1. Field of the Invention
The present invention relates to security federation of a plurality of composed services in a distributed computing environment, and particularly, to a system and method for performing a unified access control for a plurality of composed services in a distributed computing environment through combining centralized and distributed computing.
2. Description of Related Art
With the rapid growth of service-oriented architecture (SOA) and Web services, more and more applications are composed of distributed Web services hosted by different organizations and enterprises. A user usually has different rights and privileges for different services. At run time, when the user requests access to one or more functions of a certain service, access is granted only if the user holds a role that permits the requested function.
Therefore, for applications composed of distributed Web services hosted by different organizations and enterprises, when the user accesses a certain composed service to invoke a function there, and the function needs to request information from other composed services to fulfill a complete service, it is necessary to re-perform a security verification for the user with respect to each of the composed services. By way of example, the user needs to access a network composed service A to invoke a function there, and passes the security verification at the service A. Since the function in the service A, when executed, needs to invoke a function operation in another composed service B to fulfill a complete service, and the service B is owned by another enterprise and has its own security verification information, the service B requires the security verification of the user to be performed again. Such repetitious verifications are time consuming and inefficient. It is very inconvenient and troublesome for the user to input security information, including his username, password and role, again.
Network service security federation is proposed with respect to this problem so as to provide a unified security management for a plurality of composed services. By means of the network service security federation, the security certification information can be brought to the service B when the service A invokes the service B, so that the service B can verify the user directly without requiring the user to input the security certification information again. Therefore, invoking the service B by the service A is transparent to the user.
The verification of the security federation can be divided into three levels, i.e., identification, authentication, and authorization. The identification verifies that a user who requests to access a service is actually the user he claims to be, through a user identifier (ID) and a login password; the authentication decides what role the user who passes the identification has in the service; and the authorization decides what operation rights, e.g., read-only, editing or the like, a user having a certain role has with respect to the resources to which the execution of a requested function relates.
To realize the network service security federation, a conventional method is to adopt a centralized management architecture as shown in FIG. 1. In this solution, a unified access control system is utilized to provide identification, authentication, and authorization for a plurality of composed services.
As shown in FIG. 1, an administrator of the unified access control system creates an access control list, ACL. For each user of the composed services, this list records the user's roles in all of the composed services, the operations each role can perform, and the resources to which those operations relate. In this way, when a user intends to access a certain service to request one or more functions in the service, the system matches roles of the user according to the access control list, and further determines whether the user has a right to perform the requested functions.
For example, as shown in FIG. 1, when a user Esther accesses a service A to request to edit accounts, the system determines that her role in the service A is administrator and that she can perform the requested editing operation according to the ACL. The action of the account editing operation in the service A needs to invoke a currency type creating operation in a service B. At this time, the system will automatically acquire data from the ACL that a role of the user Esther in the service B is VIP, and judge that the user has a right to perform the invoked creating operation. Subsequently, service B permits the user Esther to perform the operation and returns a result of the operation to service A.
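As an added illustration (not part of the patent text), the centralized ACL check of FIG. 1 written out in Python: the user Esther, services A and B, the roles administrator and VIP, and the account-editing and currency-type-creating operations are those named above; the dictionary layout, the SecurityContext object carried from A to B, and the second user Bob (who has no role in service B) are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityContext:
    """Identity established once by the unified access control system and
    carried from service A into service B, so B never re-prompts the user."""
    user: str


# Constructed ACL in the spirit of FIG. 1: per user, the role held in each
# composed service (Bob is a constructed user with no role in ServiceB) ...
ACL = {
    "Esther": {"ServiceA": "administrator", "ServiceB": "VIP"},
    "Bob": {"ServiceA": "administrator"},
}
# ... and, per (service, role), the operations permitted on which resources.
ROLE_PERMISSIONS = {
    ("ServiceA", "administrator"): {"edit": {"accounts"}},
    ("ServiceB", "VIP"): {"create": {"currency_type"}},
}


def authorize(ctx, service, operation, resource):
    """Unified check: identification is already done (ctx); map user -> role
    in this service, then role -> permitted operation on the resource."""
    role = ACL.get(ctx.user, {}).get(service)
    if role is None:
        return False
    allowed = ROLE_PERMISSIONS.get((service, role), {}).get(operation, set())
    return resource in allowed


def service_b_create_currency_type(ctx, name):
    """Service B relies on the forwarded context instead of a fresh login."""
    if not authorize(ctx, "ServiceB", "create", "currency_type"):
        raise PermissionError(f"{ctx.user}: create currency_type denied in ServiceB")
    return {"currency_type": name, "created_by": ctx.user}


def service_a_edit_accounts(ctx, account, currency):
    """Service A checks its own ACL entry, then invokes B with the same context."""
    if not authorize(ctx, "ServiceA", "edit", "accounts"):
        raise PermissionError(f"{ctx.user}: edit accounts denied in ServiceA")
    created = service_b_create_currency_type(ctx, currency)
    return {"account": account, "currency": created["currency_type"],
            "edited_by": ctx.user}


if __name__ == "__main__":
    print(service_a_edit_accounts(SecurityContext("Esther"), "acct-1", "EUR"))
```

The Bob entry shows the failure mode a practitioner should expect in a chained invocation: service A's check passes, but the call is refused at service B because the ACL holds no role for him there.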
However, in the above solution, because the system administrator has to record in the ACL roles that each user has, operations that the roles can perform, and resources that the operations relate to, the work load will be very heavy, particularly when there are many users. Moreover, the administrator must modify the ACL manually when a new composed service is added into the system, role information is changed, or a security policy is changed. Therefore, the burden of the system administrator is very large and the scalability of the solution is not good.
Another conventional method for realizing the network service security federation is to build security features, e.g., roles, into the code, which means that security must be addressed directly in the code by providing appropriate statements. This method requires changing the code whenever the access logic changes, which proves to be even more inconvenient.
Therefore, there is a need for a unified security access control system and method which can provide a flexible, dynamic, and light-weight security solution.