Access Control: Policies, Models, and Mechanisms
- FOUNDATIONS OF SECURITY ANALYSIS AND DESIGN (TUTORIAL LECTURES), 2001
Cited by 38 (5 self)
Access control is the process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied. The access control decision is enforced by a mechanism implementing regulations established by a security policy. Different access control policies can be applied, corresponding to different criteria for defining what should, and what should not, be allowed, and, in some sense, to different definitions of what ensuring security means. In this chapter we investigate the basic concepts behind access control design and enforcement, and point out different security requirements that may need to be taken into consideration. We discuss several access control policies, and models formalizing them, that have been proposed in the literature or that are currently under investigation.
Requirements for xml document database systems
- In Proceedings of the 2001 ACM Symposium on Document Engineering, 2001
Cited by 15 (0 self)
The shift from SGML to XML has created new demands for managing structured documents. Many XML documents will be transient representations for the purpose of data exchange between different types of applications, but there will also be a need for effective means to manage persistent XML data as a database. In this paper we explore requirements for an XML database management system. The purpose of the paper is not to suggest a single type of system covering all necessary features. Instead the purpose is to initiate discussion of the requirements arising from document collections, to offer a context in which to evaluate current and future solutions, and to encourage the development of proper models and systems for XML database management. Our discussion addresses issues arising from data modelling, data definition, and data manipulation.
An access control framework for business processes for Web services
- In Proceedings of the 2003 ACM workshop on XML security, 2003
Cited by 12 (2 self)
Business Processes for Web Services are the new paradigm for the lightweight integration of business from different enterprises. Whereas the security and access control policies for basic web services and distributed systems are well studied and almost standardized, there is not yet a comprehensive proposal for an access control architecture for business processes. The major difference is that business processes describe complex services that cross organizational boundaries and are provided by entities that see each other as just partners and nothing else. This calls for a number of differences with traditional aspects of access control architectures such as
• credential vs classical user-based access control,
• interactive and partner-based vs one-server-gathers-all requests of credentials from clients,
• controlled disclosure of information vs all-or-nothing access control decisions,
• abducing missing credentials for fulfilling requests vs deducing entailment of valid requests from credentials in formal models,
• “source-code” authorization processes vs data describing policies for communicating policies or for orchestrating the work of authorization servers.
Looking at the access control field we find good approximation of most components but not their synthesis into one access control architecture for business processes for web services, which is the contribution of this paper.
∗ This work is partially funded by the IST programme of
Towards Access Control for Visual Web Model Management
- Proc. 2005 IEEE International Conference on e-Technology, eCommerce and e-Service (EEE’05), Hong Kong, China, 29 March – 1 April 2005, IEEE CS
Cited by 1 (0 self)
With the advance of E-Commerce over Web-based information, the interoperability of isolated XML repositories and databases over the Internet has drawn an increasing interest recently. Little effort, however, has been made to preserve necessary autonomy and security of each individual XML repository or database during information exchange or evolution. Generic model management has been intensively researched and also implemented in a prototype since its first introduction. Security related research is yet to be conducted for model management. This paper presents a uniform security model for access control specifications of heterogeneous data models over the Web. Based on the uniform representation, we present security extensions to our previous work on visual model management operators for managing access control specifications to allow heterogeneous Web data models to exchange information over public networks.
Secure Model Management Operations for the Web
- In S. Jajodia and D. Wijesekera (Eds.) Data and Application Security XIX - Proc. 19th Annual IFIP WG 11.3 Working Conference on Data and Applications Security
Cited by 1 (0 self)
The interoperability among different data formats over the Internet has drawn increasing interest recently due to more and more heterogeneous data models are used in different Web services. In order to ease the manipulation of data models for heterogeneous data, generic model management has been intensively researched and also implemented in a prototype since its first introduction. Access control specifications attached to each individual data model require significant amount of efforts to manually specify. Based on a general security model for access control specifications on heterogeneous data models and its visual representation, we present secure model management operators for managing access control specifications. The secure model management operators discussed in the paper include a secure match operator and a secure merge operator. We introduce a novel graphical schema matching algorithm and extend the algorithm to make a secure match operator. The paper also discusses secure merge principles for the integration of data models.
XML Access Control for Semantically Related XML Documents
Cited by 1 (1 self)
The extensible markup language (XML) is a standard for describing information on the Internet and is quickly becoming the most preferred way to store and exchange information. The need to provide controlled access to such information is imminent. In this paper, we present an access control mechanism for a collection of semantically related XML documents such as a collection of user records in XML for a distributed information system where the existing XML access control mechanisms are not easily applicable.
Distributed Access Control For Web And Business Processes
- 2003
Middleware influenced the research community in developing a number of systems for controlling access to distributed resources. Nowadays a new paradigm for the lightweight integration of business resources from different partners is starting to take hold -- Web Services and Business Processes for Web Services.
Abstracting Application-Level Web Security
- In World Wide Web, 2002
Application-level web security refers to vulnerabilities inherent in the code of a web-application itself (irrespective of the technologies in which it is implemented or the security of the web-server/back-end database on which it is built). In the last few months application-level vulnerabilities have been exploited with serious consequences: hackers have tricked e-commerce sites into shipping goods for no charge, usernames and passwords have been harvested and confidential information (such as addresses and credit-card numbers) has been leaked.
Access control management for ubiquitous computing
- 2007
Privacy enabled Web service access control using SAML and XACML for home automation gateways
A recent trend in home automation are gateways that offer a Web service based Application Programming Interface (API) to access an underlying home automation system. Due to the ease of use and the interoperability of Web services numerous use cases can be found for third party applications using such APIs. Smart homes allow to control nearly every aspect of living within a building, which also imposes great security and privacy concerns. Therefore this paper contributes a generic access control concept for Web service based APIs using the Security Assertion Markup Language and the Extensible Access Control Markup Language. This concept allows a user to securely authorize the access of third party applications to the home automation system in order to protect privacy and to ensure security. The access control concept is generic since no API change is required leaving the service provider and service consumer untouched.
Index Terms: Home automation, Web services, access control.

