在網路服務(Web services)被廣泛地用來包裝組織內與跨組織的人工與自動服務之後，許多研究提出，將這些網路服務組合起來，滿足跨組織的工作流程(Workflow)中不同任務(Task)的需求，而且還要滿足不同組織中的存取控制限制(Access Control Constraint)。本研究提出一個動態選擇策略，為跨組織工作流程中的每個任務，選擇適當網路服務。此選擇策略除了可以避免違反存取控制限制之外，還能選擇讓流程成功機會較高的網路服務。實驗顯示我們的選擇策略可以避免違反存取控制限制，在有存取控制限制的情況下比Aggregate Reliability 和Random 兩種方法表現得好。

Web services have emerged as a de facto standard for encapsulating services within or across organization boundaries. Various proposals have been made to compose Web services into workflow so as to meet the goal previously unaccomplished by a single entity. This thesis intends to investigate the Web services-based workflow access control problem. It starts by analyzing the various access control constraints proposed in the literatures and presenting three primitive constructs that are capable of specify these constraints. It then proposes a Web service selection approach that dynamically chooses a performer for each task in the workflow, not only to satisfy all access control constraints currently but also to increase the chance of completing the entire process in the future. The proposed approach is evaluated using synthetic data and is shown to result in the execution that is less likely to violate any specified access control constraints.

CHAPTER 1 - Introduction 1
1.1 Background 1
1.2 Motivation 2
1.3 Thesis Organization 5
CHAPTER 2 - Literature Review 6
2.1 Web Services Technologies 6
2.1.1 SOAP 6
2.1.2 WSDL 7
2.1.3 UDDI 7
2.2. Web Services Composition 8
2.3. Workflow Access Control 9
2.4. Workflow Access Control Constraints 9
2.5. Dynamic Web Service Selection 10
CHAPTER 3 - Problem Definition 12
3.1 Preliminaries 12
3.2 Problem description 19
CHAPTER 4 - Our Approach 20
4.1 Architecture 20
4.2 Modeling the access control constraints 22
4.2.1 Separation of Duties (SoD) 22
4.2.2 Binding of Duties (BoD) 23
4.2.3 Session Limit 23
4.2.4 Pre-Requisite Roles 23
4.2.5 Service Restriction 24
4.2.6 Seniority 24
4.2.7 Location/time-based 24
4.2.8 Disallowed delegation sequence 24
4.3 Adjusting the FSMs of participants and component WSs 25
4.4 Building the composition of the target FSM, participants and component WSs
31
4.5 Computing Aggregated Reliabilities for Web Service Selection 32
4.6 Enforcing disallowed delegation sequence at runtime 34
CHAPTER 5 - Performance Evaluation 36
5.1 TripPlan Scenario 36
5.2 Experiment Design 40
5.3 Experiment Result 44
CHAPTER 6 - Conclusion 52
References 53

Bertino, E., Crampton, J., & Paci, F. (2006). Access control and authorization constraints for WS-BPEL. Web Services, 2006. ICWS '06. International Conference on, 275-284.
Bertino, E., Ferrari, E., & Atluri, V. (1999). The specification and enforcement of authorization constraints in workflow management systems. ACM Trans.Inf.Syst.Secur., 2(1), 65-104.
Bertino, E., Squicciarini, A., Paloscia, I., & Martino, L. (2006). Ws-AC: A fine grained access control system for web services. World Wide Web, 9(2), 143-171.
Bhatti, R., Bertino, E., & Ghafoor, A. (2005). A trust-based context-aware access control model for web-services. Distributed and Parallel Databases, 18(1), 83-105.
Cardoso, J. Sheth, A. Miller, J. Arnold, J. Kochut,K. (2004). Quality of service for workflows and web service processes
Christensen, E., Curbera, F., Meredith, G., & Weerawarana, S. (2007). Web services description language (WSDL) 1.1. Unpublished manuscript. Retrieved 10 17,2007, from
http://www.w3.org/TR/wsdl
Clement, L., Hately, A., von Riegen, C., & Rogers, T. (2004). UDDI version 3.0.2. Unpublished manuscript. Retrieved 10 17, 2007, from http://uddi.org/pubs/uddi-v3.0.2-20041019.htm
Crampton, J. (2005). A reference monitor for workflow systems with constrained task execution. SACMAT '05: Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies, Stockholm, Sweden. 38-47.
Curbera, F., Duftler, M., Khalaf, R., Nagy, W., Mukhi, N., & Weerawarana, S. (2002). Unraveling the web services web: An introduction to SOAP, WSDL, and UDDI. Internet Computing, IEEE, 6(2), 86-93.
Hwang, S., Lim, E., Lee, C., & Chen, C. (2007). On composing a reliable composite web service: A study of dynamic web service selection. ICWS, 184-191.
Mitra, N., & Lafon, Y. (2007). SOAP version 1.2 part 0: Primer (second edition). Unpublished manuscript.
Nakos, G., & Joyner, D. (1998). Linear algebra with applications (1st ed.) Brooks/Cole Pub. Co.
Sandhu, R. S., Coyne, E. J., Feinstein, H. L., & Youman, C. E. (1996). Role-based access control models. Computer, 29(2), 38-47.
Srivatsa, M., Iyengar, A., Mikalsen, T., Rouvellou, I., & Jian Yin. (2007). An access control system for web service compositions. Web Services, 2007.ICWS 2007.IEEE International Conference on, , 1-8.
Thomas, J., Paci, F., Bertino, E., & Eugster, P. (2007). User tasks and access control over Web services
Tolone, W., Ahn, G., Pai, T., & Hong, S. (2005). Access control in collaborative systems. ACM Comput.Surv., 37(1), 29-41.
Zeng, L., Benatallah, B., Ngu, A. H. H., Dumas, M., Kalagnanam, J., & Chang, H. (2004). QoS-aware middleware for web services composition. IEEE Transactions on Software Engineering, 30(5), 311-327.