HomeSecurity Page 8 - Trust, Access Control, and Rights for Web Services, Part 2
XrML Use Case Example - Security
Web services themselves provide a powerful new approach to PKI that prevents each Web service requestor and provider from having to build their own PKI: accessing a trusted PKI as a service. XKMS aims to do just that. This is part 2 of chapter 9 from Securing Web Services with WS-Security, by Rosenberg and Remy (ISBN 0672326515, SAMS, 2004).
The following use case illustrates how to use XrML in a service-centric business model, which focuses on specifying Rights, Conditions, and metadata for services, such as Web services. In this use case, Alice pays $2 each time she uses a Web service to receive stock quotes. Figure 9.11 illustrates this use case.
Figure 9.11 Alice may use the content from a Stock Quote Web service if she pays $2 for such use.
To specify this information in XrML, you need to
Identify Alice as the person to whom the Rights are granted.
Specify the Right that Alice is granted—the right to use the stock service.
Identify the Resource (the Web service) to which Alice is being granted rights.
Specify the Condition (the fee) that applies when Alice exercises her right to use the stock service.
Figure 9.12 illustrates the structure of Alice's license.
Figure 9.12 The XrML license for Alice's use case.
The license in Listing 9.12 illustrates how Alice's right to use a stock quote service subject to a fee could be expressed in XrML. In this example, the prefix sx: identifies elements from the standard extension. The prefix service: identifies elements from the sample service extension. The prefix stocks: refers to the WSDL definition namespace. The prefix dsig: refers to the namespace that defines XML signatures. All other elements are defined in the XrML core.
Listing 9.12 XrML Specifying Alice's Rights to Use a Fee-Based Stock Quote Service
<!- - Alice is represented as the holder of a particular key - -> <keyHolder licensePartId="Alice"> <info> <dsig:KeyValue> <dsig:RSAKeyValue> <dsig:Modulus>4hre4NP7R...</dsig:Modulus> <dsig:Exponent>AQABAA==</dsig:Exponent> </dsig:RSAKeyValue> </dsig:KeyValue> </info> </keyHolder>
<!- - Alice is granted the right to use the stock quote service - -> <service:use/>
<!- - Alice pays $2.00 each time she exercises her right to use the stock quote service - -> <sx:fee> <sx:paymentPerUse> <sx:rate> <sx:amount>2.00</sx:amount> <sx:currency>US</sx:currency> </sx:rate> </sx:paymentPerUse> <sx:to> <sx:aba> <sx:institution>13937151</sx:institution> <sx:account>4281938823</sx:account> </sx:aba> </sx:to> </sx:fee> </grant> </license>
SAML, XACML, XrML: Overlapping Standards? - XACML and XrML both deal with authorization. They share requirements from many of the same application domains. Both share the same concepts but use different terms. Both are based on XML Schema.
Both SAML and XrML have the concept of attribute assertion. In SAML it's just an Attribute, whereas in XrML it's based on the PossessProperty construct.
Both XACML and XrML deal with an authorization policy. In XACML it's just Policy, whereas in XrML its part of the License construct.
XrML operates in terms of licenses and rights. XACML operates in terms of policies. But attributes can seem like rights.
XACML is consistent with and builds on SAML. XrML may be focused more tightly on the specific issues of Digital Rights Management. In the meantime, however, the overlap is confusing; OASIS knows this and claims to be trying to make sense of it.
Because it is trivial to write an XSLT transform for an SAML:Request into XACML:Context, it follows that the two are closely related.
It is also interesting to note that SAML's PDP is implemented with XACML. Figure 9.13 shows how SAML depends on XACML.
Figure 9.13 How SAML PDPs communicate policy using XACML.
What does all of this overlap portend? It's hard to say, but OASIS is trying to simplify matters. There are always the politics of standards with territories that need to be protected, so expect this situation to take quite some time to settle.
This chapter is from Securing Web Services Security with WS-Security, by Jothy Rosenberg and David Remy (Sams, 2004, ISBN: 0672326515). Check it out at your favorite bookstore today.