面向Web服务的基于属性的访问控制研究

Web服务是一种新的面向服务的计算模式，由于其异构性、多域性和高度动态性，它提出了独特的安全挑战。一个关键的安全挑战就是要设计有效的访问控制机制。但目前存在的访问控制机制大多是基于身份的，存在严重的管理规模和控制粒度问题。本文提出利用基于属性的访问控制（Attribute-Based Access Control，ABAC）机制来处理Web服务的访问控制问题。ABAC采用相关实体的属性进行授权决策，能解决管理规模问题，并提供细粒度的控制。另外，文中对ABAC进行了建模，讨论了其应用，最后还给出了一种实施框架。

Study on Attribute-Based Access Control for Web Services

Web service is a new service-oriented computing paradigm which poses the unique Security challenges due to its inherent heterogeneity,multidomain characteristic and highly dynamic nature.A key challenge in Web services se- curity is the design of effective access control schemes.However,the most of current access control systems is based authorization decisions on subject identity,occrues serious administrative sealability and control granularity problems. In this paper,an attribute-based access control (ABAC) model is presented to address these issues.ABAC grants ac- cesses to services based on the attributes possessed by related entities,and can provide administratively scalable alterna- tive to identity-based authorization methods and provide fine-grained access control for Web services.Moreover,we de- velop a pattern for ABAC,discuss its application issues,and also describe the implementation architecture for the sys- tem in the end.