A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applications

  • Kung Chen
  • Chih-Mao Huang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3439)


Access control is a system-wide concern that has both a generic nature and an application-dependent characteristic. It is generic in that many functions must be protected with restricted access, yet the rule for granting a request is highly dependent on the application state. Hence it is common to see the code implementing access control scattered over the system and tangled with the functional code, making the system difficult to maintain. This paper addresses this issue for Web applications by presenting a practical access control framework based on aspect-oriented programming (AOP). Our approach accommodates a wide range of access control requirements of different granularity. AOP supports the modular implementation of access control while still enabling the code to access the application state. Moreover, framework technology offers a balanced view between reuse and customization. As a result, our framework is able to enforce fine-grained access control for Web applications in a highly adaptable manner.
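The abstract's central claim is that an aspect can keep access-control logic out of the functional code while still reading the application state (here, the session and the object being accessed) that a fine-grained rule depends on. The following AspectJ sketch is an added illustration of that idea; it is not code from the paper or its framework, and every name in it (WebSession, PatientRecord, RecordService, AccessDenied, the "doctor" role) is an assumption chosen for the example.

```java
// Added example (not from the paper): an AspectJ aspect that enforces a
// state-dependent access rule around a protected operation. All class and
// role names here are assumptions made for the illustration.
import java.util.Set;

// Application state the rule needs: who is logged in and which roles they hold.
class WebSession {
    final String userId;
    final Set<String> roles;
    WebSession(String userId, Set<String> roles) { this.userId = userId; this.roles = roles; }
}

// The protected resource; the rule compares its owner against the session user.
class PatientRecord {
    final String ownerId;
    PatientRecord(String ownerId) { this.ownerId = ownerId; }
}

class AccessDenied extends RuntimeException {
    AccessDenied(String msg) { super(msg); }
}

// Functional code: no access-control logic is tangled in here.
class RecordService {
    String view(WebSession s, PatientRecord r) { return "record of " + r.ownerId; }
}

// The crosscutting concern, separated into one module. The pointcut binds the
// session and the record so the advice can evaluate the rule against them.
aspect RecordAccessControl {
    pointcut viewRecord(WebSession s, PatientRecord r):
        call(String RecordService.view(WebSession, PatientRecord)) && args(s, r);

    // Instance-level rule: the record's owner or any user holding the
    // "doctor" role may view it; everyone else is rejected before the
    // functional method runs.
    before(WebSession s, PatientRecord r): viewRecord(s, r) {
        boolean permitted = s.userId.equals(r.ownerId) || s.roles.contains("doctor");
        if (!permitted) {
            throw new AccessDenied(s.userId + " may not view record of " + r.ownerId);
        }
    }
}

public class Demo {
    public static void main(String[] args) {
        RecordService svc = new RecordService();
        PatientRecord alice = new PatientRecord("alice");
        WebSession owner  = new WebSession("alice", Set.of("patient"));
        WebSession doctor = new WebSession("bob",   Set.of("doctor"));
        WebSession clerk  = new WebSession("carol", Set.of("clerk"));

        System.out.println(svc.view(owner, alice));   // permitted: owner
        System.out.println(svc.view(doctor, alice));  // permitted: role
        try {
            svc.view(clerk, alice);                   // denied by the aspect
        } catch (AccessDenied e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Compile and run with the AspectJ compiler (`ajc`) and the AspectJ runtime on the classpath. The point to notice is the division of labour: RecordService carries only business behaviour, while the rule, and the decision of which join points it guards, live in the aspect, so changing the policy (say, adding an audit record on denial) touches one module rather than every protected method.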


Keywords (added by machine, not by the authors): Access Control, Access Control Modeling, Session Object, Constraint Expression, Access Control Rule




  1. 1.
    The Apache Struts Web Application Framework,
  2. 2.
    Chandramouli, R.: A Framework for Multiple Authorization Types in a Healthcare Application System. In: 17th Annual Computer Security Applications Conference (December 2001)Google Scholar
  3. 3.
    De Win, B., Piessens, F., Joosen, W., Verhanneman, T.: On the importance of the separation-of-concerns principle in secure software engineering. In: Workshop on the Application of Engineering Principles to System Security Design (2002)Google Scholar
  4. 4.
    De Win, B., Vanhaute, B., De Decker, B.: Building Frameworks in AspectJ. In: ECOOP 2001. Workshop on Advanced Separation of Concerns, pp. 1–6 (2001)Google Scholar
  5. 5.
    De Win, B., Vanhaute, B., De Decker, B.: Security Through Aspect-Oriented Programming. In: Advances in Network and Distributed Systems Security, pp. 125–138. Kluwer Academic, Dordrecht (2001)Google Scholar
  6. 6.
    Hanenberg, S., Schmidmeier, A.: Idioms for Building Software Frameworks in AspectJ. In: 2nd AOSD Workshop on Aspects, Components, and Patterns for Infrastructure Software (ACP4IS), Boston, MA, March 17 (2003)Google Scholar
  7. 7.
    Gamma, Helm, Johnson, Vlissides: Design Patterns. Addison-Wesley, Reading (1995)Google Scholar
  8. 8.
    Georg, G., Ray, I., France, R.: Using Aspects to Design a Secure System. In: Proc. of the 8th IEEE Int’l Conf. on Engineering of Complex Computer Systems (December 2002)Google Scholar
  9. 9.
    Georgiadis, C.K., Mavridis, I., Pangalos, G., Thomas, R.K.: Flexible Team-based Access Control Using Contexts. In: Sixth ACM Symposium on Access Control Models and Technologies (SACMAT 2001), Chantilly, VA, USA (May 2001)Google Scholar
  10. 10.
    Giuri, L., Iglio, P.: Role Templates for Content-Based Access Control. In: Proceedings, 2nd ACM Workshop on Role-Based Access Control, Fairfax, VA, October 28–29, pp. 153–159 (1997)Google Scholar
  11. 11.
    Goodwin, R., Goh, S.F., Wu, F.Y.: Instance-level access control for business-to-business electronic commerce. IBM System Journal 41(2) (2002)Google Scholar
  12. 12.
    Kiczales, G., Lamping, J., Menhdhekar, A., Maeda, C., Lopes, C., Loingtier, J.-M., Irwin, J.: Aspect-oriented programming. In: Aksit, M., Matsuoka, S. (eds.) ECOOP 1997. LNCS, vol. 1241, pp. 220–242. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  13. 13.
    Kiczales, G., Hilsdale, E., Hugunin, J., Kersten, M., Palm, J., Griswold, W.G.: Getting Started with AspectJ. Communications of ACM 44(10), 59–65 (2001)CrossRefGoogle Scholar
  14. 14.
    Kouadri Mostéfaoui, G., Brézillon, P.: A generic framework for context-based distributed authorizations. In: Blackburn, P., Ghidini, C., Turner, R.M., Giunchiglia, F. (eds.) CONTEXT 2003. LNCS, vol. 2680, pp. 204–217. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  15. 15.
    Open Web Application Security Project: The Top Ten Most Critical Web Application Security Vulnerabilities,
  16. 16.
    Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-Based Access Control Models. IEEE Computer 29(2), 38–47 (1996)Google Scholar
  17. 17.
    Sun Microsystems, Java Authentication and Authorization Service (JAAS),
  18. 18.
    Sun Microsystems, JavaServer Pages Technology (JSP),
  19. 19.
    Sun Microsystems, Java Servlet Technology,
  20. 20.
    Tzelepi1, S.K., Koukopoulos, D.K., Pangalos, G.: A flexible Content and Context-based Access Control Model for Multimedia Medical Image Database Systems. In: ACM SIGMM Electronic Proceedings (2001)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Kung Chen (1)
  • Chih-Mao Huang (1)

  1. Department of Computer Science, National Chengchi University, Wenshan, Taipei, Taiwan