On the design, implementation and application of an authorisation architecture for web services

This paper proposes an authorisation architecture for web services. It describes the architectural framework, the administration and runtime aspects of our architecture and its components for secure authorisation of web services as well as the support for the management of authorisation information. The paper then describes the implementation aspects of the architecture. The architecture has been implemented and integrated within the .NET framework. The authorisation architecture for web services is demonstrated using a case study in the healthcare domain. The proposed architecture has several benefits. First and foremost, the architecture supports multiple access control models and mechanisms; it supports legacy applications exposed as web services as well as new web service-based applications built to leverage the benefits offered by the Service-Oriented Architecture; it is decentralised and distributed and provides flexible management and administration of web services and related authorisation information. The proposed architecture can be integrated into existing middleware platforms to provide enhanced security to web services deployed on those platforms.