
Emad Elabd , Emmanuel Coquery, Mohand-Said Hacid

Selecting Web Services for Choreography Implementation: Compatibility Checking Approach with Access Control. Emad Elabd , Emmanuel Coquery, Mohand-Said Hacid. Seke- 1-3 July, 2010. Agenda:. Web Services and Web Services Choreography Business Protocol Compatibility


Presentation Transcript


  1. Selecting Web Services for Choreography Implementation: Compatibility Checking Approach with Access Control. Emad Elabd, Emmanuel Coquery, Mohand-Said Hacid. 1 July 2010. SEKE, 1-3 July 2010

  2. Agenda:
     • Web Services and Web Services Choreography
     • Business Protocol
     • Compatibility
     • Business Protocols for Choreography
     • BP Product Automata
     • Using ontology
     • The verification process
     • Complexity analysis
     • Related works
     • Conclusion and future work

  3. Web Services
     "A Web service is a software application or component that can be accessed over the internet using a platform/language-neutral data interchange format to invoke the service and supply the response, using a rigorously defined message exchange pattern, and producing a result that is sufficiently well-defined to be processed by a software application."
     • Web service characteristics:
       • Interactions: XML message exchange
       • Protocols: SOAP, HTTP
     [Figure: service-oriented architecture (SOA). Labels: Service Registry, Service Provider, Service Requestor, Service description, Web Service.]

  4. Web Services cont.
     Service description:
     • Structural: operations, data schemas, binding information and I/O message formats. Tools: WSDL
     • Behavioural: order of message exchange (business protocols). Tools: BPEL, WSCI, BPMN, etc.

  5. Web Services & Choreography
     [Figure: a designer collects Web services (WA1, WA2, WA3, WA4, ..., WAn) from the Web. Labels: Complex process, Described by, Process choreography, Selected Web services, Implements, Verification, Can implement process or not.]

  6. Business Protocol
     Informal definition: possible message exchange sequences supported by the service.
     Formal definition: an explicitly time business protocol is a tuple P = (S; s0; T; F) which consists of the following elements:
     • S is a finite set of states.
     • s0 ∈ S is the initial state.
     • T ⊆ S² × M × {+,-} is a finite set of explicit transitions.
     • This protocol is deterministic.
     • All states in the automaton are accessible and co-accessible.
     • F ⊆ S is a set of final states. If F = {∅} then P is said to be an empty protocol.

  7. Business Protocol cont.
     [Figure: two automata, p1 and p2, captioned "Business protocol of a search engine" and "State transition protocol of a search engine". Labels: states start, Logged, searching, answered and S0, S1, S2, S4; messages Login(+), search(+), answer(-), a(-), d(+), e(+).]

  8. Compatibility
     [Figure: a Service Consumer and a Service Provider exchange messages; the interactions of each side are described by a Business Protocol that specifies its messages. Question posed between the two Business Protocols: Compatible?]

  9. Compatibility
     • Informal definition: we say that P1 and P2 are compatible using their if:
       • All the messages sent by the service can be received by the consumer and vice versa, respecting the annotated constraints (time and ACP).
       • There is no livelock or deadlock (accessibility and co-accessibility).

  10. Compatibility ex.
     [Figure: two BPs and their product automaton. BP1 has states S0, S1, S2, S3, S4, S5; BP2 has states S'0, S'1, S'3, S'4, S'5; BP1 × BP2 has states (S0,S'0), (S1,S'1), (S3,S'3), (S4,S'4), (S5,S'5). Transition labels shown: a(+), a(-), b(+), c(-), d(+), d(-), e(+), e(-), f(+), f(-).]

  11. Incompatible ex.
     [Figure: BP1 with states S0, S1, S2, S3, S4, S5; BP2 with states S'0, S'1, S'3, S'4, S'5; BP1 × BP2 with states (S0,S'0), (S1,S'1), (S3,S'3), (S4,S'4), (S5,S'5). Transition labels shown: a(+), a(-), b(-), c(+), d(+), d(-), e(+), e(-), f(+), f(-).]
     The two protocols are incompatible.

  12. Web Services: Access control
     • Development of suitable access control models
     • Traditional access control models are not satisfactory:
       • Conversational nature of Web services.
       • Web service as a set of dependent operations.
     • Approaches to avoid situations where the client cannot progress in the conversation due to the lack of required security requirements.
     • Research directions in access control:
       • Development of new access control models (e.g., NIST Standard RBAC model WS-AC1, and the conversation-based Web services access control model by Massimo M. et al.).
       • Development of policy languages for access control (XACML, WS-Policy and finally Semantic Web based languages such as Rei and KAoS).

  13. Compatibility with AC:
     • For login: professor credential or student card
     • For accessing journal papers: professor credential
     • For accessing conference papers: professor credential or student card
     [Figure: business protocol of the web service (P1) and a consumer (P2) without assigning the ACP. P1 states: start, Logged, ReceivedJournalReq, JournalPapers, ReceivedconfReq, conferPapers; P1 messages: Login(+), getJournalReq(+), getJournalRes(-), getconferenceReq(+), getconfRes(-). P2 states: start, Logged, SentRequest, GetJournalPaper; P2 messages: Login(-), getJournalReq(-), getJournalRes(-).]

  14. Compatibility with AC cont.:
     [Figure: business protocol of the web service (P1) and a consumer (P2) after assigning the ACP. P1 transitions: Login(+), Prof or Student; getJournalReq(+), Prof; getJournalRes(-); getconferenceReq(+), Prof or Student; getconfRes(-). P2 transitions: Login(-), Student; getJournalReq(-); getJournalRes(-). States as on the previous slide.]

  15. Compatibility with AC cont.: Cumulative access control policy
     • C: a credential or a set of credentials.
     • M: refers to the message.
     [Figure: P1 (states S0 to S4) with transitions M1(-),C; M2(+); M3(-); M4(+) and P2 (states S'0 to S'4) with transitions M1(+); M2(-); M3(+,C); M4(+). Below, P1 with cumulative ACP has transitions M1(-),C; M2(+); M3(-),C; M4(+), shown against the same P2.]

  16. Compatibility with AC cont.:
     [Figure: three protocols over states S0 to S7.
     P1 transitions: M1(-),x; M2(-); M3(+); M4(+); M5(-),y; M6(+); M7(-), zx or yz; M8(+).
     P2 transitions: M1(+); M2(+); M3(-); M4(-); M5(+); M6(-); M7(+), zx or yz; M8(-).
     P3 transitions: M1(+); M2(+); M3(-); M4(-); M5(+); M6(-); M7(+), xz; M8(-).
     Annotations on the figure, in page order: "Policy", "Compatible" (before P2); "Compatible?", "Answer: No" (before P3).]

  17. Compatibility with AC cont.:
     [Figure: P1 (states S0 to S7) with transitions M1(-),x; M2(+); M3(+); M4(+); M5(-),y; M6(+); M7(-), zx or yz; M8(+). P2 (states S0 to S4) with transitions M1(+); M3(-); M7(+), zx; M8(-). Annotation: "Policy".]
     • Are the two protocols compatible?
     • By applying the rule of the previous example the answer seems to be NO, because the policy on M7 in P2 will not be satisfied by the set of credentials of M7 in P1.
     • But they are compatible.
     • Some paths will not be taken during the interaction.
     • Compare the credentials and policy after determining the paths of interaction between the two protocols (product automata).

  18. Access Control Policy cont.: Example of incompatibility
     [Figure: two BPs assigned with access control policy and their product automaton. BP1 has states S0, S1, S2, S3, S4, S5 and transition labels a(+), (c1); c(+); d(+); e(+); f(-). BP2 has states S'0, S'1, S'3, S'4, S'5 and transition labels a(-), c1; b(-); d(-),c2; e(-); f(+),c2,c3. BP1 × BP2 has states (S0,S'0), (S1,S'1), (S3,S'3), (S4,S'4), (S5,S'5). Annotations on the figure: P11 = c1, c12 = c1; P22 = 0, c21 = c2; P31 = 0, c32 = 0; P42 = c2c3, c41 = 0; C12 = c1, C21 = c2, C32 = c1, C41 = c2.]
     • P11: policy of protocol BP1 in transition 1
     • C12: set of credentials of protocol BP2 in transition 1

  19. Web Service Choreography
     • Web service choreography relates to describing externally observable interactions between web services
     • Choreography == Multi-party Collaboration
     [Figure: a message and its attributes. Labels: Message, Partners, Sender, Receiver, Operation, ACP, Credentials.]

  20. Business Protocols for Choreography

  21. Product Automata
     [Figure: product automaton of the choreography.
     Initial state: ((Buyer, start),(Seller, start),(Broker,start),(CreditAgency,start))
     Transition labels:
     • (Broker, Seller, QuoteUpdate, QuoteUpdateReq, ACP=true, C=true)
     • (Seller, Broker, SubmitArticleSpec, AritclesubmitReq, ACP=true, C=true)
     • (Seller, CreditAgency, checking credit, CreditCheckReq, ACP=Visa Card, C=BNP Visa Card)
     • (Broker, Buyer, SubmitArticle, Aritclesubmitorder, ACP=true, C=true)
     • (CreditAgency, Seller, checking credit, Sucess, ACP=true, C=true)
     • (CreditAgency, Seller, checking credit, Failure, ACP=true, C=true)
     State labels: ARTICLE SPECIFIATION SUBMIT, Quote Updating Request-KS, Payement Request-Ks, Payement Check-Sc, Article Submit, Articlerecieved, Payement Success-Cs, Payement failure-CS, ...]

  22. Access control policy ontology
     [Figure: card ontology with the nodes card, Student card, Professor card, School card and University card, linked by Isa edges.
     P1 (states start, Logged, ReceivedJournalReq, JournalPapers, ReceivedconfReq, conferPapers) with transitions Login(+), Prof or Student card; getJournalReq(+), Prof; getJournalRes(-); getconferenceReq(+), Prof or Student; getconfRes(-).
     P2 (states start, Logged, SentRequest, GetconfPaper) with transitions Login(-), school Student; getconferenceReq(-); getconfRes(-).]

  23. The verification process
     • Select the Web services and get their business protocols assigned with the ACP and credentials.
     • Create the product automata between these protocols.
     • Calculate the cumulative ACC on the product automata (as defined in definition 4).
     • Check the compatibility in terms of ACP between these protocols (as defined in definition 6) using algorithm 1 for calculating and checking the ACP on the product automata.
     • If the business protocols are compatible in terms of message exchange and ACP, and the product automata presents the same behavior as the choreography, then the set of services which have these business protocols can implement this choreography. Otherwise, this choreography cannot be implemented by these services.

  24. Complexity analysis
     • Let T1 and T2 be the number of transitions of the two protocols P1 and P2 respectively.
     • The construction of the product automata will take (T1 × T1).
     • The calculation of the cumulative credentials will take the number of states in the product automata (S1 × S2) multiplied by the size of the longest non-looping path multiplied by (S1 × S2) (i.e. cumulative credentials take (S1 × S2)³).
     • As a result, the complexity of the algorithm will be ((T1 × T1) + (S1 × S2)³).

  25. Conclusion and future work
     • High-level analysis of business protocols used in the web service after explicitly assigning ACP on them.
       • Cumulative access control policy
       • Compatibility analysis
     • Propose a verification approach to verify the behaviors specified by process choreographies and the selected web services for implementing these choreographies.
     • In our work, using an ontology of ACP is important in determining the relation between the compared policies and credentials. This comparison is needed in checking the compatibility and replaceability.

  26. Conclusion and future work
     • For future work:
       • Generalization: the approach works with most message specification attributes (XMLSchema, Access Control Policy, Privacy, Meaning, Response Time, Credentials).
       • Applying our analysis on multi-clock time automata where each transition has its own clock.
       • Automatically build adapters allowing a set of services to work together even though they are not directly compatible.
       • Another extension is to use these tools for web service composition.
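
An added example (not from the presentation or its authors) of the path-aware check described on slides 17 and 23: build the product of two business protocols, accumulate the sender's credentials along each path, and test the receiver's ACP only on transitions the interaction can actually reach. The tuple encoding, the policy-as-alternatives representation, the name `check` and the three sample protocols are assumptions constructed for illustration; livelock, deadlock and final-state checks are left out.

```python
from collections import deque

TRUE = [frozenset()]  # ACP that any credential set satisfies

def check(p1, p2):
    """Walk the product automaton of two protocols; return the problems found.

    Transition = (source, message, polarity, annotation, target). For "-" (send)
    the annotation is the credential set presented; for "+" (receive) it is the
    ACP as a list of alternative credential sets (assumed encoding).
    """
    problems, seen = [], set()
    queue = deque([(p1["init"], p2["init"], frozenset(), frozenset())])
    while queue:
        state = queue.popleft()
        if state in seen:
            continue
        seen.add(state)
        s1, s2, c1, c2 = state
        # Pair every send of one party with a receive of the other party.
        for snd, rcv, ss, rs, held, p1_sends in ((p1, p2, s1, s2, c1, True),
                                                 (p2, p1, s2, s1, c2, False)):
            for src, msg, pol, creds, dst in snd["T"]:
                if src != ss or pol != "-":
                    continue
                match = [t for t in rcv["T"] if t[:3] == (rs, msg, "+")]
                if not match:
                    problems.append(f"{msg} sent in {ss} cannot be received in {rs}")
                    continue
                policy, rdst = match[0][3], match[0][4]  # protocols are deterministic
                cumulative = held | frozenset(creds)     # credentials accumulate on the path
                if not any(alt <= cumulative for alt in policy):
                    problems.append(f"{msg}: ACP not satisfied by {sorted(cumulative)}")
                    continue
                queue.append((dst, rdst, cumulative, c2) if p1_sends
                             else (rdst, dst, c1, cumulative))
    return problems

# Constructed sample protocols (not the ones drawn on the slides).
NEED_XZ = [frozenset({"x", "z"})]
P1 = {"init": "S0", "T": [  # branch via M2 presents x then z, branch via M4 presents y then z
    ("S0", "M2", "+", TRUE, "S1"), ("S1", "M1", "-", {"x"}, "S2"), ("S2", "M7", "-", {"z"}, "S3"),
    ("S0", "M4", "+", TRUE, "S5"), ("S5", "M5", "-", {"y"}, "S6"), ("S6", "M7", "-", {"z"}, "S3")]}
P2 = {"init": "S'0", "T": [  # only ever triggers the M2 branch
    ("S'0", "M2", "-", set(), "S'1"), ("S'1", "M1", "+", TRUE, "S'2"), ("S'2", "M7", "+", NEED_XZ, "S'3")]}
P3 = {"init": "S'0", "T": [  # triggers the M4 branch instead
    ("S'0", "M4", "-", set(), "S'1"), ("S'1", "M5", "+", TRUE, "S'2"), ("S'2", "M7", "+", NEED_XZ, "S'3")]}

if __name__ == "__main__":
    print("P1 x P2:", check(P1, P2) or "compatible")
    print("P1 x P3:", check(P1, P3) or "compatible")
```

P1 contains a path whose cumulative credentials {y, z} would fail the M7 policy, yet P1 and P2 pass because that path is never taken in their product; P3 drives P1 down that path and the same policy fails.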
