Modelling Security Policies in Hypermedia and Web- Based Applications

  • Paloma Díaz
  • Ignacio Aedo
  • Fivos Panetsos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2016)


As hyperdocuments grow and offer more and more contents and services, some of them become more sensitive and should only be accessed by very specific users. Moreover, hypermedia applications can offer different views and manipulation abilities to different users, depending on the role they play in a particular context. Such security requirements have to be integrated into the development process in such a way that what is understood by a proper and safe manipulation of a hyperdocument has to be analysed, specified and implemented using the appropriate abstractions. In this paper we present a high-level security model applied to the modelling of security policies using components and services belonging to the hypermedia domain. The model uses negative ACLs and context-dependent user permissions for the specification of security rules. An example of its use for the design and operation of a web-based magazine is also described.


Security Policy Security Requirement Security Model Information Item Security Manager 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Commercial Computer Security Centre Security Functionality Manual, Department of Trade and Industry, V21-Version 3.0. February (1989)Google Scholar
  2. 2.
    Sandhu, R. and Jajodia, S.: Integrity principles and mechanisms in Database management systems. Computer&Security, 10, (1991) 413–427.Google Scholar
  3. 3.
    Sandhu, R.S.: Lattice-Based Access Control Models. IEEE Computer, November, (1993) 9–19.Google Scholar
  4. 4.
    Brinkley, D.L. and Schell, R.R.: Concepts and Terminology for Computer Security. In “Information Security. A collection of essays” Ed. Abrams. M.D., Jajodia, S. and Podell, H.J. IEEE Computer Society Press (1995) 40–97.Google Scholar
  5. 5.
    Shandu, R.S., Coyne, E.J., Feinstein, H.L. and Youman, C.E.: Role-Based Access Control Models. IEEE Computer, 29(2), February (1996) 38–47.Google Scholar
  6. 6.
    Murugesan, S., Deshpande, Y., Hansen, S. and Ginige, A.: Web Engineering: A New Discipline for Development of web-based Systems. Proceedings of the First ICSE Workshop on Web-Engineering (, (1999)
  7. 7.
    Lowe, D. and Hall, W. Hypermedia and the web: an engineering approach. John Wiley & Sons. (1999)Google Scholar
  8. 8.
    Fernández, E. B., Krishnakumar, R.N., Larrondo-Petrie, M.M. and Xu, Y.: High-level Security Issues in Multimedia/Hypertext Systems. Communications and Multimedia Security II. P. Horster (ed.), Chapman & Hall. (1996) 13–24.Google Scholar
  9. 9.
    Dìaz, P., Aedo, I., Panetsos, F. and Ribagorda, A.: A security model for the design of hypermedia systems. Proc. of the 14th Information Security Conference SEC98. Vienna and Budapest. (1998) 251–260.Google Scholar
  10. 10.
    Denning, D.E.: A Lattice Model of Secure Information Flow. Communications of the ACM, 19 (5) (1976) 236–243.zbMATHMathSciNetGoogle Scholar
  11. 11.
    Clark, D.D. and Wilson, D.R.: A Comparison of Commercial an Military Computer Security Policies. Proceedings of the Symposium on Security and Privacy (1987) 184–194.Google Scholar
  12. 12.
    Bertino, E., Jajodia, S. and Samarati, P.: A Flexible Authorization Model for Relational Data Management Systems. ACM Trans. of Information Systems, 17 (2), April (1999) 101–140.CrossRefGoogle Scholar
  13. 13.
    Bell, D.E. and LaPadula, L.J.: “Secure Computer Systems: Mathematical Foundations and Model”. Mitre Corp. Report No. M74-244, Bedford, Mass (1975)Google Scholar
  14. 14.
    Biba, K.J.: “Integrity Considerations for Secure Computer Systems”. Mitre Corp. Report TR-3153, Bedford, Mass (1977)Google Scholar
  15. 15.
    Thuraisingham, B.: Multilevel security for information retrieval systems-II. Information and Management, 28, (1995) 49–61.CrossRefGoogle Scholar
  16. 16.
    Dìaz, P., Aedo, I. and Panetsos, F. Modeling the dynamic behavior of hypermedia applications. IEEE Transactions on Software Engineering (forthcoming).Google Scholar
  17. 17.
    Graham, G.S. and Denning, P.:Protection-Principles and Practice, Proceedings Spring Join Comp. Conference, 40, AFIPS Press, Montvale, N.J. (1972) 417–429.Google Scholar
  18. 18.
    Dìaz, P., Aedo, I. and Panetsos, F.: Definition of integrity policies for web-based applications. In “Integrity and Internal Control in Information Systems Strategic Views on the Need for Control”. Eds. Margaret E. van Biene-Hershey and Leon A.M. Strous. Kluwer Academic Publishers. (2000) 85–98.Google Scholar
  19. 19.
    Furht, B.: Multimedia Systems: an overwiev. IEEE Multimedia, 1(1), 47–59, 1994.CrossRefGoogle Scholar
  20. 20.
    Nielsen, J.: Multimedia and hypertext: the Internet and beyond. Academic Press Professional, Boston, (1995)Google Scholar
  21. 21.
    Tompa, F.: A Data Model for Flexible Hypertext Database Systems ACM Transactions on Information Systems, 7 (1).(1989) 85–100.CrossRefGoogle Scholar
  22. 22.
    Halasz, F. G. and Schwartz, M.: The Dexter Hypertext Reference Model. Proc. of World Conference of Hypertext, (1990) 95–133.Google Scholar
  23. 23.
    Hardman, L., Bulterman, D. and Van Rossum, G.: The Amsterdam Hypermedia Model: Extending Hypertext to support Real Multimedia. Hypermedia 5 (1) (1993) 47–69.Google Scholar
  24. 24.
    Campbell, B. and Goodman, J. M.: HAM: A general purpose hypertext abstract Machine’ Communications of the ACM 31 (7) (1988) 856–861.CrossRefGoogle Scholar
  25. 25.
    Stotts P. D. and Furuta R.: Petri-Net-Based Hypertext: Document Structure with Browsing Semantics. ACM Transactions on Office Information Systems, 7(1). (1989).Google Scholar
  26. 26.
    Lange, D B ‘A Formal Model of Hypertext’ Proceedings of the Hypertext Standardization Workshop, Judi Moline, Dan Beningni and Jean Baronas Eds. (1990) 145–166.Google Scholar
  27. 27.
    Merkl, D. and Pernul, G.: Security for next generation hypertext systems. Hypermedia. 6 (1) (1994) 1–19.Google Scholar
  28. 28.
    Samarati, P., Bertino, E. and Jajodia, S.: An Authorization Model for a Distributed Hypertext System. IEEE Transactions on Knowledge and Data Engineering, 8 (4), (1996) 555–562.CrossRefGoogle Scholar
  29. 29.
    Dìaz, P., Aedo, I. and Panetsos, F.: Labyrinth, an abstract model for hypermedia applications. Description of its static components. Information Systems, 22 (8) (1997) 447–464.CrossRefGoogle Scholar
  30. 30.
    Dìaz, P., Aedo, I. and Panetsos, F. A methodological framework for the conceptual design of hypermedia systems. Proc. of the Fifth Conference on “Hypertexts and Hypermedia: Products, Tools and Methods” (H2PTM 99). Paris, September, (1999) 213–228.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Paloma Díaz
    • 1
  • Ignacio Aedo
    • 2
  • Fivos Panetsos
    • 2
  1. 1.Laboratorio DEI. Departamento de InformáticaUniversidad Carlos III de MadridLeganésSpain
  2. 2.Departmento de Matemática Aplicada. Facultad de BiologíaUniversidad Complutense de MadridMadridSpain

Personalised recommendations