A double access control model for web services based information system

Cited by: 0
Authors
Chen, Xueqin [1]
Wu, Huizhong [1]
Zhu, Yaoqin [1]
Affiliation
[1] Nanjing Univ Sci & Tech, Sch Comp Sci & Tech, Lab 603, Nanjing 210094, Peoples R China
Source
2008 PROCEEDINGS OF INFORMATION TECHNOLOGY AND ENVIRONMENTAL SYSTEM SCIENCES: ITESS 2008, VOL 2 | 2008
Keywords
web services; information system; security; access control; functions and resources;
DOI
10.1109/ICSICT.2008.4734715
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
Recently, distributed computing technologies such as web services and other XML-based technologies have developed rapidly, and information systems have entered a wide-area distributed computing environment. For web services based information systems, the separation between functions and resources enables reusability. However, this separation is difficult for traditional access control models to handle, and it challenges the security of the system. This paper proposes a double access control model based on attributes to achieve access control of both system functions and resources. The access control decision for functions depends on subject attributes. The decision for resources relies on three kinds of attributes: subject attributes, resource attributes and environment attributes. Consistency of access control between functions and resources is achieved through the subject's attribute certificate and a shared policy. A certificate proxy is used to achieve single sign-on, authentication and authorization in a wide-area environment. Furthermore, we describe the process flow of the access control in detail. The proposed model is implemented on the XACML.NET package and applied in a web services based information system in the .NET environment. Finally, the performance of resource access control is analyzed and tested with VSTE-ST 2005. The results of practical application and experiment prove the feasibility and usability of the model.
Pages: 1045-1050
Page count: 6