Field of the Invention
This invention relates to computer security and, more particularly, to techniques for controlling access to web services resources.
Description of the Related Art
The Internet and its associated communication protocols and infrastructure enable sophisticated information exchange to occur irrespective of the locations of the participants. As access to the public Internet continues to proliferate, and as Internet protocols become increasingly common for information exchange within private networks (intranets), techniques for implementing various computing applications and services in a distributed fashion continue to evolve.
In the web services model of computing, an entity may make some sort of computational service available to users through an interface using web-based Internet protocols such as the Hypertext Transport Protocol, for example. Thus, instead of simply presenting relatively static read-only data such as web pages to a user, an entity may employ similar techniques to implement more sophisticated services as web services. For example, a generic data storage service may be presented to users as a web service. Using appropriate web services protocols, users with Internet access may be able to store data objects to the data storage service and later access them from any location.
The web services approach may facilitate the presentation of services or data to large numbers of users in a location- and platform-independent fashion. However, it may not be desirable to allow all users equal access to all services or data. For example, a user that stores persistent state information (e.g., a data object) via a web service may wish to restrict other users from reading or modifying the stored information. Similarly, an entity offering a web service may wish to offer different levels of service to different users, for example on the basis of a user's willingness to pay for a given level of service.
Existing techniques for managing control of access to web services resources may generally lack sophistication. Such existing techniques may typically distinguish user privileges at the domain level, offering or denying a user access to all services offered through a particular web domain or high-level address based on user authentication. Under such techniques, it may be difficult to distinguish web services resources at finer levels of granularity, such as the level of an individual object or other web services resource.
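The following Python illustration is added here and is not part of the patent text; it contrasts the domain-level model described above (a user is granted or denied every service under a domain) with a per-resource model keyed by object and action. The user names, the domain "storage.example", the object paths and the policy tables are all constructed for the illustration; both evaluators deny by default.

```python
"""Added illustration (not from the patent text): why a domain-level grant
cannot express a per-object restriction.

Assumptions, all hypothetical: users 'alice' and 'bob' have already been
authenticated, the storage web service is reached through the domain
'storage.example', and stored objects are identified by a path string.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    domain: str
    resource: str   # an object key in the storage service
    action: str     # e.g. "read" or "write"


class DomainLevelPolicy:
    """Existing-technique model: one grant per (user, domain). Deny by default."""

    def __init__(self, grants):
        # user -> set of domains the user may use
        self._grants = {u: set(d) for u, d in grants.items()}

    def is_allowed(self, req: Request) -> bool:
        # resource and action play no part: every object under the domain
        # receives the same decision as every other
        return req.domain in self._grants.get(req.user, set())


class ResourceLevelPolicy:
    """Finer-grained model: grant keyed by (domain, resource) and action. Deny by default."""

    def __init__(self, grants):
        # user -> {(domain, resource): set of permitted actions}
        self._grants = {
            u: {k: set(v) for k, v in res.items()} for u, res in grants.items()
        }

    def is_allowed(self, req: Request) -> bool:
        permitted = self._grants.get(req.user, {}).get((req.domain, req.resource), set())
        return req.action in permitted


# Constructed scenario: both users legitimately use the same domain, but the
# object alice stored should be readable and writable only by alice.
DOMAIN = "storage.example"
ALICE_OBJ = "/alice/report.txt"
BOB_OBJ = "/bob/notes.txt"

DOMAIN_POLICY = DomainLevelPolicy({"alice": {DOMAIN}, "bob": {DOMAIN}})
RESOURCE_POLICY = ResourceLevelPolicy({
    "alice": {(DOMAIN, ALICE_OBJ): {"read", "write"}},
    "bob": {(DOMAIN, BOB_OBJ): {"read", "write"}},
})

SCENARIO = [
    Request("alice", DOMAIN, ALICE_OBJ, "read"),
    Request("bob", DOMAIN, ALICE_OBJ, "read"),   # bob reading alice's object
    Request("bob", DOMAIN, BOB_OBJ, "write"),
    Request("eve", DOMAIN, ALICE_OBJ, "read"),   # user with no grants at all
]


def evaluate(policy, requests=SCENARIO):
    """Return {(user, resource, action): decision} for each request in the scenario."""
    return {(r.user, r.resource, r.action): policy.is_allowed(r) for r in requests}


if __name__ == "__main__":
    for name, policy in (("domain-level", DOMAIN_POLICY), ("resource-level", RESOURCE_POLICY)):
        print(name)
        for key, allowed in evaluate(policy).items():
            print("  ", key, "ALLOW" if allowed else "DENY")
```

Under the domain-level policy, bob's read of alice's object is allowed because bob is an authenticated user of the domain; the only way to stop it is to remove bob from the domain entirely, which also denies him his own object. The resource-level policy grants bob his own object and nothing else, which is the granularity the passage says existing techniques struggle to express.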
Management of web services access control information at finer levels of granularity may also create data management challenges, particularly for large-scale web services implementations. For example, in systems with many different users and web services resources to be managed, a considerable quantity of access control data may need to be generated, stored, and selectively retrieved in order to enforce the desired access control policies. Such data management tasks may impact the overall performance of the services offered, for example if completion of a web services request is dependent upon retrieval and evaluation of relevant access control data.