Security policy composition for composite services
Abstract
An application built on a Service-Oriented Architecture (SOA) is an assembly of external services, and such an application is itself called a composite service. A composite service may in turn be implemented by other composite services, so an SOA application can have a recursive structure, which is one of the characteristic features of SOA applications. Securing an SOA application is an important non-functional requirement. However, specifying the security policy of a composite service is not easy, because that policy must remain consistent with the policies of the external services invoked in its process. A way to assure the consistency of these policies is needed, but no concrete method has yet been developed for specifying a consistent policy for a composite service. This paper therefore proposes a mechanism that composes the security policy of a composite service from the existing policies of its external services. Our contribution is the automatic creation of a composite service's security policy based on predicate logic, supporting two approaches to policy composition: bottom-up and top-down. We focus on three kinds of security policy, namely a Data Protection Policy, an Access Control Policy, and a Composite Process Policy, and propose policy composition rules for each. Our mechanism makes it possible to validate the consistency of policies by inference without increasing the developer's workload, even when a composite service has a recursive structure. © 2008 IEEE.
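As an added illustration that is not taken from the paper (whose actual composition rules and predicate-logic formalism are not reproduced on this page), the following Python sketch models a hypothetical version of the two approaches named in the abstract. A bottom-up pass derives a composite service's Access Control and Data Protection policy from the policies of the services it invokes, recursing through nested composites and rejecting cyclic compositions; a top-down check validates a developer-declared policy against those derived policies by testing an entailment relation between policies. The policy representation (a set of permitted caller roles plus a minimum protection level), the composition rules (intersection of roles, maximum protection level), the service catalog and all service and role names are assumptions made for this example; the Composite Process Policy is not modelled.

```python
"""Illustrative policy composition for recursively composed services.

Hypothetical model, not the paper's formalism: a policy is
  - allowed_roles:   the set of caller roles permitted to invoke the service
  - min_protection:  the minimum protection level required on the data,
                     0 = none, 1 = integrity, 2 = confidentiality (assumed order)
Bottom-up composition derives a composite's policy as the most restrictive
combination of its children's policies; top-down composition checks a policy
declared by the developer against those derived policies and names the
external service each conflict comes from.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    allowed_roles: FrozenSet[str]
    min_protection: int

    def implies(self, other: "Policy") -> bool:
        """self |= other: every caller self admits is admitted by other, and self
        demands at least as much protection as other (entailment between policies)."""
        return (self.allowed_roles <= other.allowed_roles
                and self.min_protection >= other.min_protection)


@dataclass
class Service:
    name: str
    policy: Optional[Policy]   # declared policy; None for a composite without one yet
    invokes: List[str]         # names of the services this composite calls (empty for a leaf)


Catalog = Dict[str, Service]


def compose_bottom_up(catalog: Catalog, name: str, _stack=()) -> Policy:
    """Derive the policy of `name` from the services it invokes, recursively."""
    if name in _stack:
        raise ValueError(f"cyclic composition via {name}")
    svc = catalog[name]
    if not svc.invokes:  # leaf: an external service that carries its own policy
        assert svc.policy is not None, f"leaf {name} has no policy"
        return svc.policy
    roles = None
    protection = 0
    for child in svc.invokes:
        p = compose_bottom_up(catalog, child, _stack + (name,))
        roles = p.allowed_roles if roles is None else roles & p.allowed_roles
        protection = max(protection, p.min_protection)
    return Policy(frozenset(roles), protection)


def check_top_down(catalog: Catalog, name: str) -> List[str]:
    """Check the declared policy of composite `name` against each invoked service's
    derived policy. Returns human-readable conflicts; an empty list means consistent."""
    svc = catalog[name]
    declared = svc.policy
    if declared is None:
        return [f"{name}: no declared policy to check"]
    conflicts = []
    for child in svc.invokes:
        child_policy = compose_bottom_up(catalog, child)
        if declared.implies(child_policy):
            continue
        extra = declared.allowed_roles - child_policy.allowed_roles
        if extra:
            conflicts.append(f"{name} admits roles {sorted(extra)} that {child} rejects")
        if declared.min_protection < child_policy.min_protection:
            conflicts.append(f"{name} requires protection {declared.min_protection} "
                             f"but {child} requires {child_policy.min_protection}")
    return conflicts


def example_catalog() -> Catalog:
    """Constructed sample: 'payment' is a composite of two composites, 'settle' and 'quote'."""
    return {
        "ledger":  Service("ledger",  Policy(frozenset({"clerk", "auditor"}), 2), []),
        "notify":  Service("notify",  Policy(frozenset({"clerk", "auditor", "guest"}), 1), []),
        "fx_rate": Service("fx_rate", Policy(frozenset({"clerk", "guest"}), 0), []),
        "settle":  Service("settle",  None, ["ledger", "notify"]),
        "quote":   Service("quote",   None, ["fx_rate", "notify"]),
        # Developer-declared policy that is too permissive: 'guest' cannot reach 'ledger'.
        "payment": Service("payment", Policy(frozenset({"clerk", "guest"}), 2), ["settle", "quote"]),
    }


if __name__ == "__main__":
    cat = example_catalog()
    print("bottom-up policy of payment:", compose_bottom_up(cat, "payment"))
    for c in check_top_down(cat, "payment"):
        print("conflict:", c)
```

Running the script derives the bottom-up policy for `payment` (only `clerk` is admitted, because `ledger` rejects `guest` and `fx_rate` rejects `auditor`; confidentiality is required because `ledger` requires it) and reports that the declared policy wrongly admits `guest` towards `settle`. Replacing the declared policy with the derived one makes the top-down check pass, which is the consistency property the abstract describes; the check works unchanged when the invoked services are themselves composites.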