Reasoning about Events to Specify Authorization Policies forWeb Services Composition

Availability of a wide variety of Web services over the Internet offers opportunities of providing new value added services built by composing them out of existing ones. By integrating individual existing Web services the technology enables the provision of advanced and sophisticated services, such as allowing users to use different types of resources and services simultaneously in a simple procedure. However the management and maintenance of a large number of Web services is not easy and, in particular, needs appropriate authorization policies to be defined so as to realize reliable and secure Web Services. The required authorization policies can be quite complex, resulting in unintended conflicts, which could result in information leaks or prevent access to information needed. This paper proposes a logic based approach using for specifying authorization policies and detecting conflicts resulting from the combination of various kinds of authorization and constraint policies used in Web services environments. The method not only enables static detection of policy conflicts but also yields information that is helpful for correcting the policies. An automated induction-based theorem prover SPIKE is used as verification back-end.