An Aspect-Oriented Approach to Declarative Access Control for Web Applications

  • Kung Chen
  • Ching-Wei Lin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3841)


This paper presents an aspect-oriented approach to declarative access control for Web applications that can not only realize fine-grained access control requirements but also accomplish it with very little runtime overhead. We devise a translation scheme that will automatically synthesize the desired aspect modules from access control rules in XML format and properly designed aspect templates. The generated aspect modules will then be compiled and integrated into the underlying application using standard aspect tools. At runtime, these aspect codes will be executed to enforce the required access control without any runtime interpretation overhead. Future changes of access control rules can also be effectively realized through these mechanisms without actual coding.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    The Apache Struts Web Application Framework,
  2. 2.
    Beznosov, K., Deng, Y.: Engineering Application-level Access Control in Distributed Systems. In: Handbook of Software Engineering and Knowledge Engineering, vol. 1 (2002)Google Scholar
  3. 3.
    Chen, K., Huang, C.H.: A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applications. In: Deng, R.H., Bao, F., Pang, H., Zhou, J. (eds.) ISPEC 2005. LNCS, vol. 3439, pp. 156–167. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    De Win, B., Piessens, F., Joosen, W., Verhanneman, T.: On the importance of the separation-of-concerns principle in secure software engineering. In: Workshop on the Application of Engineering Principles to System Security Design (2002)Google Scholar
  5. 5.
    De Win, B., Vanhaute, B., De Decker, B.: Security Through Aspect-Oriented Programming. In: Advances in Network and Distributed Systems Security, pp. 125–138. Kluwer Academic, Dordrecht (2001)Google Scholar
  6. 6.
    Fonseca, C.A.: Extending JAAS for Class Instance-Level Authorization. IBM DeveloperWorks (April 2002),
  7. 7.
    Gamma, Helm, Johnson, Vlissides: Design Patterns. Addison-Wesley, Reading (1995)Google Scholar
  8. 8.
    Goodwin, R., Goh, S.F., Wu, F.Y.: Instance-level access control for business-to-business electronic commerce. IBM System Journal 41(2) (2002)Google Scholar
  9. 9.
    Hilsdale, E., Hugunin, J.: Advice Weaving in AspectJ. In: Proceedings of the 3rd International Conference on Aspect-Oriented Software Development, Lancaster, pp. 26–35 (2004)Google Scholar
  10. 10.
    Kiczales, G., Lamping, J., Menhdhekar, A., Maeda, C., Lopes, C., Loingtier, J.-M., Irwin, J.: Aspect-Oriented Programming. In: Aksit, M., Matsuoka, S. (eds.) ECOOP 1997. LNCS, vol. 1241, pp. 220–242. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  11. 11.
    Kiczales, G., Hilsdale, E., Hugunin, J., Kersten, M., Palm, J., Griswold, W.G.: Getting Started with AspectJ. Communications of ACM 44(10), 59–65 (2001)CrossRefGoogle Scholar
  12. 12.
    Lin, C.W.: An Aspect-Oriented Approach to Fine-Grained Access Control for Web Applications. M.S. Thesis, National Chengchi University (July 2005)Google Scholar
  13. 13.
    Open Web Application Security Project: The Top Ten Most Critical Web Application Security Vulnerabilities,
  14. 14.
    Probst, S., Kueng, J.: The Need for Declarative Security Mechanisms. In: IEEE Proceedings of the 30th EUROMICRO Conference (EUROMICRO 2004) (August 2004)Google Scholar
  15. 15.
    Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)Google Scholar
  16. 16.
    Sun Microsystems, Java Authentication and Authorization Service (JAAS),
  17. 17.
    Sun Microsystem, Java 2 Platform, Enterprise Edition (J2EE),

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Kung Chen
    • 1
  • Ching-Wei Lin
    • 1
  1. 1.Department of Computer ScienceNational Chengchi UniversityWenshan, TaipeiTaiwan

Personalised recommendations