Access Control Configuration for J2EE Web Applications: A Formal Perspective

  • Matteo Maria Casalino
  • Romuald Thion
  • Mohand-Said Hacid
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7449)


Business services are increasingly dependent upon Web applications. Whereas URL-based access control is one of the most prominent and pervasive security mechanisms in use, failure to restrict URL access is still a major security risk. This paper aims at mitigating this risk by giving a formal semantics for the access control constraints standardized in the J2EE Java Servlet Specification, arguably one of the most common frameworks for web applications. A decision engine and a comparison algorithm for change impact analysis of access control configurations are developed on top of this formal building block.
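The abstract names two artefacts built on the formal semantics, a decision engine and a change-impact comparison, without showing either. The following is an added example written for this page, not the authors' engine or code: a small Python decision engine for web.xml <security-constraint> elements, encoding the Servlet 2.4 rules as this editor reads them (url-pattern best match, exact over longest prefix over extension over default; http-method coverage; and combination of all constraints that apply, where an empty auth-constraint precludes everyone, a missing one opens the resource, and otherwise the caller needs one role from the union), plus a change_impact function that probes two configurations and reports every request whose decision differs. The two web.xml documents, the probe strategy and all function names are constructed for the example and are not from the paper. The sample change, restricting an admin constraint to GET, is the kind of edit the comparison is meant to catch: it leaves POST /admin/* uncovered, because method filtering happens after URL best-match and weaker URL matches are not consulted.

```python
# Added example (not the paper's engine): Servlet 2.4 <security-constraint> decisions as this editor reads them.
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PERMIT, DENY = "PERMIT", "DENY"

@dataclass
class Constraint:
    patterns: list
    methods: frozenset            # empty = every HTTP method
    roles: "frozenset | None"     # None = no auth-constraint; empty = nobody

def parse_constraints(web_xml: str) -> list:
    root = ET.fromstring(web_xml)
    for e in root.iter():         # drop the namespace so lookups use local names
        e.tag = e.tag.split("}", 1)[-1]
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    out = []
    for sc in root.findall("security-constraint"):
        ac, roles = sc.find("auth-constraint"), None
        if ac is not None:
            roles = frozenset(r.text.strip() for r in ac.findall("role-name"))
            if "*" in roles:      # "*" stands for every declared security-role
                roles = (roles - {"*"}) | declared
        for wrc in sc.findall("web-resource-collection"):  # one entry per collection
            out.append(Constraint([p.text.strip() for p in wrc.findall("url-pattern")],
                                  frozenset(m.text.strip().upper() for m in wrc.findall("http-method")), roles))
    return out

def match_rank(pattern, path):
    """Rank of a url-pattern match (higher wins) or None: exact > longest prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    elif pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    elif pattern == "/":
        return (0, 0)

def applicable(constraints, path, method):
    """Constraints governing (path, method): best URL match first, then the method filter."""
    best, best_rank = [], None
    for c in constraints:
        ranks = [r for r in (match_rank(p, path) for p in c.patterns) if r is not None]
        if ranks and (best_rank is None or max(ranks) > best_rank):
            best, best_rank = [], max(ranks)
        if ranks and max(ranks) == best_rank:
            best.append(c)
    # A collection naming http-methods covers only those; another method on the same URL is uncovered.
    return [c for c in best if not c.methods or method in c.methods]

def decide(constraints, path, method, principal_roles=frozenset()):
    """PERMIT or DENY for a caller holding principal_roles (empty = unauthenticated)."""
    cs = applicable(constraints, path, method)
    if not cs:
        return PERMIT                 # uncovered request: unrestricted
    if any(c.roles is not None and not c.roles for c in cs):
        return DENY                   # an empty auth-constraint precludes everyone
    if any(c.roles is None for c in cs):
        return PERMIT                 # a constraint with no auth-constraint opens it
    return PERMIT if principal_roles & frozenset().union(*(c.roles for c in cs)) else DENY

def change_impact(old_xml, new_xml):
    """Probe one request per url-pattern, each named method plus GET/POST, and each anonymous or
    single-role caller; return (path, method, roles, old, new) wherever the two decisions differ."""
    old, new = parse_constraints(old_xml), parse_constraints(new_xml)
    paths, methods, roles = set(), {"GET", "POST"}, set()
    for c in old + new:
        methods, roles = methods | c.methods, roles | (c.roles or set())
        paths |= {p[:-2] + "/probe" if p.endswith("/*") else "/probe" + p[1:] if p.startswith("*.") else p
                  for p in c.patterns}
    callers = [frozenset()] + [frozenset({r}) for r in sorted(roles)]
    diffs = []
    for path, method, who in ((p, m, w) for p in sorted(paths) for m in sorted(methods) for w in callers):
        before, after = decide(old, path, method, who), decide(new, path, method, who)
        if before != after:
            diffs.append((path, method, who, before, after))
    return diffs

def _web_xml(admin_extra):
    """Constructed web.xml (not from the paper); admin_extra is markup added to the admin collection."""
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>{admin_extra}</web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint></security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""

OLD_WEB_XML = _web_xml("")
NEW_WEB_XML = _web_xml("<http-method>GET</http-method>")  # looks like a harmless narrowing
```

Calling change_impact(OLD_WEB_XML, NEW_WEB_XML) returns exactly two changed probes, both POST /admin/probe: the anonymous caller and the user-role caller go from DENY to PERMIT, while GET /admin/probe and everything under /* are unchanged. The probe set is deliberately small (one representative path per pattern, the methods the configurations mention plus GET and POST, and single-role callers); a fuller comparison over the whole request space, of the kind the paper develops, is what the formal semantics makes tractable.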







Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Matteo Maria Casalino (1, 2)
  • Romuald Thion (2)
  • Mohand-Said Hacid (2)
  1. SAP Research Sophia-Antipolis, Mougins, France
  2. LIRIS CNRS UMR5205, Université de Lyon, Université C. Bernard Lyon 1, France
