Skip to main content
Book cover

International Conference on Database and Expert Systems Applications

DEXA 2022: Database and Expert Systems Applications pp 71–83Cite as

Extending Authorization Capabilities of Object Relational/Graph Mappers by Request Manipulation

Part of the Lecture Notes in Computer Science book series (LNCS,volume 13427)

Abstract

Enforcing authorization for web applications must be done on the server side. Thus, either the backend or the persistent storage are suitable layers. From a developer’s point of view, we want to use a framework to automate creating persistent storage models and to map the entities between storage and backend. However, not all such frameworks offer sufficient authorization support. From a scientist’s perspective, we want to generally combine the filtering capabilities of the persistent storage with the advantages of using a mapper framework. Therefore, we propose to intercept the communication between the backend and the mapper framework and thus provide a central point of authorization. This offers the advantage that developers are unlikely to inadvertently introduce security vulnerabilities. The request is modified by adding a filter to return only authorized entities. Filtering directly in the storage saves performance and bandwidth besides reducing development and maintenance effort.

Keywords

  • Information security
  • Web application
  • Query rewriting
  • Object-graph mapper
  • Aspect-oriented programming

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-031-12426-6_6
  • Chapter length: 13 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   109.00
Price excludes VAT (USA)
  • ISBN: 978-3-031-12426-6
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   139.99
Price excludes VAT (USA)
Learn about institutional subscriptions
Fig. 1.

Notes

  1. 1.

    https://spring.io/projects/spring-security.

  2. 2.

    https://spring.io/projects/spring-boot.

  3. 3.

    https://neo4j.com/product/neo4j-graph-database/.

  4. 4.

    https://neo4j.com/developer/neo4j-ogm/.

  5. 5.

    https://neo4j.com/developer/cypher/.

  6. 6.

    https://www.oracle.com/java/technologies/persistence-jsp.html.

References

  1. Bogaerts, J., Decat, M., Lagaisse, B., Joosen, W.: Entity-based access control: supporting more expressive access control policies. In: Proceedings of the 31st Annual Computer Security Applications Conference, pp. 291–300 (2015)

    Google Scholar 

  2. Dikanski, A., Steinegger, R., Abeck, S.: Identification and implementation of authentication and authorization patterns in the spring security framework. In: The Sixth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2012), pp. 14–30 (2012)

    Google Scholar 

  3. Jarman, J., McCart, J.A., Berndt, D., Ligatti, J.: A dynamic query-rewriting mechanism for role-based access control in databases. In: AMCIS 2008 Proceedings (2008)

    Google Scholar 

  4. Kanza, Y., Mendelzon, A.O., Miller, R.J., Zhang, Z.: Authorization-transparent access control for XML under the non-truman model. In: Ioannidis, Y., et al. (eds.) EDBT 2006. LNCS, vol. 3896, pp. 222–239. Springer, Heidelberg (2006). https://doi.org/10.1007/11687238_16

    CrossRef  Google Scholar 

  5. Kiczales, G., Hilsdale, E., Hugunin, J., Kersten, M., Palm, J., Griswold, W.G.: An overview of AspectJ. In: Knudsen, J.L. (ed.) ECOOP 2001. LNCS, vol. 2072, pp. 327–354. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45337-7_18

    CrossRef  Google Scholar 

  6. Kiczales, G., et al.: Aspect-oriented programming. In: Akşit, M., Matsuoka, S. (eds.) ECOOP 1997. LNCS, vol. 1241, pp. 220–242. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0053381

    CrossRef  Google Scholar 

  7. Leão, F., Azevedo, L.G., Baião, F., Cappelli, C.: Enforcing authorization rules in information systems. In: IADIS International Conference Applied Computing (2011)

    Google Scholar 

  8. Lecomte, F.: strategy-spring-security-acl (2016). https://github.com/lordlothar99/strategy-spring-security-acl

  9. Mohamed, A., Auer, D., Hofer, D., Küng, J.: Authorization strategies and classification of access control models. In: Dang, T.K., Küng, J., Chung, T.M., Takizawa, M. (eds.) FDSE 2021. LNCS, vol. 13076, pp. 155–174. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-91387-8_11

    CrossRef  Google Scholar 

  10. Mohamed, A., Auer, D., Hofer, D., Küng, J.: Extended authorization policy for graph-structured data. SN Comput. Sci. 2(5), 1–18 (2021)

    CrossRef  Google Scholar 

  11. Moser, O., Rosenberg, F., Dustdar, S.: Non-intrusive monitoring and service adaptation for WS-BPEL. In: Proceedings of the 17th International Conference on World Wide Web, WWW 2008, pp. 815–824. Association for Computing Machinery, New York (2008). https://doi.org/10.1145/1367497.1367607

  12. Motro, A.: An access authorization model for relational databases based on algebraic manipulation of view definitions. In: Proceedings of Fifth International Conference on Data Engineering, pp. 339–340. IEEE Computer Society (1989)

    Google Scholar 

  13. Neo4j Inc: Tutorial - OGM Library (2021). https://neo4j.com/docs/ogm-manual/current/tutorial/. Accessed 21 Dec 2021

  14. Neo4j Inc: Fine-grained access control (2022). https://neo4j.com/docs/operations-manual/current/authentication-authorization/access-control/. Accessed 19 Jan 2022

  15. Razina, E., Janzen, D.S.: Effects of dependency injection on maintainability. In: Proceedings of the 11th IASTED International Conference on Software Engineering and Applications, Cambridge, MA, p. 7 (2007)

    Google Scholar 

  16. Rizvi, S., Mendelzon, A., Sudarshan, S., Roy, P.: Extending query rewriting techniques for fine-grained access control. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, SIGMOD 2004, pp. 551–562. Association for Computing Machinery, New York (2004). https://doi.org/10.1145/1007568.1007631

  17. Rosenthal, A., Sciore, E.: View security as the basis for data warehouse security. In: DMDW, p. 8 (2000)

    Google Scholar 

  18. Rosenthal, A., Sciore, E.: Administering permissions for distributed data: factoring and automated inference. In: Olivier, M.S., Spooner, D.L. (eds.) Database and Application Security XV. ITIFIP, vol. 87, pp. 91–104. Springer, Boston, MA (2002). https://doi.org/10.1007/978-0-387-35587-0_7

    CrossRef  MATH  Google Scholar 

  19. The Linux Foundation: Linux incident (2021). https://cse.umn.edu/cs/linux-incident. Accessed 21 Dec 2021

  20. Volz, R., Oberle, D., Staab, S., Motik, B.: Kaon server-a semantic web management system. In: WWW (Alternate Paper Tracks). Citeseer (2003)

    Google Scholar 

  21. Wieringa, R.J.: Design Science Methodology for Information Systems and Software Engineering. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43839-8

    CrossRef  Google Scholar 

Download references

Acknowledgements

The research reported in this paper has been partly supported by the LIT Secure and Correct Systems Lab funded by the State of Upper Austria. This work has been supported by the COMET-K2 Center of the Linz Center of Mechatronics (LCM) funded by the Austrian federal government and the federal state of Upper Austria.

Author information

Authors and Affiliations

  1. Institute for Application-Oriented Knowledge Processing (FAW), Faculty of Engineering and Natural Sciences (TNF), Johannes Kepler University (JKU) Linz, Linz, Austria

    Daniel Hofer, Stefan Nadschläger, Aya Mohamed & Josef Küng

  2. LIT Secure and Correct Systems Lab, Linz Institute of Technology (LIT), Johannes Kepler University (JKU) Linz, Linz, Austria

    Daniel Hofer, Aya Mohamed & Josef Küng

Authors
  1. Daniel Hofer
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Stefan Nadschläger
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Aya Mohamed
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Josef Küng
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Daniel Hofer .

Editor information

Editors and Affiliations

  1. University of Vienna, Vienna, Austria

    Prof. Dr. Christine Strauss

  2. University of Calabria, Rende, Italy

    Alfredo Cuzzocrea

  3. Johannes Kepler University of Linz, Linz, Austria

    Gabriele Kotsis

  4. Vienna University of Technology, Vienna, Austria

    Prof. Dr. A Min Tjoa

  5. Johannes Kepler University of Linz, Linz, Austria

    Ismail Khalil

Rights and permissions

Reprints and Permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Hofer, D., Nadschläger, S., Mohamed, A., Küng, J. (2022). Extending Authorization Capabilities of Object Relational/Graph Mappers by Request Manipulation. In: Strauss, C., Cuzzocrea, A., Kotsis, G., Tjoa, A.M., Khalil, I. (eds) Database and Expert Systems Applications. DEXA 2022. Lecture Notes in Computer Science, vol 13427. Springer, Cham. https://doi.org/10.1007/978-3-031-12426-6_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-12426-6_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-12425-9

  • Online ISBN: 978-3-031-12426-6

  • eBook Packages: Computer ScienceComputer Science (R0)