Access Control Configuration for J2EE Web Applications: A Formal Perspective
Business services are increasingly dependent upon Web applications. Whereas URL-based access control is one of the most prominent and pervasive security mechanism in use, failure to restrict URL accesses is still a major security risk. This paper aims at mitigating this risk by giving a formal semantics for access control constraints standardized in the J2EE Java Servlet Specification, arguably one of the most common framework for web applications. A decision engine and a comparison algorithm for change impact analysis of access control configurations are developed on top of this formal building block.
KeywordsAccess Control Formal Semantic Security Constraint Role Lattice Formal Perspective
Unable to display preview. Download preview PDF.
- 1.Coward, D., Yoshida, Y.: Java servlet specification, version 2.4. Technical report. Sun Microsystems, Inc. (November 2003)Google Scholar
- 3.Casalino, M.M., Thion, R., Hacid, M.S.: Access control configuration for j2ee web applications: A formal perspective (extended research report) (June 2012), http://liris.cnrs.fr/publis/?id=5601
- 6.Ramli, C.D.P.K., Nielson, H.R., Nielson, F.: The logic of xacml - extended. CoRR abs/1110.3706 (2011)Google Scholar
- 8.Yuan, E., Tong, J.: Attributed based access control (abac) for web services. In: ICWS 2005, pp. 561–569. IEEE Computer Society, Washington, DC (2005)Google Scholar
- 9.Fisler, K., Krishnamurthi, S., Meyerovich, L.A., Tschantz, M.C.: Verification and change-impact analysis of access-control policies. In: ICSE, pp. 196–205. ACM (2005)Google Scholar