
Regulating the Synchronous Interaction of Web-Services
Constantin Serban, Department of Computer Science, Rutgers University


Slide 2: Outline
– Enterprise-wide access control: motivation
– Current approaches and LGI-based solution
– Regulating synchronous communication
  – Controlling the request arguments
  – Controlling the answer
– Conclusions

Slide 3: Enterprise-wide access control
– Enterprises increasingly rely on heterogeneous collections of web services
  – Each WS may have its own server-centric policy
– Question: how does one establish a communal, enterprise-wide policy?
  – And how does one ensure that this policy is complied with?

Slide 4: Enterprise-wide access control (diagram: one enterprise policy spanning all web services)

Slide 5: Communal AC, a case study
– Consider a healthcare system composed of multiple heterogeneous services maintaining patient records.
– An example of a communal AC policy:
  – Doctors can access patient records, in full.
  – Researchers can access specified parts of the records, and they have to pay for it, in proportion to the volume of data received.
  – All accesses to patient records are to be monitored.
– Such a policy has to be specified at the enterprise level, and complied with by all WS and their users.

Slide 6: Server-Centric AC (diagram: client sends a request to the server, whose own access control produces the response)

Slide 7: Server-Centric AC (same diagram)
– Each server has its own AC policy
– The enforcement of the policy is at the discretion of the server

Slide 8: Communal AC (XACML and others) (diagram: the client's request passes through a PEP at the server, which consults a PDP holding the policy P before the response is returned)
– PDP: Policy Decision Point
– PEP: Policy Enforcement Point

Slide 9: Communal AC (XACML and others) (same diagram)
– The policy can be enterprise-wide
– But the enforcement is still at the discretion of the server
– Moreover, it is application-dependent

Slide 10: Communal AC via a central Reference Monitor (RM) (diagram: request and response between client and server pass through a single RM holding policy P)
– The RM carries the enterprise-wide policy
– Access control is mandatory

Slide 11: Communal AC via a central RM (diagram: many client/server pairs all routed through the one RM)
– Not scalable, and a potential bottleneck

Slide 12: Communal AC via LGI (diagram: the request and response pass through a controller on the client side and a controller on the server side, each holding policy P)

Slide 13: Communal AC via LGI (same diagram)
– Both controllers carry the same policy
– Access control is mandatory, stateful, fine-grained

Slide 14: Types of communication in WS
– Regulation of message exchange using LGI (previous presentation)
– A significant portion of WS traffic is synchronous (SOAP-RPC)
– Regulation of synchronous communication has several peculiar aspects

Slide 15: Outline (revisited)
– Enterprise-wide access control: motivation
– Current approaches and LGI-based solution
– Regulating synchronous communication
  – Controlling the request arguments
  – Controlling the answer
– Conclusions

Slide 16: Regulating synchronous communication
– Control both the request and the response
– Regulate both at the client side and at the server side, maintaining state in both
– Sensitive to:
  – Request arguments
  – Return value
  – State of both client and server, and the state of the communication between the request and the response
– Impose constraints on the communication protocol: time-outs, load balancing, etc.

Slide 17: Control over the request
– Purpose
  – Specify under what condition a client can make a certain request to a service
  – This is different from whether the client can access the service at all
– Access control based on:
  – Source and target of the request, their state, the request and its parameters

Slide 18: Control over the response
– Control information might be available only at the time of the response
– The state of both the client and the server is best updated based on response data
– For other purposes: auditing, accounting, etc.

Slide 19: Response control, Example 1
– A healthcare system provides a generic service to access a patient's record. Clients can be both doctors and researchers.
– Doctors can access each record in full; researchers can access only some of the information within a record.
– The access control scheme can black out the sensitive data in a record after the service responds.

Slide 20: Response Example 1 (cont'd) (diagram: the client sends getRecord(id#) to the server through the controllers; the server's recordAns carries ssn, name, diagnostic and medication; the controller forwards a recordAns in which ssn and name are blacked out, leaving only diagnostic and medication)

Slide 21: Response control, Example 2
– Researchers pay only if a request is satisfied, and in proportion to the volume of the data received
– Update the state (tokens, others...) of the researcher only if the request was successful
– Increase/decrease the reputation of the server
– The answer itself determines the change in the state of (either, or both of) server and client

Slide 22: Response Example 2 (cont'd) (diagram: the client sends getRecord(id#) through the controllers to the server; on the returned recordAns the controller performs updateReputation and decreaseBudget)
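The two-sided regulation of slides 17 through 22 (a request check on the client side, blacking out of sensitive fields on the response for researchers, and budget and reputation updates driven by the answer itself), as an added stand-alone model; this is not code from the Moses/LGI platform or the RRMI policy language, and the record layout, field names, tariff and state variables are constructed for the example.

```python
# Added example, not code from the Moses/LGI platform: a stand-alone model of an
# LGI-style controller pair regulating a synchronous getRecord() call (slides 17-22).
from dataclasses import dataclass

# Constructed sample record store on the server side; field names are assumptions.
RECORDS = {
    42: {"ssn": "000-00-0000", "name": "J. Doe", "diagnostic": "flu", "medication": "rest"},
}
RESEARCHER_VISIBLE = ("diagnostic", "medication")  # fields researchers may see
PRICE_PER_CHAR = 1                                 # constructed tariff: 1 token per character returned

@dataclass
class ClientState:
    role: str                    # "doctor" or "researcher"
    budget: int = 0              # tokens held by a researcher
    server_reputation: int = 0   # client's running opinion of the server

def client_request_check(state: ClientState, method: str, args: tuple) -> bool:
    """Client-side controller: decide whether this request may leave the client."""
    if method != "getRecord" or len(args) != 1:
        return False
    if state.role == "doctor":
        return True
    return state.role == "researcher" and state.budget > 0  # researchers need tokens

def server_response_filter(role: str, response):
    """Server-side controller: black out sensitive fields before a researcher sees them."""
    if response is None or role == "doctor":
        return response
    return {k: v for k, v in response.items() if k in RESEARCHER_VISIBLE}

def client_response_update(state: ClientState, response) -> None:
    """Client-side controller: charge and rate the server based on the answer itself."""
    if response is None:             # request not satisfied: no charge, server marked down
        state.server_reputation -= 1
        return
    state.server_reputation += 1
    if state.role == "researcher":   # pay in proportion to the volume of data received
        volume = sum(len(str(v)) for v in response.values())
        state.budget -= volume * PRICE_PER_CHAR

def regulated_get_record(state: ClientState, record_id: int):
    """The full exchange: request check, unregulated server call, response filter, state update."""
    if not client_request_check(state, "getRecord", (record_id,)):
        raise PermissionError("request blocked by client-side controller")
    raw = RECORDS.get(record_id)     # stands in for the actual RMI/SOAP call
    answer = server_response_filter(state.role, raw)
    client_response_update(state, answer)
    return answer
```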

Slide 23: Implementation
– RRMI, Regulated RMI: source-level RMI compatible
  – Full stub/skeleton generation
  – RRMI Registry fully implemented with LGI control
  – Policies written in Java in a simple, concise form
  – Good performance: overhead on the order of a few hundred microseconds per method call
  – Part of a subsequent release of the Moses platform
– Work in progress: move the protocol to SOAP

Slide 24: Summary
– WS are required to comply with enterprise-wide policies
  – Several approaches to access control
  – LGI control model for WS
– Synchronous interaction of WS
  – Stateful and fine-grained control
  – Control over the reply in synchronous interaction
