Abstract
Despite the growing need to consider security requirements in service composition, incorporating them remains a challenge for several reasons: security requirements for composition are not clearly identified, there are no notations to express them, they are difficult to integrate into business processes, mapping them into security mechanisms is complex, and specifying and enforcing complex security requirements is inherently complex. We identify security requirements for service composition and define notations to express them at different levels of abstraction. We present a novel approach consisting of a methodology, called Sec-MoSC, to incorporate security requirements into service composition, map security requirements into enforceable mechanisms, and support execution. We have implemented this approach in a prototype tool by extending the BPMN notation and building on an existing BPMN editor, a BPEL engine and Apache Rampart. We showcase an illustrative application of the Sec-MoSC toolset.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Souza, A.R.R. et al. (2009). Incorporating Security Requirements into Service Composition: From Modelling to Execution. In: Baresi, L., Chi, CH., Suzuki, J. (eds) Service-Oriented Computing. ServiceWave ICSOC 2009 2009. Lecture Notes in Computer Science, vol 5900. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-10383-4_27
DOI: https://doi.org/10.1007/978-3-642-10383-4_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-10382-7
Online ISBN: 978-3-642-10383-4
eBook Packages: Computer Science, Computer Science (R0)