An Aspect-Oriented Approach to Declarative Access Control for Web Applications

VeRA: Verifying RBAC and Authorization Constraints Models of Web Applications

International Journal of Software Engineering and Knowledge Engineering ◽

10.1142/s0218194021500182 ◽

2021 ◽

Vol 31 (05) ◽

pp. 655-675

Author(s):

Thanh-Nhan Luong ◽

Hanh-Phuc Nguyen ◽

Ninh-Thuan Truong

Keyword(s):

Access Control ◽

Programming Languages ◽

Web Application ◽

Web Applications ◽

Implementation Process ◽

Record Management ◽

Role Based Access Control ◽

Security Issue ◽

Control Policies ◽

Access Control Policies

The software security issue is being paid great attention from the software development community as security violations have emerged variously. Developers often use access control techniques to restrict some security breaches to software systems’ resources. The addition of authorization constraints to the role-based access control model increases the ability to express access rules in real-world problems. However, the complexity of combining components, libraries and programming languages during the implementation stage of web systems’ access control policies may arise potential flaws that make applications’ access control policies inconsistent with their specifications. In this paper, we introduce an approach to review the implementation of these models in web applications written by Java EE according to the MVC architecture under the support of the Spring Security framework. The approach can help developers in detecting flaws in the assignment implementation process of the models. First, the approach focuses on extracting the information about users and roles from the database of the web application. We then analyze policy configuration files to establish the access analysis tree of the application. Next, algorithms are introduced to validate the correctness of the implemented user-role and role-permission assignments in the application system. Lastly, we developed a tool called VeRA, to automatically support the verification process. The tool is also experimented with a number of access violation scenarios in the medical record management system.

Download Full-text

Fine-Grained Role- and Attribute-Based Access Control for Web Applications

Communications in Computer and Information Science - Software and Data Technologies ◽

10.1007/978-3-642-45404-2_12 ◽

2013 ◽

pp. 171-187 ◽

Cited By ~ 2

Author(s):

Seyed Hossein Ghotbi ◽

Bernd Fischer

Keyword(s):

Access Control ◽

Web Applications ◽

Fine Grained ◽

Attribute Based Access Control

Download Full-text

Programming Situational Mobile Web Applications with Cloud-Mobile Convergence: An Internetware-Oriented Approach

IEEE Transactions on Services Computing ◽

10.1109/tsc.2016.2587260 ◽

2019 ◽

Vol 12 (1) ◽

pp. 6-19 ◽

Cited By ~ 5

Author(s):

Gang Huang ◽

Xuanzhe Liu ◽

Yun Ma ◽

Xuan Lu ◽

Ying Zhang ◽

...

Keyword(s):

Web Applications ◽

Mobile Web ◽

Oriented Approach

Download Full-text

Automated Inference of Access Control Policies for Web Applications

Proceedings of the 20th ACM Symposium on Access Control Models and Technologies - SACMAT '15 ◽

10.1145/2752952.2752969 ◽

2015 ◽

Cited By ~ 3

Author(s):

Ha Thanh Le ◽

Cu Duy Nguyen ◽

Lionel Briand ◽

Benjamin Hourte

Keyword(s):

Access Control ◽

Web Applications ◽

Control Policies ◽

Access Control Policies ◽

Automated Inference

Download Full-text

Resolving authorization conflicts by ontology views for controlled access to a digital library

Journal of Knowledge Management ◽

10.1108/jkm-10-2014-0435 ◽

2015 ◽

Vol 19 (1) ◽

pp. 45-59 ◽

Cited By ~ 1

Author(s):

Subhasis Dasgupta ◽

Pinakpani Pal ◽

Chandan Mazumdar ◽

Aditya Bagchi

Keyword(s):

Access Control ◽

Digital Library ◽

Digital Libraries ◽

Web Applications ◽

Control Model ◽

Access Control Model ◽

Content Type ◽

Proposed Model ◽

Ontology Structure ◽

Subject Areas

Purpose – This paper provides a new Digital Library architecture that supports polyhierarchic ontology structure where a child concept representing an interdisciplinary subject area can have multiple parent concepts. The paper further proposes an access control mechanism for controlled access to different concepts by different users depending on the authorizations available to each such user. The proposed model thus provides a better knowledge representation and faster searching possibility of documents for modern Digital Libraries with controlled access to the system. Design/methodology/approach – Since the proposed Digital Library Architecture considers polyhierarchy, the underlying hierarchical structure becomes a Directed Acyclic Graph instead of a tree. A new access control model has been developed for such a polyhierarchic ontology structure. It has been shown that such model may give rise to undecidability problem. A client specific view generation mechanism has been developed to solve the problem. Findings – The paper has three major contributions. First, it provides better knowledge representation for present-day digital libraries, as new interdisciplinary subject areas are getting introduced. Concepts representing interdisciplinary subject areas will have multiple parents, and consequently, the library ontology introduces a new set of nodes representing document classes. This concept also provides faster search mechanism. Secondly, a new access control model has been introduced for the ontology structure where a user gets authorizations to access a concept node only if its credential supports it. Lastly, a client-based view generation algorithm has been developed so that a client’s access remains limited to its view and avoids any possibility of undecidability in authorization specification. Research limitations/implications – The proposed model, in its present form, supports only read and browse facilities. It would later be extended for addition and update of documents. Moreover, the paper explains the model in a single user environment. It will be augmented later to consider simultaneous access from multiple users. Practical implications – The paper emphasizes the need for changing the present digital library ontology to a polyhierarchic structure to provide proper representation of knowledge related to the concepts covering interdisciplinary subject areas. Possible implementation strategies have also been mentioned. This design method can also be extended for other semantic web applications. Originality/value – This paper offers a new knowledge management strategy to cover the gradual proliferation of interdisciplinary subject areas along with a suitable access control model for a digital library ontology. This methodology can also be extended for other semantic web applications.

Download Full-text

Designing Information System for Private Network using RBAC, FGAC and Micro service Architecture

International Journal of Engineering and Advanced Technology - Regular Issue ◽

10.35940/ijeat.d2474.0410421 ◽

2021 ◽

Vol 10 (4) ◽

pp. 195-200

Author(s):

Arjit Mishra ◽

Surendra Gupta ◽

Swarnim Soni

Keyword(s):

Information System ◽

Access Control ◽

Web Applications ◽

Third Party ◽

Security Policies ◽

Role Based Access Control ◽

Service Architecture ◽

Authentication And Authorization ◽

Private Network ◽

Microservice Architecture

Microservice architecture is used in developing enterprise-level applications with the intent to modularise deployment of the application, this happens by creating an application as a collection of var-ious smaller applications known as microservices. An Information system is one such application that is ever-growing and therefore needs an architectural solution that addresses this issue. While microservice architecture addresses this issue by giving low coupling among microservices, future scalability of the system, and convenience in developing, deploying, and integrating new microservices.For all it‘s benefits, microservice architecture complicates the consistent implementation of security policies in this distributed system. Current industry standards are to use protocols that delegate the process of authentication and authorization to a third-party server, e.g. OAuth. Delegating these processes to be handled by the third party is not suitable for some web applications that are deployed in a less resourceful environment, e.g. organization with high internet downtime or an organization with high traffic of non working personnel e.g. people giving exams in college or workshops being held. This paper aims to research proposed solutions, existing frameworks, and technologies to implement security policies in an Information system which can be suitable for the above two scenarios.For this, we use authentication, Role-based access control (RBAC) on every request, and Fine-grained access control (FGAC) on the implementation method level, to achieve greater access control and flex-ibility of adding new microservice without changing whole security policies. We have also proposed a pre-registration condition in our system, which allows only certain people, whose data is already present in the system, to register themselves with the application. We also discuss the scenario where using a protocol like OAuth is not suitable. The solution is based on creating a central single entry point for authentication and implementing an RBAC policy that will filter every request based on access roles that the requesting user has. We further use FGAC on method level in microservices to enforce n even finer restrictions on resources to be accessed based on requirements. This solution will be implemented as apart of the Department Information System (DIS) in the following two-step:

Download Full-text