A comparison of modeling strategies in defining XML-based access control languages / C.A. Ardagna, S. De Capitani di Vimercati. - In: COMPUTER SYSTEMS SCIENCE AND ENGINEERING. - ISSN 0267-6192. - 19:3(2004), pp. 141-150.
A comparison of modeling strategies in defining XML-based access control languages
C.A. Ardagna; S. De Capitani di Vimercati
2004
Abstract
One of the most important features of XML-based Web services is that they can be easily accessed over the Internet, but this makes them vulnerable to a series of security threats. What makes security for Web services so challenging is their distributed and heterogeneous nature. Access control policy specification for controlling access to Web services is therefore becoming an emerging research area due to the rapid development of Web services in the modern economy. Two relevant access control languages using XML are WS-Policy and XACML. The main conceptual difference between these two languages is that while XACML is based on a well-defined model that provides a formal representation of the access control security policy and its working, WS-Policy has been developed without taking this modeling phase into consideration. In this paper, we critique WS-Policy, pointing out some of its shortcomings. We then describe the architecture we implemented, which offers an interface for controlling access to Web services.