Cross domain resource sharing and collaborations have become pervasive in today’s service oriented organizations. Existing approaches for the realization of cross domain access control are either focused on the model level only without concrete implementation mechanisms, or not general enough to provide a flexible¬† framework for enterprise web applications.

In this paper, we present xDAuth, a framework for the realization of cross domain access control and delegation with RESTful web service architecture. While focusing on real issues under the context of cross domain access scenarios such as no predefine d trust relationship between a service provider domain and service requester domain, xDAuth leverages existing web technologies to realize desired security requirements while supporting flexible and scalable security policies and privacy protection with low performance overhead.

We have implemented xDAuth in a medical module in OpenERP, an open source ERP system. Our evaluation demonstrates that xDAuth is a feasible framework towards general cross domain access control for service oriented architectures.

xDAuth Protocol Workflow


  • Domain Registration

The domain registration is a process through which service provider and consumer both registers itself with the delegation service.
This process requires information of the SP including service name, service access URL, and other metadata such as the services it offered (e.g. blog, finance solution, social networking, etc).
As the results of an registration, the DS returns a domain key and secret pair. The domain key is a 30-byte public string that is unique to identify the domain, and the secret is a 10-byte shared secret between the DS and the domain.

  • Publishing Policy

Each SP domain has an internal authorization service that approves delegation requests made from local users. The local authorization service provides necessary interfaces and tools to help the user make appropriate selections, such as corresponding objects and set of access actions which she wants to delegate, and applicable constraints such as valid time period.
Upon this specification, the authorization service can approve the request based on pre-defined delegation control policies in the domain. In reality, the approval of a delegation request can be done automatically by system, or manually approved by administrators.

  • xDAuth Policy Generation

In xDAuth, a user from an SR domain is allowed to access resources in an SP domain, if allowed by cross access or delegation policies of the SP.
For cross domain delegation, a user or an administrator in the SP makes a delegation request to an internal authorization service.
The delegation request is verified against a set of delegation control policies in the SP. Therefore, an xDAuth policy is generated by combining the information contained in the delegation request and that in the delegation control policies.

see more…

Leave a Reply