, Emmanuel Coquery, Mohand-Said Hacid (emad.elabd@liris.cnrs.fr)
Laboratoire d'InfoRmatique en Image et Systèmes d'information, UMR 5205, http://liris.cnrs.fr
1 July 2010. Seke, 1-3 July, 2010

2 Agenda:
- Web Services and Web Services Choreography
- Business Protocol
- Compatibility
- Business Protocols for Choreography
- BP Product Automata
- Using ontology
- The verification process
- Complexity analysis
- Related works
- Conclusion and future work

3 Web Services
"A Web service is a software application or component that can be accessed over the internet using a platform/language-neutral data interchange format to invoke the service and supply the response, using a rigorously defined message exchange pattern, and producing a result that is sufficiently well-defined to be processed by a software application."
Web service characteristics:
- Interactions: XML message exchange
- Protocols: SOAP, HTTP
[Figure: service-oriented architecture (SOA). Labels: Service Registry, Service Provider, Service Requestor, Service description, Web Service.]

4 Web Services cont.
Service Description:
- Structural: operations, data schemas, binding information and I/O message formats. Tools: WSDL.
- Behavioural: order of message exchange (business protocols). Tools: BPEL, WSCI, BPMN, etc.

5 Web Services & Choreography
[Figure: a designer collects Web services (WA1, WA2, WA3, WA4, ..., WAn) from the Web. The selected Web services implement a complex process described by a choreography. The verification process decides whether they can implement the process or not.]

6 Business Protocol
Informal definition: Possible message exchange sequences supported by the service.
Formal definition: An explicitly time business protocol is a tuple $P = (S, s_0, T, F)$ which consists of the following elements:
- $S$ is a finite set of states.
- $s_0 \in S$ is the initial state.
- $T \subseteq S^2 \times M \times \{+,-\}$ is a finite set of explicit transitions.
- This protocol is deterministic.
- All states in the automaton are accessible and co-accessible.
- $F \subseteq S$ is a set of final states. If $F = \{\}$ then $P$ is said to be an empty protocol.

7 Business Protocol cont.
[Figure (p1): state transition protocol with states S0, S1, S2, S4 and transitions a(-), d(+), e(+).]
[Figure (p2): business protocol of a search engine with states start, Logged, searching, answered and transitions Login(+), search(+), answer(-).]

8 Compatibility
[Figure: a service consumer and a service provider, each described by a business protocol that specifies the interactions (messages). Are they compatible?]

9 Compatibility
Informal definition. We say that $P_1$ and $P_2$ are compatible using their if:
- All the messages sent by the service can be received by the consumer and vice versa, while respecting the annotated constraints (time and ACP).
- There is no livelock or deadlock (accessibility and co-accessibility).

10 Compatibility ex.
[Figure: two business protocols BP1 (p1) and BP2 (p2) and their product automaton BP1 × BP2 (P1 X P2). Transition labels shown: b(+), a(+), d(-), a(-), d(+), c(-), e(+), f(-), e(-), f(+). Product states shown: (S0, S0), (S1, S1), (S3, S3), (S4, S4), (S5, S5).]

11 Incompatible ex.
The two protocols are incompatible.
[Figure: business protocols BP1 and BP2 and the product BP1 × BP2. Transition labels shown: b(-), a(+), d(-), a(-), d(+), c(+), e(+), f(-), e(-), f(+). Product states shown: (S0, S0), (S1, S1), (S3, S3), (S4, S4), (S5, S5).]

12 Web Services: Access control
Development of suitable access control models.
Traditional access control models are not satisfactory:
- Conversational nature of Web services.
- Web service as a set of dependent operations.
Approaches to avoid situations where the client cannot progress in the conversation due to the lack of required security requirements.
Research directions in access control:
- Development of new access control models (e.g., NIST Standard RBAC model, WS-AC1, and the conversation-based Web services access control model by Massimo M. et al.).
- Development of policy languages for access control (XACML, WS-Policy, and finally Semantic Web based languages such as Rei and KAoS).

13 Compatibility with AC:
- For login: professor credential or student card
- For accessing journal papers: professor credential
- For accessing conference papers: professor credential or student card
[Figure: business protocol of the web service (P1) and a consumer (P2) without assigning the ACP. P1 states: start, Logged, ReceivedJournalReq, JournalPapers, ReceivedconfReq, conferPapers; P1 transitions: Login(+), getJournalReq(+), getJournalRes(-), getconferenceReq(+), getconfRes(-). P2 states: start, Logged, SentRequest, GetJournalPaper; P2 transitions: Login(-), getJournalReq(-), getJournalRes(-).]

14 Compatibility with AC cont.:
[Figure: business protocol of the web service (P1) and a consumer (P2) after assigning the ACP. P1 transitions: Login(+), Prof or Student; getJournalReq(+), Prof; getconferenceReq(+), Prof or Student; getJournalRes(-); getconfRes(-). P2 transitions: Login(-), Student; getJournalReq(-); getJournalRes(-). States as on the previous slide.]

15 Compatibility with AC cont.: Cumulative access control policy
C: a credential or a set of credentials. M: refers to the message.
[Figure: four automata over states S0 to S4.
P1: M1(-),C; M2(+); M3(-); M4(+).
P2: M1(+); M2(-); M3(+,C); M4(+).
P1 with cumulative ACP: M1(-),C; M2(+); M3(-),C; M4(+).
P2: M1(+); M2(-); M3(+,C); M4(+).]

16 Compatibility with AC cont.:
[Figure: three protocols over states S0 to S7.
P1: M1(-),x; M2(-); M3(+); M4(+); M5(-),y; M6(+); M7(-), zx or yz; M8(+).
P2: M1(+); M2(+); M3(-); M4(-); M5(+); M6(-); M7(+), zx or yz; M8(-).
P3: M1(+); M2(+); M3(-); M4(-); M5(+); M6(-); M7(+),xz; M8(-).
Annotations on the figure: "Policy", "Compatible", "Compatible? Answer: No".]

17 Compatibility with AC cont.:
[Figure: P1 over states S0 to S7 with M1(-),x; M2(+); M3(+); M4(+); M5(-),y; M6(+); M7(-), zx or yz; M8(+). P2 over states S0 to S4 with M1(+); M3(-); M7(+), zx; M8(-). Annotation: "Policy".]
Are the two protocols compatible? Applying the rule of the previous example, it seems not, because the policy on M7 in P2 will not be satisfied by the set of credentials of M7 in P1. But they are compatible: some paths will not be taken during the interaction. Compare the credentials and policy after determining the paths of interaction between the two protocols (product automaton).

18 Access Control Policy cont.:
Two BP assigned with access control policy and their product automaton. Example of incompatibility.
Notation: $P_1^1$ is the policy of protocol BP1 in transition 1; $C_1^2$ is the set of credentials of protocol BP2 in transition 1.
[Figure: BP1, BP2 and BP1 × BP2. Transition labels shown: b(-); a(+), (c1); d(-),c2; a(-), c1; d(+); c(+); e(+); f(-); e(-); f(+),c2,c3. Product states shown: (S0, S0), (S1, S1), (S3, S3), (S4, S4), (S5, S5).
Annotations on the product transitions: $P_1^1 = c1$, $C_1^2 = c1$; $P_2^2 = 0$, $C_2^1 = c2$; $P_3^1 = 0$, $C_3^2 = 0$; $P_4^2 = c2c3$, $C_4^1 = 0$.
Further annotations: $C_1^2 = c1$, $C_2^1 = c2$, $C_3^2 = c1$, $C_4^1 = c2$.]

19 Web Service Choreography
Web service choreography relates to describing externally observable interactions between web services.
Choreography == Multi-party Collaboration
[Figure labels: Partners, Sender, Receiver, Operation, Message, ACP, Credentials.]

20 Business Protocols for Choreography

21 Product Automata
[Figure: product automaton of the choreography.
Initial state: ((Buyer, start), (Seller, start), (Broker, start), (CreditAgency, start)).
State labels shown: ARTICLE SPECIFICATION SUBMIT; Quote Updating Request-KS; Payment Request-Ks; Payment Check-Sc; Payment failure-CS; Payment Success-Cs; Article received; Article Submit.
Transition labels shown:
- (Seller, Broker, SubmitArticleSpec, AritclesubmitReq, ACP=true, C=true)
- (Broker, Seller, QuoteUpdate, QuoteUpdateReq, ACP=true, C=true)
- ...
- (Seller, CreditAgency, checking credit, CreditCheckReq, ACP=Visa Card, C=BNP Visa Card)
- (CreditAgency, Seller, checking credit, Failure, ACP=true, C=true)
- (CreditAgency, Seller, checking credit, Sucess, ACP=true, C=true)
- ...
- (Broker, Buyer, SubmitArticle, Aritclesubmitorder, ACP=true, C=true)]

22 Access control policy ontology
[Figure: P1 with states start, Logged, ReceivedJournalReq, JournalPapers, ReceivedconfReq, conferPapers and transitions Login(+), Prof or Student card; getJournalReq(+), Prof; getconferenceReq(+), Prof or Student; getJournalRes(-); getconfRes(-). P2 with states start, Logged, SentRequest, GetconfPaper and transitions Login(-), school Student; getconferenceReq(-); getconfRes(-).]
[Figure: ontology with Isa relations over Card, Student card, Professor card, University card, School card.]

23 The verification process
1. Select the Web services and get their business protocols, assigned with the ACP and credentials.
2. Create the product automaton of these protocols.
3. Calculate the cumulative ACC on the product automaton (as defined in definition 4).
4. Check the compatibility in terms of ACP between these protocols (as defined in definition 6), using algorithm 1 for calculating and checking the ACP on the product automaton.
5. If the business protocols are compatible in terms of message exchange and ACP, and the product automaton presents the same behavior as the choreography, then the set of services which have these business protocols can implement this choreography. Otherwise, this choreography cannot be implemented by these services.
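
An added illustration, not taken from the slides and not the authors' algorithm 1, of steps 2 to 4 and of the point on slide 17 that policies must be compared on the paths the product automaton actually takes. The data model, the names `check_acp` and `receiver`, and both protocols are constructed assumptions: a send discloses a set of credentials, a receive carries a policy given as alternative credential sets, and credentials accumulate along a path.

```python
from collections import deque

# Constructed protocols. Transition = (source, message, polarity, annotation, target).
# "-" (send): annotation is the set of credentials disclosed with the message.
# "+" (receive): annotation is the ACP as a list of alternative credential sets
# ("zx or yz" -> [{"z","x"}, {"y","z"}]); an empty list means ACP = true.
P1 = {"init": "s0", "final": {"s2"}, "trans": [
    ("s0", "M1", "-", {"x"}, "s1"),
    ("s1", "M7", "-", {"z"}, "s2"),
    ("s0", "M2", "+", [], "s3"),      # branch the partner below never triggers
    ("s3", "M5", "-", {"y"}, "s4"),
    ("s4", "M7", "-", {"z"}, "s2"),
]}

def receiver(m7_policy):
    return {"init": "t0", "final": {"t2"}, "trans": [
        ("t0", "M1", "+", [], "t1"),
        ("t1", "M7", "+", m7_policy, "t2"),
    ]}

def check_acp(p1, p2):
    """Walk the product automaton, accumulating each side's disclosed credentials.
    Returns (violations, completed): unmet policies, and whether a final pair is reachable."""
    start = (p1["init"], p2["init"], frozenset(), frozenset())
    seen, queue, violations = {start}, deque([start]), []
    while queue:
        s1, s2, c1, c2 = queue.popleft()
        for a, msg1, pol1, ann1, a2 in p1["trans"]:
            for b, msg2, pol2, ann2, b2 in p2["trans"]:
                if (a, b) != (s1, s2) or msg1 != msg2 or pol1 == pol2:
                    continue          # synchronise only m(-) with m(+)
                if pol1 == "-":       # p1 sends, p2's policy applies
                    n1, n2, policy = c1 | ann1, c2, ann2
                    sent = n1
                else:                 # p2 sends, p1's policy applies
                    n1, n2, policy = c1, c2 | ann2, ann1
                    sent = n2
                if policy and not any(alt <= sent for alt in policy):
                    violations.append((msg1, (s1, s2), sorted(sent)))
                    continue          # the conversation blocks here
                nxt = (a2, b2, n1, n2)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    completed = any(x in p1["final"] and y in p2["final"] for x, y, _, _ in seen)
    return violations, completed

if __name__ == "__main__":
    print(check_acp(P1, receiver([{"z", "x"}])))  # policy "zx": met on the only path taken
    print(check_acp(P1, receiver([{"y", "z"}])))  # policy "yz": y is not disclosed on that path
```

Comparing M7's own credential `{"z"}` against the policy in isolation would reject both receivers; the walk accepts the first because `x` was already disclosed with M1 on the path that is actually taken.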

24 Complexity analysis
Let $T_1$ and $T_2$ be the number of transitions of the two protocols $P_1$ and $P_2$ respectively.
- The construction of the product automaton will take $(T_1 \times T_1)$.
- The calculation of the cumulative credentials will take the number of states in the product automaton $(S_1 \times S_2)$ multiplied by the size of the longest non-looping path multiplied by $(S_1 \times S_2)$ (i.e., the cumulative credentials take $(S_1 \times S_2)^3$).
- As a result, the complexity of the algorithm will be $((T_1 \times T_1) + (S_1 \times S_2)^3)$.

25 Conclusion and future work
- High-level analysis of business protocols used in the web service after explicitly assigning ACP on it.
- Cumulative access control policy.
- Compatibility analysis.
- Propose a verification approach to verify the behaviors specified by process choreographies and the selected web services for implementing these choreographies.
- In our work, using an ontology of ACP is important in determining the relation between the compared policies and credentials. This comparison is needed in checking compatibility and replaceability.

26 Conclusion and future work
For future work:
- Generalization: the approach works with most of the message specification attributes (XMLSchema, Access Control Policy, Privacy, Meaning, Response Time, Credentials).
- Applying our analysis to multi-clock time automata where each transition has its own clock.
- Automatically building adapters that allow a set of services to work together even though they are not directly compatible.
- Another extension is to use these tools for web service composition.

