Towards an Access-Control Metamodel for Web Content Management Systems

Out-of-the-box Web Content Management Systems (WCMSs) are the tool of choice for the development of millions of enterprise web sites, and they are also the basis of many web applications that reuse the WCMS for important tasks such as user registration and authentication. This widespread use makes their security critical, since a WCMS may manage sensitive information whose disclosure could lead to monetary and reputational losses. However, little attention has been paid to how developers actually use the content-protection mechanisms that WCMSs provide, in particular access control (AC). Indeed, once a policy has been configured, determining whether it provides the required protection is a complex task, because the specifics of each WCMS must be mastered first. To tackle this problem, we propose a metamodel tailored to the representation of WCMS AC policies, which eases analysis and manipulation by abstracting away vendor-specific details.
