Towards an Access-Control Metamodel for Web Content Management Systems

  • Salvador Martínez
  • Joaquin Garcia-Alfaro
  • Frédéric Cuppens
  • Nora Cuppens-Boulahia
  • Jordi Cabot
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8295)


Out-of-the-box Web Content Management Systems (WCMSs) are the tool of choice for the development of millions of enterprise web sites but also the basis of many web applications that reuse WCMS for important tasks like user registration and authentication. This widespread use highlights the importance of their security, as WCMSs may manage sensitive information whose disclosure could lead to monetary and reputation losses. However, little attention has been brought to the analysis of how developers use the content protection mechanisms provided by WCMSs, in particular, Access-control (AC). Indeed, once configured, knowing if the AC policy provides the required protection is a complex task as the specificities of each WCMS need to be mastered. To tackle this problem, we propose here a metamodel tailored to the representation of WCMS AC policies, easing the analysis and manipulation tasks by abstracting from vendor-specific details.


Security Policy Reputation Loss Role Role Model Query Language Authenticate Role 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Drupal Open-source CMS (2013),
  2. 2.
    Alalfi, M.H., Cordy, J.R., Dean, T.R.: Recovering role-based access control security models from dynamic web applications. In: Brambilla, M., Tokuda, T., Tolksdorf, R. (eds.) ICWE 2012. LNCS, vol. 7387, pp. 121–136. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  3. 3.
    Gauthier, F., Letarte, D., Lavoie, T., Merlo, E.: Extraction and comprehension of moodle’s access control model: A case study. In: PST, pp. 44–51. IEEE (2011)Google Scholar
  4. 4.
    Martínez, S., Cosentino, V., Cabot, J., Cuppens, F.: Reverse Engineering of Database Security Policies. In: Decker, H., Lhotská, L., Link, S., Basl, J., Tjoa, A.M. (eds.) DEXA 2013, Part II. LNCS, vol. 8056, pp. 442–449. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. 5.
    Meike, M., Sametinger, J., Wiesauer, A.: Security in open source web content management systems. IEEE Security & Privacy 7(4), 44–51 (2009)CrossRefGoogle Scholar
  6. 6.
    Sandhu, R., Ferraiolo, D., Kuhn, R.: The NIST model for role-based access control: towards a unified standard. In: Proceedings of the Fifth ACM Workshop on Role-Based Access Control, RBAC 2000, pp. 47–63. ACM (2000)Google Scholar
  7. 7.
    Sandhu, R.S., Samarati, P.: Access control: principle and practice. IEEE Communications Magazine 32(9), 40–48 (1994)CrossRefGoogle Scholar
  8. 8.
    Vaidyanathan, G., Mautone, S.: Security in dynamic web content management systems applications. Communications of the ACM 52(12), 121–125 (2009)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Salvador Martínez
    • 1
  • Joaquin Garcia-Alfaro
    • 3
  • Frédéric Cuppens
    • 2
  • Nora Cuppens-Boulahia
    • 2
  • Jordi Cabot
    • 1
  1. 1.INRIA, LINAATLANMOD, & École des Mines de NantesNantesFrance
  2. 2.Télécom Bretagne; LUSSI DepartmentUniversité Européenne de BretagneFrance
  3. 3.RST Department, CNRS Samovar UMRTélécom SudParisEvryFrance

Personalised recommendations