Refactoring service-based systems: how to avoid trusting a workflow service,

Grid systems span multiple organizations, so their workflow processes have security requirements, such as restricting access to data or ensuring that process constraints are observed. These requirements are often managed by the workflow component, because of the close association between this sub-system and the processes it enacts. However, high-quality security mechanisms and complex functionality are difficult to combine, so designers and users of workflow systems are faced with a tradeoff between security and functionality, which is unlikely to provide confidence in the security implementation. This paper resolves that tension by showing that process security can be enforced outside the workflow component. Separating security and process functionality in this way improves the quality of security protection, because it is implemented by standard system mechanisms; it also allows the workflow component to be deployed as a standard service, rather than a privileged system component. To make this change of design philosophy accessible outside the security community it is documented as a collection of refactorings, which include problem templates that identify suspect design practice, and target patterns that provide solutions. Worked examples show that these patterns can be used in practice to implement practical applications, with both traditional workflow security concerns, and Grid requirements.