
Access Control Configuration for J2EE Web Applications: A Formal Perspective

  • Conference paper
In: Trust, Privacy and Security in Digital Business (TrustBus 2012)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7449)

Abstract

Business services are increasingly dependent upon Web applications. URL-based access control is one of the most prominent and pervasive security mechanisms in use, yet failure to restrict URL access is still a major security risk. This paper aims at mitigating this risk by giving a formal semantics for the access control constraints standardized in the J2EE Java Servlet Specification, arguably one of the most common frameworks for web applications. A decision engine and a comparison algorithm for change impact analysis of access control configurations are developed on top of this formal building block.

This work is partially supported by the FP7-ICT-2009.1.4 Project PoSecCo (no. 257129, www.posecco.eu )
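As an added illustration (this is not the paper's decision engine or comparison algorithm, neither of which is reproduced on this page), the Python script below models the Servlet-specification constraint semantics the abstract refers to: a request is processed by first selecting the best-matching url-pattern (exact, then longest path prefix, then extension, then the default "/"), then keeping only the constraints on that pattern whose http-method list is empty or names the request method, so a constraint that lists only GET and POST leaves every other method unconstrained on that pattern. Several constraints on the same pattern combine as the union of their role names, except that an absent auth-constraint combines to unauthenticated access and an empty one denies everyone. The two web.xml fragments and the probe requests are constructed for the example, and the comparison simply diffs decisions over the probe set, which is a naive form of change-impact analysis rather than the paper's algorithm.

```python
import xml.etree.ElementTree as ET

# Constructed example "before" configuration: only GET and POST are constrained.
OLD_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed example "after" configuration: the method list is dropped and two constraints are added.
NEW_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/health</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/debug/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

UNCONSTRAINED, PERMIT_ALL, DENY_ALL = "unconstrained", "permit-all", "deny-all"


def parse(xml_text):
    """Return (patterns, methods, auth) triples; auth is None (absent), frozenset() (empty) or role names."""
    triples = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        ac = sc.find("auth-constraint")
        auth = None if ac is None else frozenset(r.text.strip() for r in ac.findall("role-name"))
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = frozenset(m.text.strip().upper() for m in wrc.findall("http-method"))
            triples.append((patterns, methods, auth))
    return triples


def match_rank(pattern, path):
    """Servlet mapping precedence: exact > longest path prefix > extension > default '/'; None if no match."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def decide(constraints, path, method):
    """Pick the best-matching url-pattern, then filter by http-method, then combine auth-constraints.
    Returns UNCONSTRAINED, PERMIT_ALL, DENY_ALL, or a sorted tuple of permitted role names."""
    best, best_pattern = None, None
    for patterns, _, _ in constraints:
        for p in patterns:
            rank = match_rank(p, path)
            if rank is not None and (best is None or rank > best):
                best, best_pattern = rank, p
    if best_pattern is None:
        return UNCONSTRAINED
    applicable = [auth for patterns, methods, auth in constraints
                  if best_pattern in patterns and (not methods or method.upper() in methods)]
    if not applicable:
        return UNCONSTRAINED  # pattern matched, but this HTTP method is not constrained on it
    if any(auth is not None and not auth for auth in applicable):
        return DENY_ALL  # an empty auth-constraint overrides every other constraint on the pattern
    if any(auth is None for auth in applicable):
        return PERMIT_ALL  # a missing auth-constraint combines to unauthenticated access
    return tuple(sorted(frozenset().union(*applicable)))


def compare(old, new, probes):
    """Naive change-impact analysis: probes whose decision differs between the two configurations."""
    diffs = []
    for path, method in probes:
        before, after = decide(old, path, method), decide(new, path, method)
        if before != after:
            diffs.append((path, method, before, after))
    return diffs


# Constructed probe requests (path, method).
PROBES = [("/admin/users", "GET"), ("/admin/users", "HEAD"), ("/admin/health", "GET"),
          ("/admin/debug/vars", "POST"), ("/index.jsp", "GET")]

if __name__ == "__main__":
    for row in compare(parse(OLD_WEB_XML), parse(NEW_WEB_XML), PROBES):
        print(row)
```

Running the script lists three changed decisions: HEAD on /admin/users goes from unconstrained to requiring the admin role (the method-list gap the old configuration left open), /admin/health goes from admin-only to permit-all because the new exact-match constraint has no auth-constraint, and /admin/debug/vars becomes deny-all because of the empty auth-constraint. Probing with an enumerated request set only finds differences at the probes you thought to include; the point of a formal semantics such as the paper's is to compare the configurations over all requests rather than a sample.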




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Casalino, M.M., Thion, R., Hacid, M.S. (2012). Access Control Configuration for J2EE Web Applications: A Formal Perspective. In: Fischer-Hübner, S., Katsikas, S., Quirchmayr, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2012. Lecture Notes in Computer Science, vol 7449. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32287-7_3

  • DOI: https://doi.org/10.1007/978-3-642-32287-7_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32286-0

  • Online ISBN: 978-3-642-32287-7

