Home arrow Security arrow Page 8 - Trust, Access Control, and Rights for Web Services, Part 2

XrML Use Case Example - Security

Web services themselves provide a powerful new approach to PKI that prevents each Web service requestor and provider from having to build their own PKI: accessing a trusted PKI as a service. XKMS aims to do just that. This is part 2 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).

  1. Trust, Access Control, and Rights for Web Services, Part 2
  2. The XKMS Services
  3. X-KRSS
  4. eXtensible Access Control Markup Language (XACML) Specification
  5. The XACML Data Model
  6. XACML Policy Example
  7. eXtensible Rights Markup Language (XrML) Management Specification
  8. XrML Use Case Example
  9. Summary
By: Sams Publishing
Rating: starstarstarstarstar / 6
October 12, 2004

print this article



The following use case illustrates how to use XrML in a service-centric business model, which focuses on specifying Rights, Conditions, and metadata for services, such as Web services. In this use case, Alice pays $2 each time she uses a Web service to receive stock quotes. Figure 9.11 illustrates this use case.

Trust, Access Control, and Rights for Web Services

Figure 9.11  Alice may use the content from a Stock Quote
Web service if she pays $2 for such use.

To specify this information in XrML, you need to

  1. Identify Alice as the person to whom the Rights are granted.

  2. Specify the Right that Alice is granted—the right to use the stock service.

  3. Identify the Resource (the Web service) to which Alice is being granted rights.

  4. Specify the Condition (the fee) that applies when Alice exercises her right to use the stock service.

Figure 9.12 illustrates the structure of Alice's license.

Trust, Access Control, and Rights for Web Services

Figure 9.12  The XrML license for Alice's use case.

The license in Listing 9.12 illustrates how Alice's right to use a stock quote service subject to a fee could be expressed in XrML. In this example, the prefix sx: identifies elements from the standard extension. The prefix service: identifies elements from the sample service extension. The prefix stocks: refers to the WSDL definition namespace. The prefix dsig: refers to the namespace that defines XML signatures. All other elements are defined in the XrML core.

Listing 9.12 XrML Specifying Alice's Rights to Use a Fee-Based Stock Quote Service


<!- -
 Alice is represented as the holder of a particular key
 - ->
  <keyHolder licensePartId="Alice">

<!- -
 Alice is granted the right to use the stock quote service
 - ->

<!- -
 The stock quote service is represented with a service reference that contains
  a WSDL file
 - ->
      <wsdl:definitions name="StockQuote" targetNamespace="http://
        <xsd:schema targetNamespace="
         <xsd:element name="TradePriceRequest">
            <xsd:element name="tickerSymbol" type="xsd:string"/>
         <xsd:element name="TradePrice">
            <xsd:element name="price" type="xsd:float"/>
       <wsdl:message name="GetLastTradePriceInput">
        <wsdl:part name="body" element="stocks-xsd:TradePriceRequest"/>
       <wsdl:message name="GetLastTradePriceOutput">
        <wsdl:part name="body" element="stocks-xsd:TradePrice"/>
       <wsdl:portType name="StockQuotePortType">
        <wsdl:operation name="GetLastTradePrice">
         <wsdl:input message="stocks:GetLastTradePriceInput"/>
         <wsdl:output message="stocks:GetLastTradePriceOutput"/>
       <wsdl:binding name="StockQuoteSoapBinding" type="stocks:
        <soap:binding style="document" transport="http://
        <wsdl:operation name="GetLastTradePrice">
         <soap:operation soapAction="
          <soap:body use="literal"/>
          <soap:body use="literal"/>
       <wsdl:service name="StockQuoteService">
        <wsdl:documentation>My first service</wsdl:documentation>
        <wsdl:port name="StockQuotePort" binding=
         <soap:address location="

<!- -
 Alice pays $2.00 each time she exercises her right to use the stock
  quote service
 - ->

The following are some XrML resources:





SAML, XACML, XrML: Overlapping Standards? - XACML and XrML both deal with authorization. They share requirements from many of the same application domains. Both share the same concepts but use different terms. Both are based on XML Schema.

Both SAML and XrML have the concept of attribute assertion. In SAML it's just an Attribute, whereas in XrML it's based on the PossessProperty construct.

Both XACML and XrML deal with an authorization policy. In XACML it's just Policy, whereas in XrML its part of the License construct.

XrML operates in terms of licenses and rights. XACML operates in terms of policies. But attributes can seem like rights.

XACML is consistent with and builds on SAML. XrML may be focused more tightly on the specific issues of Digital Rights Management. In the meantime, however, the overlap is confusing; OASIS knows this and claims to be trying to make sense of it.

Because it is trivial to write an XSLT transform for an SAML:Request into XACML:Context, it follows that the two are closely related.

It is also interesting to note that SAML's PDP is implemented with XACML. Figure 9.13 shows how SAML depends on XACML.

Trust, Access Control, and Rights for Web Services

Figure 9.13  How SAML PDPs communicate policy using XACML.

What does all of this overlap portend? It's hard to say, but OASIS is trying to simplify matters. There are always the politics of standards with territories that need to be protected, so expect this situation to take quite some time to settle.

SamsThis chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.

Buy this book now.

>>> More Security Articles          >>> More By Sams Publishing

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates


Dev Shed Tutorial Topics: