Automated Inference of Access Control Policies for Web Applications

2021 ◽

Vol 31 (05) ◽

pp. 655-675

Author(s):

Thanh-Nhan Luong ◽

Hanh-Phuc Nguyen ◽

Ninh-Thuan Truong

Keyword(s):

Access Control ◽

Programming Languages ◽

Web Application ◽

Web Applications ◽

Implementation Process ◽

Record Management ◽

Role Based Access Control ◽

Security Issue ◽

Control Policies ◽

Access Control Policies

The software security issue is being paid great attention from the software development community as security violations have emerged variously. Developers often use access control techniques to restrict some security breaches to software systems’ resources. The addition of authorization constraints to the role-based access control model increases the ability to express access rules in real-world problems. However, the complexity of combining components, libraries and programming languages during the implementation stage of web systems’ access control policies may arise potential flaws that make applications’ access control policies inconsistent with their specifications. In this paper, we introduce an approach to review the implementation of these models in web applications written by Java EE according to the MVC architecture under the support of the Spring Security framework. The approach can help developers in detecting flaws in the assignment implementation process of the models. First, the approach focuses on extracting the information about users and roles from the database of the web application. We then analyze policy configuration files to establish the access analysis tree of the application. Next, algorithms are introduced to validate the correctness of the implemented user-role and role-permission assignments in the application system. Lastly, we developed a tool called VeRA, to automatically support the verification process. The tool is also experimented with a number of access violation scenarios in the medical record management system.

Download Full-text

On the Compliance of Access Control Policies in Web Applications

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering - Context-Aware Systems and Applications, and Nature of Computation and Communication ◽

10.1007/978-3-030-06152-4_6 ◽

2018 ◽

pp. 58-69

Author(s):

Thanh-Nhan Luong ◽

Dinh-Hieu Vo ◽

Van-Khanh To ◽

Ninh-Thuan Truong

Keyword(s):

Access Control ◽

Web Applications ◽

Control Policies ◽

Access Control Policies

Download Full-text

Towards model-driven development of access control policies for web applications

Proceedings of the Workshop on Model-Driven Security - MDsec '12 ◽

10.1145/2422498.2422502 ◽

2012 ◽

Cited By ~ 6

Author(s):

Marianne Busch ◽

Nora Koch ◽

Massimiliano Masi ◽

Rosario Pugliese ◽

Francesco Tiezzi

Keyword(s):

Access Control ◽

Web Applications ◽

Control Policies ◽

Model Driven Development ◽

Model Driven ◽

Access Control Policies

Download Full-text

Automated reverse engineering of role-based access control policies of web applications

Journal of Systems and Software ◽

10.1016/j.jss.2021.111109 ◽

2021 ◽

pp. 111109

Author(s):

Ha Thanh Le ◽

Lwin Khin Shar ◽

Domenico Bianculli ◽

Lionel Claude Briand ◽

Cu Duy Nguyen

Keyword(s):

Access Control ◽

Reverse Engineering ◽

Web Applications ◽

Role Based Access Control ◽

Control Policies ◽

Access Control Policies ◽

Role Based

Download Full-text

PEP4Django A Policy Enforcement Point for Python Web Applications

10.5753/wgid.2019.14021 ◽

2019 ◽

Author(s):

Carlos Eduardo Da Silva ◽

Welkson De Medeiros ◽

Silvio Sampaio

Keyword(s):

Access Control ◽

Web Application ◽

Web Applications ◽

Policy Enforcement ◽

Control Mechanisms ◽

Business Logic ◽

Control Policies ◽

Control Rules ◽

Access Control Policies ◽

Policy Enforcement Point

Traditionally, access control mechanisms have been hard-coded into application components. Such approach is error-prone, mixing business logic with access control concerns, and affecting the ﬂexibility of security policies, as is the case with IFRN SUAP Django-based system. The externalization of access control rules allows their decoupling from business logic, through the use of authorization servers where access control policies are stored and queried for computing access decisions. In this context, this paper presents an approach that allows a Django Web application to delegate access control decisions to an external authorization server. The approach has been integrated into an enterprise level system, which has been used for experimentation. The results obtained indicate a negligible overhead, while allowing the modiﬁcation of access control policies without interrupting the system.

Download Full-text