A fine-grained access control system for XML documents

Web-based applications greatly increase information availability and ease of access, which is optimal for public information. The distribution and sharing of information via the Web that must be accessed in a selective way, such as electronic commerce transactions, require the definition and enforcement of security controls, ensuring that information will be accessible only to authorized entities. Different approaches have been proposed that address the problem of protecting information in a Web system. However, these approaches typically operate at the file-system level, independently of the data that have to be protected from unauthorized accesses. Part of this problem is due to the limitations of HTML, historically used to design Web documents. The extensible markup language (XML), a markup language promoted by the World Wide Web Consortium (W3C), is de facto the standard language for the exchange of information on the Internet and represents an important opportunity to provide fine-grained access control. We present an access control model to protect information distributed on the Web that, by exploiting XML's own capabilities, allows the definition and enforcement of access restrictions directly on the structure and content of the documents. We present a language for the specification of access restrictions, which uses standard notations and concepts, together with a description of a system architecture for access control enforcement based on existing technology. The result is a flexible and powerful security system offering a simple integration with current solutions.

[1]  Sabrina De Capitani di Vimercati,et al.  Access Control: Policies, Models, and Mechanisms , 2000, FOSAD.

[2]  Doug Lea,et al.  Concurrent Programming In Java , 1996 .

[3]  Alberto O. Mendelzon,et al.  Finding Regular Simple Paths in Graph Databases , 1989, SIAM J. Comput..

[4]  Ehud Gudes,et al.  A Model for Evaluation and Administration of Security in Object-Oriented Databases , 1994, IEEE Trans. Knowl. Data Eng..

[5]  Alin Deutsch,et al.  Containment and Integrity Constraints for XPath , 2001, KRDB.

[6]  C. M. Sperberg-McQueen,et al.  Extensible Markup Language (XML) , 1997, World Wide Web J..

[7]  Eric Thierry,et al.  A Quasi Optimal Bit-Vector Encoding of Tree Hierarchies. Application to Efficient Type Inclusion Tests , 2001, ECOOP.

[8]  C. M. Sperberg-McQueen,et al.  eXtensible Markup Language (XML) 1.0 (Second Edition) , 2000 .

[9]  Abraham Silberschatz,et al.  Database Systems Concepts , 1997 .

[10]  Elisa Bertino,et al.  An Authorization Model for a Distributed Hypertext System , 1996, IEEE Trans. Knowl. Data Eng..

[11]  Thomas J. Mowbray,et al.  CORBA design patterns , 1997 .

[12]  Douglas C. Schmidt An Object Behavioral Pattern for Concurrent Programming , 1999 .

[13]  Teresa F. Lunt,et al.  Access Control Policies for Database Systems , 1988, DBSec.

[14]  toExcel Extensible Stylesheet Language: Xsl Version 1.0 , 1999 .

[15]  Charles A. Shoniregun,et al.  Securing XML Documents , 2004, Australas. J. Inf. Syst..

[16]  Sushil Jajodia,et al.  Flexible support for multiple access control policies , 2001, TODS.

[17]  Steven J. DeRose,et al.  Xml linking language (xlink), version 1. 0 , 2000, WWW 2000.

[18]  Wenfei Fan,et al.  Path Constraints in Semistructured Databases , 2000, J. Comput. Syst. Sci..

[19]  Alexander Borgida,et al.  Efficient management of transitive relationships in large data and knowledge bases , 1989, SIGMOD '89.

[20]  Sharon C. Adler Previous version: , 1997 .

[21]  Arvind Malhotra,et al.  Xml schema part 2: datatypes , 1999 .

[22]  Simon S. Lam,et al.  Authorizations in Distributed Systems: A New Approach , 1993, J. Comput. Secur..

[23]  Michael Gertz,et al.  Flexible authentication of XML documents , 2001, CCS '01.

[24]  Lorrie Faith Cranor,et al.  The platform for privacy preferences , 1999, CACM.

[25]  Anders Berglund,et al.  Extensible Stylesheet Language (XSL) Version 1.0 , 1998 .

[26]  Alban Gabillon,et al.  Regulating Access to XML documents , 2001, DBSec.

[27]  Eric Rescorla,et al.  The Secure HyperText Transfer Protocol , 1999, RFC.

[28]  Elisa Bertino,et al.  A model of authorization for next-generation database systems , 1991, TODS.

[29]  Xin Wang,et al.  XrML -- eXtensible rights Markup Language , 2002, XMLSEC '02.

[30]  Elisa Bertino,et al.  Specifying and enforcing access control policies for XML document sources , 2004, World Wide Web.

[31]  Tova Milo,et al.  Active Views for Electronic Commerce , 1999, VLDB.

[32]  Roy T. Fielding,et al.  Uniform Resource Identifiers (URI): Generic Syntax , 1998, RFC.

[33]  Dan Brickley,et al.  Resource description framework (RDF) schema specification , 1998 .

[34]  Doug Lea,et al.  Concurrent programming in Java - design principles and patterns , 1996, Java series.

[35]  Klaus R. Dittrich,et al.  Complex Subjects, or: The Striving for Complexity is Ruling our World , 1993, DBSec.

[36]  B. F. Castro Buschmann, Frank; Meunier, Regine; Rohnert, Hans; Sommerlad, Peter; Stal, Michael. Pattern-oriented software architecture: a system of patterns, John Wiley & Sons Ltd, 1996 , 1997 .

[37]  Ernesto Damiani,et al.  Securing XML Documents , 2000, EDBT.

[38]  Susan B. Davidson,et al.  View Maintenance for Hierarchical Semistructured Data , 2000, DaWaK.

[39]  Elisa Bertino,et al.  Securing XML Documents with Author-X , 2001, IEEE Internet Comput..

[40]  Atwell R. Turquette,et al.  On the Many-Valued Logics , 1941 .

[41]  Roy Goldman,et al.  From Semistructured Data to XML: Migrating the Lore Data Model and Query Language , 1999, Markup Lang..

[42]  Stefano Paraboschi,et al.  Database Systems: Concepts, Languages & Architectures , 1999 .

[43]  Ernesto Damiani,et al.  Design and implementation of an access control processor for XML documents , 2000, Comput. Networks.

[44]  Dominic A. Orchard,et al.  XML Linking Language (XLink) Version 1. 0. World Wide Web Consortium, Proposed Recommendation PR - x , 2000 .

[45]  Gail-Joon Ahn,et al.  Role-based access control on the web , 2001, TSEC.

[46]  Stefano Paraboschi,et al.  Database Systems - Concepts, Languages and Architectures , 1999 .

[47]  Allen B. Tucker,et al.  Authentication, Access Control, and Intrusion Detection , 2004 .