XML-Based specification for web services document security

The Internet and related technologies have seen tremendous growth in distributed applications such as medicine, education, e-commerce, and digital libraries. As demand increases for online content and integrated, automated services, various applications employ Web services technology for document exchange among data repositories. Web services provide a mechanism to expose data and functionality using standard protocols, and hence to integrate many features that enhance Web applications. XML, a well-established text format, is playing an increasingly important role in supporting Web services. XML separates data from style and format definition and allows uniform representation, interchange, sharing, and dissemination of information content over the Internet.(1,2) It is thus a natural contender as a standard for marking up the data that distributed Web-based applications exchange. This interoperability paradigm lets businesses dynamically publish, discover, and aggregate a range of Web services through the Internet to more easily create innovative business processes and value chains.(3) This advantage, however, is accompanied by security concerns related to disseminating secure documents. Security has become a primary concern for all enterprises exposing sensitive data and business ss processes as Web services. XML and Web services provide a simplified application integration framework that drives demand for models that support secure information interchange. Examples of secure Web services that require stricter access controls include searching digital library contents based on user privileges, retrieving results from a medical center's patient database based on user status, and exchanging sensitive financial data between institutions based on user membership levels. Providing document security in XML-based Web services requires access control models that offer specific capabilities. Our XML-based access control specification language addresses a new set of challenges that traditional security models do not address.