Recently, there has been an increased amount of attention dedicated to WS-Policy - it has become a W3C submission and a working group was formed to standardize the specification. In our previous work, we provided a mapping of WS-Policy to OWL-DL. In this paper, we continue that work by analyzing the operation of policy intersection (determining whether two web service policies are compatible). We show how this operation motivates the use of a non-monotonic extension of OWL in the form of OWL default rules. We discuss our prototype implementation of an OWL defaults reasoner based on Baader and Hollunder's terminological defaults.
Recently, there have been many different web service policy language proposals with
varying degrees of expressivity and complexity [
In previous work [
To provide reasoning support for OWL defaults we have extended an open-source
OWL-DL reasoner (Pellet). Our implementation is based on Baader and Hollunder’s
3 WS-Policy Working Group web site: http://www.w3.org/2002/ws/policy/
terminological default logic [
In this section we provide brief overview of the WS-Policy framework and Reiter’s default logic, which served as the basis of our implementation. 2.1
The WS-Policy Framework provides a general purpose model and syntax to describe the policies of a Web service. Its scope is limited to allowing endpoints to specify requirements and capabilities needed for establishing a connection. Its initial goal is not to be used as a language for expressing more complex, application-specific policies that take effect after the connection is established. For this purpose, WS-Policy introduces a simple and extensible grammar that consists of assertions and alternatives.
An assertion is the basic unit of a policy. For example, an assertion could declare that the message should be encrypted. The actual definitions and meaning of the assertions are domain-dependent and not defined in the WS-Policy Framework. An assertion is defined by a unique Qualified Name, and can be a simple string or a complex object with many sub elements and attributes. Note that an assertion can contain a nested policy expression.
A set of assertions is called a policy alternative, and a set of alternatives comprises a policy. For an alternative to be supported by a web service requester, all assertions in that alternative have to be satisfied by that requester. For a policy to be supported by a requester, one or more alternatives need to be supported. Following is a schema outline for the normal form of a policy expression: Reiter’s default logic is a nonmonotonic formalism for expressing commonsense rules of reasoning. These rules, called default rules (or simply defaults), are of the form: α : β
γ where α, β, γ are first-order formulae. We say α is the prerequisite of the rule, β is the justification and γ the consequent. Intuitively, a default rule can be read as: if I can prove the prerequisite from what I believe, and the justification is consistent with what I believe, then add the consequent to my set of beliefs. <wsp:Policy> <wsp:ExactlyOne>
[ <wsp:All> [<Assertion> </wsp:ExactlyOne> </wsp:Policy> 2.2
</Assertion>]* </wsp:All> ]* Definition 1 A default theory is a pair hW , Di where W is a set of closed first-order formulae (containing the initial world description) and D is a set of default rules. A default theory is closed if there are no free variables in its default rules.
Possible sets of conclusions from a default theory are defined in terms of extensions of the theory. Extensions are deductively closed sets of formulae that also include the original set of facts from the world description. Extensions are also closed under the application of defaults in D - we keep applying default rules as long as possible to generate an extension.
Default rules can conflict. A simple example is when two defaults d1 and d2 are applicable yet the consequent of d1 is inconsistent with the consequent of d2. We then typically end up with two extensions: one where the consequent of d1 holds, and one where the consequent of d2 holds. 3
In [
However, due to the open world assumption present in OWL-DL, our previous mapping produces non-intuitive results. For example, if a request r comes in such that r : A, and the policy P contains only two alternatives, A and B, we will not be able to infer that the request r satisfies P (i.e., r is of type (A t B) u ¬(A u B) ) unless we explicitly state that r : ¬B. To solve this issue, we simplified the mapping to represent <wsp:exactlyOne> as logical disjunction (inclusive OR), and in addition we have made the classes representing the alternatives pair-wise disjoint, so even though a requester supports more than one alternative, he cannot use more than one at a time. This updated translation is more concise than the old one (compare A t B with (A t B) u ¬(A u B)). In this scenario, if a requester comes in that is a member of two alternatives, we will get an inconsistency.
Example 1. Consider the example policy in Figure 1. For each policy assertion, we have a separate OWL class (RequireDerivedKeys, WssUsernameToken10, WssUsernameToken11). Then, each alternative is simply the conjunction of its assertions.
Alt1 ≡ RequireDerivedKeys u WssUsernameToken10
Alt2 ≡ RequireDerivedKeys u WssUsernameToken11
In our previous work [
There is one additional reasoning service that is useful for policies and warrants
more discussion. It has been argued (see [
For example, the why query mentioned in [
These techniques are already implemented in Pellet, and there is also a UI for debugging implemented in SWOOP. 5
Policy intersection is used when a web service requester and provider both express
policies and want to compute the compatible policy alternatives between them. This
commutative and associative function takes two policies as input and returns a policy
containing the compatible alternatives. As defined in [
Determining whether two policy alternatives are compatible involves domain-specific processing. In an attempt to automate the operation, one might be tempted to mark the incompatible policy assertions as mutually disjoint classes. Then, to determine whether two policies A and B are compatible we only check whether A u B is satisfiable. However, this will prevent us from having entities support assertions of different types, since it will render the policy ontology inconsistent. Since it is usually the case that entities do support different assertion types (example: an entity can support some specific encoding and some type of reliability, and encoding and reliability are different assertion types), the simple approach of marking incompatible assertions as disjoint classes is incorrect.
To overcome this problem, we introduce an additional property in the policy ontology - compatibleWith. Then, for two policy assertion classes A and B, if we want to say that A is not compatible with B, we can simply use A v ¬∃compatibleWith.B.
As stated in [
compatibleWith(x, y)
In the cases when two assertions are incompatible (even though they are a inherit from the same type) the policy developer can add a disjoint axiom by hand, overriding the default rule above.
The basic algorithm would be as follows: for two policies A and B and a default theory KB = hW, Di (where W is an OWL-DL ontology and D is a set of defaults), to determine whether they are compatible start with the alternatives of A and try to find one compatible alternative in B, and vice-versa. If for at least one alternative in one policy, we succeed in finding compatible alternatives in the other policy, we conclude that the policies can intersect. The intersection of the policies is the policy containing the mutually compatible set of alternatives. To determine whether two alternatives are compatible, we try to match their assertions. For each assertion Asserta ∈ A, we try to find an assertion Assertb ∈ B s.t. KB |= compatibleWith(Asserta, Assertb). If the assertion has a nested policy, then we try to match it with a nested policy from the other alternative, by asking recursively whether they are compatible. 6
Both of the default logic scenarios described above could be plausibly met with Reiter’s
default logic, which is one of the most studied non-monotonic logics. Reiter’s default
logic, while very expressive, is, like many non-monotonic formalisms, known to be
computationally difficult even in the propositional case. In [
We have implemented a prototype of the terminological defaults of Baader and
Hollunder that is based on recent advances in description logic reasoning: tableaux tracing
for the description logic SHOIN and incremental reasoning support. The
implementation is provided as an extension to Pellet and it provides realization of individuals in
terminological default theories. We have also provided a UI for defaults by extending
the open source OWL Ontology editor SWOOP. More specifically, we added support
for default rules editing and updating the current ontology with the set of inferred facts
from the defaults. We refer the reader to [
There have been a number of proposals for ontology-based web policy systems [
Rei [
KaOS Policy and Domain Services [
In addition, there are a number of proposals [
While most policy language proposals are based on logic programs, in this paper we explored the alternative of using OWL-DL as a language for expressing web service policies. We argued that the policy services that DL reasoners provide out of the box, the advances in explanation mechanisms for DL, and the ability to closely integrate OWL-DL with default logic make an OWL-based policy framework worth exploring. Also, OWL-DL is a W3C standard, a language with clear syntax and semantics that is ubiquitous in the Semantic Web. As a consequence, the number of reasoners and OWLDL editors has been growing steadily. A policy language based on OWL-DL should be able to capitalize on the popularity of OWL-DL.
Despite the advantages mentioned above, policies, being associated with rules first
and foremost, seem to demand greater expressivity than OWL-DL (as argued in [
During the past couple of years, there has been great advances [
Finally, it is unfortunate that we cannot provide clear semantics for policy
intersection because its dependence on domain-specific reasoning. The WS-Policy
framework requires each domain to specify its own policy assertions, but there is no generic,
domain-independent language for expressing these assertions. As a result, every
domain has its own language (with unclear semantics ) that makes it hard to reason and
analyze the assertions. We plan to investigate how we could couple OWL with concrete
domains (e.g. XPath) so as to be able to express and give semantics to some of these
domains. A promising step toward a domain-independent policy assertions language is
[