ABSTRACT
The several models and solutions were introduced and implemented to address privacy and security issues during past decades. However, the most advanced role-based access control models support coarse-grained access control and widely used open source frameworks cannot provide efficient and effective fine-grained solution. We introduce a general fine-grained access control model and provide an implementation by extending Spring Security framework. Our model is tightly coupled with database access control at row-level and is separated from business functions of the application.
- A. E. Abdallah and E. J. Khayat. A formal model for parameterized role-based access control. In Formal Aspects in Security and Trust: 2nd IFIP TC1 WG1.7 Workshop on Formal Aspects in Security and Trust (FAST), an event of the 18th IFIP World Computer Congress, August 22-27, 2004, Toulouse, France, pages 233--246, 2004.Google Scholar
- G.-J. Ahn and H. Hu. Towards realizing a formal rbac model in real systems. In Proc. the 12th ACM ACMAT '07, p. 215--224, 2007. ACM. Google ScholarDigital Library
- http://shiro.apache.org/.Google Scholar
- A. Armando, R. Carbone, E. G. Chekole, and S. Ranise. Attribute based access control for apis in spring security. In Proc. 19th ACM SACMAT '14, p. 85--88, 2014. ACM. Google ScholarDigital Library
- J. Chae. Towards modal logic formalization of role-based access control with object classes. In Proc. the 27th IFIP WG 6.1 Intnl. Conf. on Formal Techniques for Networked and Distributed Systems, FORTE '07, p. 97--111, Berlin, Heidelberg, 2007. Springer-Verlag. Google ScholarDigital Library
- J. H. Chae and N. Shiri. Formalization of rbac policy with object class hierarchy. In Proc. ISPEC07, pages 162--176, Berlin, Heidelberg, 2007. Springer-Verlag. Google ScholarDigital Library
- A. Cuzzocrea, M.-S. Hacid, and N. Grillo. Effectively and efficiently selecting access control rules on materialized views over relational databases. In Proc. IDEAS '10 p. 225--235, 2010. ACM. Google ScholarDigital Library
- M. Finifter, A. Mettler, N. Sastry, and D. Wagner. Verifiable functional purity in java. In Proc. ACM CCS '08, p. 161--174, New York, NY, USA, 2008. ACM. Google ScholarDigital Library
- A. Y. Halevy. Theory of answering queries using views. SIGMOD Rec., 29(4):40--47, Dec. 2000. Google ScholarDigital Library
- Y. Han, X. Chun-Gen, Z. Gong-Xuan, and L. Feng-Yu. Constraint specification for object model of access control based on role. SIGSOFT Softw. Eng. Notes, 25(2):60--63, Mar. 2000. Google ScholarDigital Library
- G. T. Leavens, A. L. Baker, and C. Ruby. Preliminary design of jml: A behavioral interface specification language for java. SIGSOFT Softw. Eng Notes, 31(3):1--38, 2006. Google ScholarDigital Library
- T. Lodderstedt, D. A. Basin, and J. Doser. Secureuml: A uml-based modeling language for model-driven security. In Proc. UML '02, p. 426--441, London, UK, UK, 2002. Springer-Verlag. Google ScholarDigital Library
- T. Mustafa, M. Drouineaud, and K. Sohr. Towards formal specification and verification of a role-based authorization engine using jml. In Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, SESS '10, p. 50--57, ACM. Google ScholarDigital Library
- G. Naumovich and P. Centonze. Static analysis of role-based access control in j2ee applications. SIGSOFT Softw. Eng. Notes, 29(5):1--10, Sept. 2004. Google ScholarDigital Library
- American national standards institute inc. role based access control. ANSI-INCITS 359--2004, 2004. Accessed April 4, 2010.Google Scholar
- http://www.omg.org/spec/OCL/.Google Scholar
- L. E. Olson, C A. Gunter, W. R. Cook, and M. Winslett. Implementing reflective access control in sql. In Proc. 23rd Annual IFIP WG 11.3 Working Conf. on Data and Applications Security XXIII, pages 17--32, Berlin, Heidelberg, 2009. Springer-Verlag. Google ScholarDigital Library
- R. Pandey and B. Hashii. Providing fine-grained access control for java programs. In Proc. ECOOP '99, p. 449-- 473, London, UK, UK, 1999. Springer-Verlag. Google ScholarDigital Library
- S. Rizvi, A. Mendelzon, S. Sudarshan, and P. Roy. Extending query rewriting techniques for fine-grained access control. In Proc. SIGMOD '04, p. 551--562ACM. Google ScholarDigital Library
- E. Rosenthal, A. Sciore. Abstracting and refining authorization in sql. In Proceedings of VLDB 2004 Workshop, pages 184--162, 2004.Google ScholarCross Ref
- R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman. Role-based access control models. Computer, 29(2):38--47, Feb. 1996. Google ScholarDigital Library
- D. Servos and S. L. Osborn. Current research and open problems in attribute-based access control. ACM Comput. Surv., 49(4):65:1--65:45, Jan. 2017. Google ScholarDigital Library
- http://projects.spring.io/spring-data/.Google Scholar
- https://docs.spring.io/spring/docs/current/spring-framework-reference/html/expressions.html.Google Scholar
- http://projects.spring.io/spring-security/.Google Scholar
- http://www.uml.org/.Google Scholar
- The virtual private database in oracle9ir2: An oracle technical white paper. http://otn.oracle.com/deploy/-security/oracle9ir2/pdf/vpd9ir2twp.pdf.Google Scholar
- J. Zarnett, M. Tripunitara, and P. Lam. Role-based access control (rbac) in java via proxy objects using annotations. In Proc. ACMAT '10, p. 79--88, 2010. ACM. Google ScholarDigital Library
Recommendations
Towards a Flexible Fine-Grained Access Control System for Modern Cloud Applications
CLOUD '14: Proceedings of the 2014 IEEE International Conference on Cloud ComputingThe fast growth of cloud applications highlights the requirement of appropriate security controls to restrict access to shared resources limited to authorized users. Existing authorization systems are not primarily designed for cloud environments and do ...
Towards fine-grained access control on browser extensions
ISPEC'12: Proceedings of the 8th international conference on Information Security Practice and ExperienceWe propose a practical and fine-grained browser extension access control framework, which regulates the misbehavior of JSEs with malicious intent at run time by means of restricting the access to resources, in order to prevent the malicious JSEs from ...
Comments