13.6. Web Services Authorization Model

In the Web service security model defined in WS-Authorization, a Web service checks whether an incoming access request, carrying a set of claims (such as name, privilege, or capability) and contextual information (such as the current time), is qualified to invoke the target service or to perform the requested operation. If the requester is not qualified, the Web service ignores or rejects the request. A service can state the claims and related information it requires in its policy, as described by the WS-Policy and WS-PolicyAttachment specifications. How a requester obtains security tokens carrying those claims from a security token service is described in the WS-Trust specification.

An authorization check is performed by an authorization service, a kind of STS (security token service) defined in WS-Trust. A requester or a Web service can invoke the authorization service with an appropriate set of claims and security tokens. The authorization service retrieves the applicable authorization policies and, using an authorization engine, determines whether the access should be allowed or denied. It returns the result of the authorization either by issuing an authorization token or by returning a response message. An authorization token proves the privileges or capabilities of its holder, but it may carry broader semantics, such as a validation result (valid or invalid) for an authorization token, an enumeration of the requester's rights, or a conditional response (the access is allowed, provided such-and-such a condition is satisfied). The authorization token is one of the security tokens defined in WSS: SOAP Message Security and related specifications. Thus, the mechanism designed for issuing and exchanging security tokens in WS-Trust is reusable in the WS-Authorization specification. The model, adapted from WS-Trust, is illustrated in Figure 13-2.

Figure 13-2. The trust model of WS-Trust.


The authorization service returns an error message if it cannot process the access request correctly, for example, when required claims or security tokens are missing, or when no applicable rule is found for the requested service.

The authorization service does not assume any specific authorization engine, authorization policy language, or authorization token format. The authorization model defines only the interfaces between an authorization service and a requester, and between an authorization service and a Web service.
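The exchange described above can be made concrete with a small model of the authorization service. The following is an added example written for this section, not code from the book or from any WS-Trust implementation: it assumes a constructed policy table keyed by target service, a constructed HMAC signing key standing in for the STS key, and a JSON-plus-HMAC token standing in for the XML security tokens that WS-Trust actually exchanges. It shows the three outcomes the text distinguishes (an issued authorization token, a deny decision, and an error when claims are missing or no policy applies) together with the token validation a Web service would perform on receipt.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample: the authorization policies managed by the authorization
# service, keyed by target service. Each policy names the claims it requires,
# a rule over claim values and contextual information, and the rights granted.
# "hour" in the context plays the role of the current-time claim from the text.
Policy = Dict[str, object]
POLICIES: Dict[str, Policy] = {
    "urn:example:orders": {
        "required_claims": ["name", "role"],
        "rule": lambda claims, ctx: claims["role"] in ("clerk", "manager")
        and 8 <= ctx["hour"] < 18,
        "rights": ["read", "write"],
    },
    "urn:example:payroll": {
        "required_claims": ["name", "role", "clearance"],
        "rule": lambda claims, ctx: claims["role"] == "manager"
        and claims["clearance"] >= 3,
        "rights": ["read"],
    },
}

# Constructed demo key; a real STS would hold its signing key in an HSM or keystore.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class AuthzResult:
    decision: str                    # "allow", "deny" or "error"
    token: Optional[dict] = None     # issued authorization token on "allow"
    reason: Optional[str] = None     # explanation on "deny" or "error"


def _sign(body: dict, key: bytes) -> str:
    """Canonical JSON serialization keeps the signature stable across reorderings."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def issue_token(service: str, claims: dict, context: dict, rights: List[str],
                key: bytes = SIGNING_KEY, ttl: int = 300) -> dict:
    """Issue an authorization token enumerating the holder's rights for one service."""
    body = {
        "subject": claims["name"],
        "service": service,
        "rights": list(rights),
        "not_after": context["now"] + ttl,   # bounds how long the decision is reusable
    }
    return {"body": body, "sig": _sign(body, key)}


def evaluate(service: str, claims: dict, context: dict,
             policies: Dict[str, Policy] = POLICIES,
             key: bytes = SIGNING_KEY) -> AuthzResult:
    """The authorization service: look up policy, check claims, run the rule."""
    policy = policies.get(service)
    if policy is None:
        # No applicable rule for the requested service: an error, not a deny.
        return AuthzResult("error", reason=f"no applicable policy for {service}")
    missing = [c for c in policy["required_claims"] if c not in claims]
    if missing:
        # Required claims absent from the request: also an error.
        return AuthzResult("error", reason="missing claims: " + ", ".join(missing))
    rule: Callable[[dict, dict], bool] = policy["rule"]
    if not rule(claims, context):
        return AuthzResult("deny", reason="policy rule not satisfied")
    token = issue_token(service, claims, context, policy["rights"], key)
    return AuthzResult("allow", token=token)


def validate_token(token: dict, service: str, now: int,
                   key: bytes = SIGNING_KEY) -> bool:
    """What the target Web service does on receipt: verify signature, scope and expiry."""
    expected = _sign(token["body"], key)
    if not hmac.compare_digest(expected, token["sig"]):
        return False                      # tampered or forged token
    body = token["body"]
    return body["service"] == service and now < body["not_after"]


if __name__ == "__main__":
    ctx = {"hour": 10, "now": 1_700_000_000}
    result = evaluate("urn:example:orders", {"name": "alice", "role": "clerk"}, ctx)
    print(result.decision, result.token["body"]["rights"])
    print(validate_token(result.token, "urn:example:orders", now=ctx["now"] + 10))
```

Keeping "error" distinct from "deny" matters operationally: a deny is an answer the policy engine produced and can be logged as such, while an error means the request could not be evaluated at all and the caller should not treat it as a cached negative decision. The validation step shows why the token's scope (`service`) and lifetime (`not_after`) belong inside the signed body rather than beside it.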

The security of the Web service authorization model therefore rests on the authorization policy managed by the authorization service: a correct engine enforcing a flawed or stale policy still produces wrong decisions.
