• DocumentCode
    2189858
  • Title
    Transformation and Aggregation of Web Service Security Requirements
  • Author
    Warschofsky, Robert ; Menzel, Michael ; Meinel, Christoph
  • Author_Institution
    Hasso-Plattner-Institute, Potsdam, Germany
  • fYear
    2010
  • fDate
    1-3 Dec. 2010
  • Firstpage
    43
  • Lastpage
    50
  • Abstract
    Service-oriented Architectures support the provision, discovery, and usage of services in different application contexts. The Web Service specifications provide a technical foundation to implement this paradigm and provide mechanisms to face the new security challenges raised by SOA. To enable the seamless usage of services, security requirements can be expressed as security policies (e.g. WS-Policy and WS-Security Policy) that enable the negotiation of these requirements between clients and services. However, the concept of policy negotiation has not been applicable in the scope of service compositions so far. Since each orchestrated Web Service in a service composition might demand the provision of specific user information and requires a particular security mechanism, the security policy of a service composition depends on the aggregated requirements of the orchestrated services. Current Web Service frameworks are not capable of resolving such policy dependencies. In this paper we present our solution to enable an automated creation of security policies from orchestrated services. Therefore, we present a policy model that is capable of capturing Web Service security requirements. Based on this model, we introduce an algorithm that performs the aggregation of security requirements stated by the orchestrated services and mappings to transform WS-Security Policy instances and the security model instances into each other.
  • Keywords
    Web services; authorisation; formal specification; formal verification; service-oriented architecture; Web services; policy negotiation; security mechanism; security policy; security requirement; service-oriented architecture; Policy Generation; SOA Security; Service-oriented Architectures; WS-Security Policy;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Web Services (ECOWS), 2010 IEEE 8th European Conference on
  • Conference_Location
    Ayia Napa
  • Print_ISBN
    978-1-4244-9397-5
  • Type
    conf
  • DOI
    10.1109/ECOWS.2010.13
  • Filename
    5693243