A Generic XACML Based Declarative Authorization Scheme for Java

Architecture and Implementation
  • Rajeev Gupta
  • Manish Bhide
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3679)


Security and authorization play a very important role in the development, deployment and functioning of software systems. Java being the most popular platform for component-based software and systems, Java security plays a key role in enterprise systems. The major drawback of the security support provided by J2EE and J2SE is the absence of a standard way to support instance-level access control. JAAS does provide some help, but it is not without its share of problems. The newest security-related standard, XACML, provides a standard and simple way to represent security policies. In this paper we propose a unique way to extend JAAS so that it can support class-instance-level access control in a declarative manner. We then show how this extension can be molded into the XACML architecture, thereby providing an end-to-end, standards-based access control specification and implementation for J2SE and J2EE applications. The major advantage of our technique is that, being declarative, it does not require any change to the security code when either the security policies change or the security infrastructure is deployed in a new environment.





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Rajeev Gupta (1)
  • Manish Bhide (1)
  1. IBM India Research Lab, Block 1, IIT Delhi, India
