Authorization Policies in Security-Sensitive Web Services and Applications - Formal Modeling and Analysis