3PAC: Enforcing Access Policies for Web Services
01 January 2005
Web Services fail to deliver on the ubiquitous deployment and seamless interoperability expected from Service Oriented Architectures due to the lack of a uniform, standards-based approach to all aspects of security. In particular, the enforcement of access policies in Web Services is not addressed adequately. We present a novel approach to the distribution and enforcement of access policies for Web Services, called 3PAC, which enforces the static, request-independent parts of the access policy during service discovery and uses signed access tokens to enforce the policy for each service request locally, and hence efficiently. Our approach scales well and can be implemented in existing deployments.