The SCIFC Model for Information Flow Control in Web Service Composition


Existing web service access control models focus on individual web services, and do not consider service composition. In composite services, a major issue is information flow control. Critical information may flow from one service to another in a service chain through requests and responses and there is no mechanism for verifying that the flow complies with the access control policies. In this paper, we propose an innovative access control model to empower the services in a service chain to control the flow of their sensitive information. Our model supports information flow control through a back-check procedure and pass-on certificates. We also introduce additional factors such as the carry-along policy, security class, and transformation factor, to improve the protocol efficiency. A formal analysis is also presented to show the power and complexity of our protocol.


Web services, authorisation, protocols, software architecture

Date of this Version



2009 IEEE International Conference on Web Services; Service-Oriented Computing and Applications (SOCA), 2009 Issue Date: 14-15 Jan. 2009 page(s): 1 - 8, Taipei