Web services accomplish requirements, which are complicated functions. To apply web services for a requirement, it should be decomposed into sub-functions for web services. After the decomposition, web services are selected to compose paths. During composition, secure access of web services should be considered. This paper proposes a twoleveled web service access control policy and a web service composition algorithm. We embed the policy in the algorithm. The upper level access control policy uses attributes and credentials to filter out the web services that cannot be invoked by a requester. The lower level policy compares the credit level numbers of web services with the security level numbers of arguments to evaluate the possibility of leaking the arguments. The possibility facilitates evaluating the successfulness of executing a path. After access control, the composition algorithm composes multiple paths.