Access Control Configuration for J2EE Web Applications: A Formal Perspective

Business services are increasingly dependent upon Web applications. Whereas URL-based access control is one of the most prominent and pervasive security mechanism in use, failure to restrict URL accesses is still a major security risk. This paper aims at mitigating this risk by giving a formal semantics for access control constraints standardized in the J2EE Java Servlet Specification, arguably one of the most common framework for web applications. A decision engine and a comparison algorithm for change impact analysis of access control configurations are developed on top of this formal building block.

[1]  Paolina Centonze,et al.  Static analysis of role-based access control in J2EE applications , 2004, SOEN.

[2]  Jeremy Bryans,et al.  Reasoning about XACML policies using CSP , 2005, SWS '05.

[3]  James A. Hendler,et al.  Analyzing web access control policies , 2007, WWW '07.

[4]  Jin Tong,et al.  Attributed based access control (ABAC) for Web services , 2005, IEEE International Conference on Web Services (ICWS'05).

[5]  Gail-Joon Ahn,et al.  Representing and Reasoning about Web Access Control Policies , 2010, 2010 IEEE 34th Annual Computer Software and Applications Conference.

[6]  Jorge Lobo,et al.  D-algebra for composing access control policy decisions , 2009, ASIACCS '09.

[7]  Jason Crampton,et al.  PTaCL: A Language for Attribute-Based Access Control in Open Systems , 2012, POST.

[8]  Kathi Fisler,et al.  Verification and change-impact analysis of access-control policies , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[9]  Elisa Bertino,et al.  Ws-AC: A Fine Grained Access Control System for Web Services , 2006, World Wide Web.

[10]  Gang Huang,et al.  Validating Access Control Configurations in J2EE Applications , 2008, CBSE.

[11]  D. B. Davis,et al.  Sun Microsystems Inc. , 1993 .

[12]  Flemming Nielson,et al.  The Logic of XACML - Extended , 2011, ArXiv.