A Tool Supporting End-User Development of Access Control in Web Applications

2015 ◽  
Vol 25 (02) ◽  
pp. 307-331 ◽  
Author(s):  
Loredana Caruccio ◽  
Vincenzo Deufemia ◽  
Christopher D'Souza ◽  
Athula Ginige ◽  
Giuseppe Polese
Keyword(s):  
Access Control ◽  
Web Applications ◽  
User Study ◽  
Role Based Access Control ◽  
Control Mechanisms ◽  
Complex Task ◽  
End User ◽  
Access Control Policies ◽  
Application Logic ◽  
Role Based

End-user development (EUD) is drawing an increasing attention due to the necessity of users to frequently extend and personalize their applications. In particular, EUD in the context of Web (EUDWeb) is focusing on technologies capable of supporting development tasks that the end-user feels more complex. However, although the specification and implementation of access control is perceived as a particularly complex task, little efforts have been made to support it within current EUDWeb environments. Thus, in this paper we propose an EUDWeb framework and tool for the specification and the generation of web applications embedding access control mechanisms. We extended a previous mockup-based EUDWeb approach, by introducing visual assistance mechanisms enabling the specification of role-based access control policies, and their integration within the application logic. The usability of the proposed framework has been evaluated by means of a user study, in which we have shown that a group of heterogeneous end-users could proficiently use the proposed framework to develop meaningful web applications, some of which including access control functionalities.

scholarly journals Automated reverse engineering of role-based access control policies of web applications

2021 ◽  
pp. 111109
Author(s):  
Ha Thanh Le ◽  
Lwin Khin Shar ◽  
Domenico Bianculli ◽  
Lionel Claude Briand ◽  
Cu Duy Nguyen
Keyword(s):  
Access Control ◽  
Reverse Engineering ◽  
Web Applications ◽  
Role Based Access Control ◽  
Control Policies ◽  
Access Control Policies ◽  
Role Based

VeRA: Verifying RBAC and Authorization Constraints Models of Web Applications

2021 ◽  
Vol 31 (05) ◽  
pp. 655-675
Author(s):  
Thanh-Nhan Luong ◽  
Hanh-Phuc Nguyen ◽  
Ninh-Thuan Truong
Keyword(s):  
Access Control ◽  
Programming Languages ◽  
Web Application ◽  
Web Applications ◽  
Implementation Process ◽  
Record Management ◽  
Role Based Access Control ◽  
Security Issue ◽  
Control Policies ◽  
Access Control Policies

The software security issue is being paid great attention from the software development community as security violations have emerged variously. Developers often use access control techniques to restrict some security breaches to software systems’ resources. The addition of authorization constraints to the role-based access control model increases the ability to express access rules in real-world problems. However, the complexity of combining components, libraries and programming languages during the implementation stage of web systems’ access control policies may arise potential flaws that make applications’ access control policies inconsistent with their specifications. In this paper, we introduce an approach to review the implementation of these models in web applications written by Java EE according to the MVC architecture under the support of the Spring Security framework. The approach can help developers in detecting flaws in the assignment implementation process of the models. First, the approach focuses on extracting the information about users and roles from the database of the web application. We then analyze policy configuration files to establish the access analysis tree of the application. Next, algorithms are introduced to validate the correctness of the implemented user-role and role-permission assignments in the application system. Lastly, we developed a tool called VeRA, to automatically support the verification process. The tool is also experimented with a number of access violation scenarios in the medical record management system.

Access Control in Mobile and Ubiquitous Environments

2010 ◽  
pp. 1481-1497
Author(s):  
Laurent Gomez ◽  
Annett Laube ◽  
Alessandro Sorniotti
Keyword(s):  
Access Control ◽  
User Authentication ◽  
Control Policy ◽  
Wireless Sensor ◽  
Role Based Access Control ◽  
Control Mechanisms ◽  
Mobile Environment ◽  
New Techniques ◽  
Role Based ◽  
Resource Constrained Devices

Access control is the process of granting permissions in accordance to an authorization policy. Mobile and ubiquitous environments challenge classical access control solutions like Role-Based Access Control. The use of context-information during policy definition and access control enforcement offers more adaptability and flexibility needed for these environments. When it comes to low-power devices, such as wireless sensor networks, access control enforcement is normally too heavy for such resource-constrained devices. Lightweight cryptography allows encrypting the data right from its production and the access is therefore intrinsically restricted. In addition, all access control mechanisms require an authenticated user. Traditionally, user authentication is performed by means of a combination of authentication factors, statically specified in the access control policy of the authorization service. Within ubiquitous and mobile environment, there is a clear need for a flexible user authentication using the available authentication factors. In this chapter, different new techniques to ensure access control are discussed and compared to the state-of-the-art.

Use of Purpose and Role Based Access Control Mechanisms to Protect Data Within RDBMS

2020 ◽  
Vol 8 (1) ◽  
pp. 82-91
Author(s):  
Suraj Krishna Patil ◽  
Sandipkumar Chandrakant Sagare ◽  
Alankar Shantaram Shelar
Keyword(s):  
Access Control ◽  
Privacy Preservation ◽  
Original Data ◽  
Sensitive Information ◽  
Role Based Access Control ◽  
Control Mechanisms ◽  
Sensitive Data ◽  
Access To Resources ◽  
Key Factor ◽  
Role Based

Privacy is the key factor to handle personal and sensitive data, which in large chunks, is stored by database management systems (DBMS). It provides tools and mechanisms to access and analyze data within it. Privacy preservation converts original data into some unknown form, thus protecting personal and sensitive information. Different access control mechanisms such as discretionary access control, mandatory access control is used in DBMS. However, they hardly consider purpose and role-based access control in DBMS, which incorporates policy specification and enforcement. The role based access control (RBAC) regulates the access to resources based on the roles of individual users. Purpose based access control (PuBAC) regulates the access to resources based on purpose for which data can be accessed. It regulates execution of queries based on purpose. The PuRBAC system uses the policies of both, i.e. PuBAC and RBAC, to enforce within RDBMS.

scholarly journals Role-Mining Optimization with Separation-of-Duty Constraints and Security Detections for Authorizations

2019 ◽  
Vol 11 (9) ◽  
pp. 201 ◽  
Author(s):  
Wei Sun ◽  
Shiwei Wei ◽  
Huaping Guo ◽  
Hongbing Liu
Keyword(s):  
Access Control ◽  
Optimization Approach ◽  
Role Based Access Control ◽  
Control Mechanisms ◽  
Engineering Technology ◽  
Role Mining ◽  
Novel Method ◽  
Separation Of Duty ◽  
Role Based ◽  
The Given

Role-based access control (RBAC), which has been regarded as one of the most popular access-control mechanisms, is featured by the separation-of-duty constraints, mutually exclusive constraints, and the least-privileges principle. Role mining, a bottom-up role-engineering technology, is an effective method to migrate from a non-RBAC system to an RBAC system. However, conventional role-mining approaches not only do not consider the separation of duty constraints, but also cannot ensure the security of a constructed RBAC system when the corresponding mined results violate the separation of a duty constraint and/or the least-privileges principle. To solve these problems, this paper proposes a novel method called role-mining optimization with separation-of-duty constraints and security detections for authorizations (RMO_SODSDA), which mainly includes two aspects. First, we present a role-mining-optimization approach for satisfying the separation of duty constraints, and we constructed different variants of mutually exclusive constraints to correctly implement the given separation of duty constraints based on unconstrained role mining. Second, to ensure the security of the constructed system and evaluate authorization performance, we reduced the authorization-query problem to a maximal-satisfiability problem. The experiments validate the effectiveness and efficiency of the proposed method.

Sign in / Sign up

Export Citation Format

Share Document