
On the Compliance of Access Control Policies in Web Applications

  • Conference paper

Abstract

Model-View-Controller (MVC) architecture is commonly used in the implementation of web applications. These systems often incorporate security policies to ensure their reliability. Role-based access control (RBAC) is one of the effective solutions for reducing resource access violations in a system. This paper introduces an approach to check the compliance of a web application under MVC architecture with its RBAC specification. By investigating the system architecture and analysing the source code, our approach extracts a list of resource access permissions, constructs a resource exploitation graph and organizes an access control matrix according to the roles of the web application. The approach aims at checking two violation cases in web applications: (i) the presence of unspecified access rules and (ii) the absence of specified access rules. We illustrate the proposed approach with a case study of a web-based medical records management system.
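The two compliance checks described in the abstract can be made concrete as a set comparison between the RBAC specification and the access control matrix recovered from the application. The block below is an added illustration, not the authors' tool or code: it assumes a simplified model of the resource exploitation graph in which views link to controller actions, controller actions render views, and each controller action carries a role guard recovered from the source (an empty guard meaning the action is unguarded). All roles, resources, views and controller names are constructed sample data loosely modelled on a medical-records application.

```python
"""Compliance check of recovered access rules against an RBAC specification.

Added example with constructed data; the graph/guard model is an assumption,
not the paper's own implementation.
"""
from collections import deque

ROLES = {"doctor", "nurse", "patient"}

# RBAC specification (constructed): (role, resource, operation) triples that
# SHOULD be permitted. Note that nurses are specified to write records.
SPEC = {
    ("doctor", "record", "read"),
    ("doctor", "record", "write"),
    ("nurse", "record", "read"),
    ("nurse", "record", "write"),
    ("patient", "own_record", "read"),
}

# Per-role entry views after login (constructed).
ENTRY = {"doctor": "doctor_home", "nurse": "nurse_home", "patient": "patient_home"}

# Resource exploitation graph (constructed): edges from a view go to the
# controller actions it links to; edges from a controller action go to the
# view it renders.
LINKS = {
    "doctor_home": ["RecordController.show", "RecordController.update"],
    "nurse_home": ["RecordController.show"],
    "patient_home": ["PatientController.view"],
    "RecordController.show": ["record_view"],
    "record_view": ["RecordController.delete"],   # delete link is on the record page
    "RecordController.update": ["record_view"],
    "RecordController.delete": ["doctor_home"],
    "PatientController.view": ["own_record_view"],
    "own_record_view": [],
}

# Controller actions recovered from source (constructed): the resource and
# operation each one exercises and the roles its guard admits. An empty guard
# set means no role check was found, so any role that reaches it passes.
CONTROLLERS = {
    "RecordController.show":   ("record", "read", {"doctor", "nurse"}),
    "RecordController.update": ("record", "write", {"doctor"}),
    "RecordController.delete": ("record", "delete", set()),          # unguarded
    "PatientController.view":  ("own_record", "read", {"patient"}),
}


def reachable(role):
    """Nodes the role can reach from its entry view, crossing only guards that admit it."""
    start = ENTRY[role]
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in LINKS.get(node, []):
            if nxt in CONTROLLERS:
                _, _, guard = CONTROLLERS[nxt]
                if guard and role not in guard:
                    continue  # guard blocks this role; the edge is not traversable
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def extract_permissions():
    """Access control matrix actually implemented: (role, resource, operation) triples."""
    matrix = set()
    for role in ROLES:
        for node in reachable(role):
            if node in CONTROLLERS:
                resource, operation, _ = CONTROLLERS[node]
                matrix.add((role, resource, operation))
    return matrix


def check_compliance(spec=SPEC):
    """Return the two violation classes from the paper's abstract."""
    implemented = extract_permissions()
    return {
        "unspecified": sorted(implemented - spec),  # case (i): reachable but not specified
        "missing": sorted(spec - implemented),      # case (ii): specified but not reachable
    }


if __name__ == "__main__":
    result = check_compliance()
    for violation, triples in result.items():
        print(f"{violation}:")
        for role, resource, operation in triples:
            print(f"  {role} may {operation} {resource}")
```

On the constructed data the unguarded delete action is flagged as an unspecified permission for both doctor and nurse (case i), because both roles can navigate to the record page that links to it, while the specified nurse write permission is reported as missing (case ii), because the update action's guard only admits doctors. Traversing guards during reachability, rather than only reading annotations per action, is what lets the check find permissions that arise from navigation paths rather than from a single controller.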



Acknowledgments

This work has been supported by VNU University of Engineering and Technology under Project QG.16.32.

Corresponding author

Correspondence to Thanh-Nhan Luong.


Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Luong, TN., Vo, DH., To, VK., Truong, NT. (2019). On the Compliance of Access Control Policies in Web Applications. In: Cong Vinh, P., Alagar, V. (eds) Context-Aware Systems and Applications, and Nature of Computation and Communication. ICCASA ICTCC 2018 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 266. Springer, Cham. https://doi.org/10.1007/978-3-030-06152-4_6


  • DOI: https://doi.org/10.1007/978-3-030-06152-4_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-06151-7

  • Online ISBN: 978-3-030-06152-4
