A Survey on Authorization Systems for Web Applications

IOSR Journal of Computer Engineering (IOSR-JCE)
e-ISSN: 2278-0661,p-ISSN: 2278-8727, Volume 17, Issue 3, Ver. 1 (May – Jun. 2015), PP 01-05
www.iosrjournals.org
DOI: 10.9790/0661-17310105 www.iosrjournals.org 1 | Page
A Survey on Authorization Systems for Web Applications
1
Mr. Midhun TP, 2
Mr.Prasanth Kumar PV, 3
Mr. Anoop Jose
1,2,3
(Assistant professor ,Department of CSE ,Vimal Jyothi Engineering College, Chemperi ,Kerala ,India).
Abstract: Web services are the most important point of usage for the modern web architecture. The Service
oriented architecture (SOA) used in web services offers a simple platform for integrating heterogeneous
distributed web applications and service. The distributed and open nature of the present system makes it
vulnerable to security issues such as Web service Description Language (WSDL) spoofing, Middleware
Hijacking, etc. Assuring security for the web services to solve all security flaws is difficult. Authorization is an
important aspect for assuring security. Authorization failure can create much vulnerability for the system
security using web services which are distributed in nature. In this paper a survey of the authorization
techniques for web services based application.
Keywords: web services, authorization, access control in web services, attacks on web services
I. Introduction
The emerging web architecture is mainly composed of distributed and heterogeneous Web Services
(WS). Web services are a reliable way to offer online products and services through internet [1]. Web services
are the platforms for heterogeneous distributed computing requirements. The main design goals for web services
are interoperability, openness and easy usage [2]. Modern web services are follows the service oriented
architecture (SOA) [3]. SOA is completely Extensible Mark-up Language
(XML) oriented. In SOA, model a user can get the details of the services from service directory and by
using this description the user can get a service form web service provider. In SOA [4] the communication
between different services providers are through the Simple Object Access Protocol (SOAP) messages which are
purely XML based. This Common XML based communication model enables the user to communicate between
different platforms freely and independently. [5] Many standards are defined for the smooth functioning of SOA
such as Web Service Description Language (WSDL) for interface description, Universal Directory, Discovery
and Integration (UDDI) for service directory. WS-security ensures many additions to SOAP protocol for
satisfying the necessary security requirements Traditional measures to address the security threats are not
adequate to address the threats related with the modern web services or internet applications. [6] Modern web
services are based on the service oriented architecture. In the case of Service oriented architecture the relation
between users and service providers will be mostly dynamic in nature. Also heterogeneous applications or
services can be integrated together for providing the services. This makes the system more vulnerable to many
security threats.
1.1. Web services and security
Security is a crucial factor of consideration for usage and adoption of Web service technology to the
existing web architecture.[7] Web services provide a mean to find and integrate heterogeneous services through
online, based on a directory service. The distributed and open nature of web services makes the system
vulnerable for many security threats.[8] Like any other secure system the primary security requirements are
integrity, confidentiality and availability. Any attempt to compromise any of these is an attack. Security threats
for the web services can be analyzed based on the known attacks against web services. The web service is
composed of different Layers namely Application layer, Middle ware layer, protocol infrastructure [9].
According to Vorobiev et.al [1]. Attacks against web services can be classified into 5 categories such as
Discovery attacks, Application attacks, Semantics attacks, SOAP attacks and XML attacks. Different well
known attacks against web services are listed below.
 CDATA Field Attacks
 XML based attacks
 Probing attacks
 Oversize Payload
 WS-Addressing Spoofing
 Middleware Hijacking
 Coercive Parsing attacks
 Semantic WS attacks
 BEPL state deviation

XML based attacks uses XML as a career of attack.it includes subclasses including Parsing Attacks,
XML Injection and XPath Injection Attacks.[11]Attacks can be performed by modifying the XML structure
after sending the stream to system (web server) or by sending extremely complicated but legal xml documents to
system to exhaust the resources. Another possiblity of attack is through malicious SOAP requests. Injection
attacks such as SQL injection attacks, XPATH injection attacks can create serious problems with the availability
factor of web services [12]. WSDL is another important point of interest for attackers. [13] WSDL defines all
avaliable services and parameters for the customer and an attacker can easily target this vulnerability. [14]In
Semantic WS, Denial of Service (DoS) attacks can be done if an attacker creates big or very complicated
ontologies or schemas in order to hang a parser. This makes the resources unavailable for the legitimate users.
1.2. Authorization
The purpose of the authorization is to limit the operations of a legitimate user in the system [16].
Authorization verifies the previlages of the user in the system and grants permission for the user to access the
requested service.Many of the security threats related with web services is shown in table 1. There exists
defence mechanisma for the attacks which depends mainly on improving the authorization of the system.
Table 1. Attacks on web services
S.No. Attack Defence Mechanism
1 XML based Authorization
2 XML Injection Schema Validation
3 Coersive Parsing Schema Validation
4 Middleware Hijacking Authorization
5 Semantic WS attcks Schema validation
6 C-Data field attacks Validation
7 State deviation Behavioral analysis
8 WS-flooding
(tranport,oversize
payload,schema poisoning)
-
1.3. Common Authorization models for web services
Common access control models
 Discretionary access control models(DAC)
Discretionary access control system is one of the most popular authorization models used today. This is
based on applying rights on object for the client users by the owner of the object. [17] The main attractive
feature of this model is the flexibility that it offers for the access control. As the user can assign access rights for
the objects polices can be defined into the fine grained level easily.
 Mandatory access control model(MAC)
Main Idea behind this model is that to assign differ security levels for the subjects by a centralized
authority. Owner can‘t change the policies .With mandatory access control model it is not easy to represent the
natural relation between the subjects [18].
 Role-based access control model(RBAC)
In this model of access control it is needed to identify the roles in the system and assign the roles to the
users. This role based access control system simplifies the management overhead. [19] And also it is well suited
with the dynamically changing environments. The mapping can be done either in centralized or non-centralized
manner.eg. Trusted third party.
 Trust-based access control models
Trust based on using the technique of trust negotiation to map globally meaningful statements
regarding a previously [16] unknown client into security tokens that are meaningful to resources deployed in the
Trust service‘s security domain.
 Capability based access control
This model is not a commercially successful model. In this access control model a subject is associated
with a list that describes the objects for which a subject is authorized. This list is called the capability list. Sadhu
et al. [16] describes this model .The possession of a capability allows access to resources. Once a capability is
distributed, it is difficult to revoke it

II. Authorization Models For Web Services
Few proposed authorization frameworks are discussed below. Authorization system varies the way in
which the access control polices can define and the authorization request are performed. Different methods use
different means to transfer the proofs between the subjects.
2.1. Attribute based Access Control
This paper [21] proposes an access control based on three types of attributes named subject attributes,
Resource attributes, Environment attributes. This proposed system consists of a Policy Enhancement Point
(PEP) which accepts the Authorization requests and performs the authorization based on the attribute authorities
and policy authorities. The authorization decision will be made by the Policy Decision Point (PDP). Extended
Access Control Mark-up Language (XACML) is used to support the transfer of decisions between the users and
subjects. A policy store consists of all the policy rules regarding the objects in the system.
2.2. Access Control Enforcement for Web Services by Event-Based Security Token Processing
This is a XACML based Authorization system [22] for authorizing the customer based on the SOAP
and HTTP header parameters. This authorization technique mainly tries for the early detection of the
unauthorized requests based on the signatures <Signature Value> of the different header attributes. A timestamp
is added to SOAP header for the detection and avoidance of replay attacks. This authorization checks the header
early so that the oversized payload attacks can be detected. Security token encloses the user details.
2.3. Web Service Authorization Framework
This framework [23] accepts user based parameters during authorization session. In the service level
the user authorization process will check for the policy or rules, if any rules found in that level the rule will be
checked with the request. Else if rules are not found in the Service level the authorization system will check at
the component level for the rules .If any rules are not found the access will be rejected. A servlet filter is used
for implementing the Authorizing server. This authorizing server performs the parsing of SOAP requests and
checks with the existing rules
2.4. Role based access control using LDAP[24]
This type of access control is useful to large enterprises. With the properties of both the access control
mechanisms the LDAP can be used to implement Role based Access Control. The features of LDAP both user-
pull and server-pull architecture can be used. In user pull architecture the user will pull the roles from the role
server where the roles are assigned to the users. In server –pull architecture the server will pull, the roles from
the role server as needed and the user does not need the access to their roles. With the features of both the access
controls the Light Weight Access Control can be used to implement the RBAC using the server-pull
architecture. Initially the client has to authenticate themselves to the server to get the roles which the server will
take from the role server. The roles are given to the clients which are authenticated with the name, passwords or
the IP address. These roles are later used for the implementation of the Role Based Access Control.
2.5. Interactive Access Control for Web Services
This authorization system[25] consist of a Policy Evaluator which is standard representation of
different policies of different partners, a Policy Orchestrator which defines the partners which are involved in a
web service which is requested, and an authorization server which performs the location and integration of
different policy evaluator. Authorization includes a set of declined credentials and presented credentials.
2.6. Intrusion tolerant Authorization System for internet applications
In this authorization system authorization is done based on Symbolic references [26]. User requests
will be authorized and the proof of authorization will be generated as permissions and capabilities. This can
proofs can be verified in the server for verification. For composite operations also this system is capable of
perform the authorization. The request will authorized by a distributed server for avoiding the single point of
failure. The system uses Asynchronous binary byzantine agreement for avoid the single point of failure
.XACML is used for the delivery of the proof into the server.
2.7. Role based access control for the World Wide Web
Admin Tool for the creation of the users, roles and the permission granting. An end-user interaction
with the RBAC or web start with the creation of RBAC session.[27] At the time of session creation the end user
is assigned with Active Role Set (ARS) and it will determine the operations that the end user can perform. The
role will be existing till the time of session. The users are provided with a subset of assigned roles for the easy
selection of the roles. Since the end-user authentication and the RBAC session are separate operations the web

can work with any authentication mechanism. So RBAC/Web have the advantage of the role based access
control for intranet network and can be combined with the existing system without any server modification.
Comparison of different authorization techniques for web services
Many quality metrics are proposed by the National Institute of Standards and Technology (NIST) [28]
for the assessment of access control systems .Parameters includes steps required for assigning and reassigning
the user capabilities, steps required for assigning and reassigning the object access control entries into the
system, degree to which the system supports the concept of least privilege, Separation of the duty etc. A few
parameters which is depends on the web services are selected to compare the different authorization techniques.
Separation of duty is means the ability for delegating of authorities to others, usually for completing composite
operation. Fine grained level authorization can be used to authorize the objects for composite operations.
Authorization systems can be either static or dynamic. Dynamic authorizations systems can accommodate the
user while the system is running. Steps required for assigning and re-assigning the policies to the system is
another parameter for finding the performance of the system.
Comparison results are tabulated below:
Table 2. Comparison of various authorization Techniques for Web Services
Separat
ion of
Duty
Fine- Grained
Authorization
Nature of the
System*
Performance of
AC#
enforcement
Steps Required
to assign and
reassign
capabilities
Method used
for transferring
capabilities
Can be
integrate with
SOA based
web services
[ 2 1 ] - yes Dynamic - less - yes
[22] no no Dynamic - - Tokens yes
[ 2 4 ] yes yes Dynamic good less XACML yes
[24] yes no static - more - no
[25] - yes static medium - - yes
[26] - yes static more XACML no
[27] yes no static - more - no
*nature of the authorization system specifies whether its is static or dynamic (access control)
#
Access Control
III. Conclusion
Web service is the major architecture used for resource and service identification and usage in recent
times due to its ease of use. With the growth in the web services technology the security threats also increases
for assuring the security of the web services authorization is an important factor. Many security vulnerabilities‘
can be avoided by proper authorization and secure access controlling. Most of the proposed systems are doing
authorization based on the role based model. For an authorization system to be compatible with SOA, the
system should be able to authorize the dynamic arrival of the users. Also the system should be capable of
communicating with SOA based services. Most of the systems do not have the capability to dynamically
authorize the requests.
References
[1]. Vorobiev, A. and Han, J. (2006) ‗Security attack ontology for web services‘, Proceedings of the Second International Conference on
Semantics, Knowledge, and Grid (SKG'06), 2006, pp. 42.
[2]. E. Yuan and J. Tong. Attribute based access control (ABAC): a new access control approach for service oriented architectures.
Ottawa New Challenges for Access Control Workshop, April 2005
[3]. SOA: principles of service design, Thomas Erl, New York: Macmillan ,2008
[4]. Martin Gudgin, Marc Hadley, Noah Mendelsohn, Jean-Jacques Moreau, and Henrik Frystyk Nielsen. SOAP Version 1.2 Part 1:
Messaging Framework. W3C Recommendation,2003.
[5]. M. Naedele, ―Standards for XML and Web services security,‖ IEEE Computer, vol. 36, no. 4, pp. 96–98, Apr. 2003.
[6]. B. Thuraisingham, ―Security standards for the semantic web,‖ ComputStand. Interfaces, vol. 27, no. 3, pp. 257–268, Mar. 2005.
[7]. Schahram Dustdar, Wolfgang Schreiner .A survey on web services composition, International Journal of Web and Grid Services
Volume: 1, Issue: 1, Inderscience (2005)
[8]. Elspeth Wales, Web Services Security, computer fraud & security,1, 2003, 15-17.
[9]. Web Services Architecture Working Group, ―Web Services Architecture Requirements‖, W3C Working DraJ, Aug. 19,
2002[http://www.w3.org/TIU2002/WD-wsa-reqs-2010921
[10]. M. McIntosh and P. Austel, ―XML signature element wrapping attacks and countermeasures,‖ in SWS ‘05:Proceedings of the 2005
workshop on Secure web services. ACM Press, 2005, pp. 20–27.
[11]. M. Jensen, N. Gruschka, and R. Herkenh¨oner, ―A survey of attacks on web services,‖ Computer Science - Research and
Development (CSRD), Springer Berlin/Heidelberg, 2009.
[12]. Y. Kim, W. C. Lau, M. C. Chuah, and J. H. Chao, ―PacketScore: Statistical-based Overload Control againstDistributed Denial-of-
Service Attacks‖, IEEE INFOCOM, March 2004.
[13]. Gruschka N, Luttenberger N, Herkenh• oner R (2006) Event-based SOAP message validation for WSSecurityPolicy Enriched web
services. In: Proceedings of the International Conference on Semantic Web & Web Services.
[14]. Scheafer G (2005) Sabotageangrie auf Kommunikationsstrukturen:Angri_stechniken und Abwehrmanahmen.PIK 28 pp 130-139

[15]. Gruschka N, Luttenberger N, Herkenh• oner R (2006) Event-based SOAP message validation for WSSecurityPolicy Enriched web
services. In: Proceedings of the 2006 International Conference on Semantic Web &Web Services
[16]. Sandhu R. and Sanarati P. ―Access control Principles and practice‖, IEEE Communications, 32(9), 1994.
[17]. osborn, s., sandhu, r., and munawer, q. 2000. Configuring role-based access control to enforce
mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Sec. 3, 2.
[18]. Lindqvist, H.: Mandatory Access Control. Umea University, Department of Computing Science, SE-901 87, Umea, Sweden.(2006)
[19]. J. D. Mo_et and E. C. Lupu. The uses of role hierarchies in access control. In Proceedings of 4th
ACM Workshop on Role-based
Access Control, October 1999.
[20]. V. Hu, D. Ferraiolo, and D. Kuhn. Assessment of Access Control Systems. Technical report, National Institute of Standards and
Technology, September 2006.
[21]. E. Yuan and J. Tong. Attribute based access control (ABAC): a new access control approach for service oriented architectures.
Ottawa New Challenges for Access Control Workshop, April 2005.
[22]. Gruschka N, Herkenh• oner R, Luttenberger N (2007) Access Control Enforcement for Web Services by Event-Based Security
Token Processing. In: Braun T, Carle G,Stiller B (eds) 15. ITG/Gi Fachtagung Kommunikation in Verteilten Systemen (KiVS
2007), pp 371-382
[23]. T. Ziebermayr and S. Probst. Web Service Authorization Framework. In International Conference on Web Services (ICWS), San
Diego, CA, USA, 2004..
[24]. PARK, J. S., AHN, G. -J.,SANDHU, R. S. RBAC on the Web using LDAP. In Proceedings of the 15th IFIP WG 11.3 Working
Conference on Database and Application Security 2008
[25]. KOSHUTANSKI, H. AND MASSACCI, F. Interactive access control for Web Services. In Proceedings of the 19th IFIP
Information Security Conference (SEC‘04), Toulouse, France. Kluwer Press,151–166,2004.
[26]. Y. Deswarte, N. Abghour, V. Nicomette, and D. Powell, ―An intrusion-tolerant authorization scheme for internet applications,‖ in
Proc. IEEE/IFIP Int. Conf. Dependable Systems and Networks (DSN‘2002), Suppl. pp. C.1.1–C.1.6,2002
[27]. V. Hu, D. Ferraiolo, and D. Kuhn. Assessment of Access Control Systems. Technical report, National Institute of Standards and
Technology, September 2006.
[28]. Hu, V., Ferraiolo, D., Kuhn, D.: Assessment of access control systems — NIST interagency report. Technical report, National
Institute of Standards and Technology (2006).

A Survey on Authorization Systems for Web Applications

More Related Content

What's hot (14)

Viewers also liked (6)

Similar to A Survey on Authorization Systems for Web Applications (20)

More from iosrjce (20)

Recently uploaded (20)

A Survey on Authorization Systems for Web Applications