Skip to main content
SpringerLink
Log in
SpringerLink
Log in

Object Security Attributes: Enabling Application-Specific Access Control in Middleware

  • Conference paper
  • First Online:
On the Move to Meaningful Internet Systems 2002: CoopIS, DOA, and ODBASE (OTM 2002)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2519))

Abstract

This paper makes two primary contributions toward establishing support for application-specific factors in middleware security mechanisms. First, it develops a simple classification framework for reasoning about the architecture of the security mechanisms in distributed applications that follow the decision-enforcement paradigm of the reference monitor. It uses the framework to demonstrate that the existing solutions lack satisfying tradeoffs for a wide range of those applications that require application-specific factors to be used in security decisions while mediating access requests. Second, by introducing attribute function in addition to decision and enforcement functions, it proposes a novel scheme for clean separation among suppliers of middleware security, security decision logic, and application-logic, while supporting application-specific protection policies. To illustrate the scheme on a concrete example, we describe its mapping into CORBA Security.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. OSI, “Information Technology — Open Systems Interconnection — Security frameworks in open systems — Part 3: Access control,” ISO/IEC JTC1 10181-3, 1994.

    Google Scholar 

  2. G. Karjoth, “The Authorization Service of Tivoli Policy Director,” presented at Annual Computer Security Applications Conference (ACSAC), New Orleans, Louisiana, 2001.

    Google Scholar 

  3. Netegrity, “SiteMinder Concepts Guide,” Netegrity, Waltham, MA 2000.

    Google Scholar 

  4. Entegrity, “Entegrity AssureAccess™-Technical Overview,” Entegrity Solutions, September 2000.

    Google Scholar 

  5. Securant, “Unified Access Management: A Model For Integrated Web Security,” Securant Technologies, June 25 1999, http://www.cleartrust.com.

  6. P. A. Bonatti, E. Damiani, S. D. C. d. Vimercati, and P. Samarati, “A Component-based Architecture for Secure Data Publication,” presented at ACSAC, New Orleans, Louisiana, 2001.

    Google Scholar 

  7. OMG, “CORBAservices: Common Object Services Specification, Security Service Specification v1.7,” document formal/01-03-08 2001, http://www.omg.org/cgi-bin/doc?formal/01-03-08.

  8. C. Lai, L. Gong, L. Koved, A. Nadalin, and R. Schemers, “User Authentication And Authorization In The Java Platform,” presented at ACSAC, Phoenix, Arizona, USA, 1999, http://java.sun.com/security/jaas/doc/acsac.html.

  9. Sun, “Java Authentication and Authorization Service (JAAS),” Sun Microsystems, 2001.

    Google Scholar 

  10. T. Ryutov and C. Neuman, “Access Control Framework for Distributed Applications (Work in Progress),” IETF, Internet Draft draft-ietf-cat-acc-cntrl-frmw-03, March 9 2000.

    Google Scholar 

  11. T. Ryutov and C. Neuman, “Representation and Evaluation of Security Policies for Distributed System Services,” presented at DARPA Information Servability Conference Exposition, Healton Head, South Carolina, 2000.

    Google Scholar 

  12. XACML-TC, “OASIS eXtensible Access Control Markup Language (XACML), Committee Draft,” OASIS May 9 2002, http://www.oasis-open.org/committees/xacml/docs/.

  13. M. Kudo and S. Hada, “XML Document Security Based on Provisional Authorization,” presented at ACM Conference on Computer and Communications Security, Athenes, Greece, 2000.

    Google Scholar 

  14. B. Hailpern and H. Ossher, “Extending Objects to Support Multiple Interfaces and Access Control,” IEEE Transactions on Software Engineering, vol. 16, pp. 1247–1257, 1990.

    Article  Google Scholar 

  15. J. Barkley, “Implementing Role-based Access Control Using Object Technology,” presented at The First ACM Workshop on Role-Based Access Control (RBAC), Fairfax, Virginia, USA, 1995.

    Google Scholar 

  16. R. Filman and T. Linden, “SafeBots: a Paradigm for Software Security Controls,” presented at New Security Paradigms Workshop, Lake Arrowhead, CA USA, 1996.

    Google Scholar 

  17. T. Riechmann and F. J. Hauck, “Meta Objects for Access Control: A Formal Model for Role-based Principals,” presented at New Security Paradigms Workshop, Charlottesville, VA USA, 1998.

    Google Scholar 

  18. IETF, “RFC 1510, The Kerberos Network Authentication Service, V5,” Internet Engineering Task Force, 1993.

    Google Scholar 

  19. T. Parker and D. Pinkas, “SESAME V4-Overview,” SESAME, December 1995.

    Google Scholar 

  20. OMG, “Resource Access Decision Facility,” OMG, document number: formal/2001-04-01, August 2001, http://www.omg.org/cgi-bin/doc?formal/2001-04-01.

  21. K. Beznosov, Y. Deng, B. Blakley, C. Burt, and J. Barkley, “A Resource Access Decision Service for CORBA-based Distributed Systems,” presented at ACSAC, Phoenix, Arizona, USA, 1999.

    Google Scholar 

  22. HP, “HP Adds Value to DCE Security Framework with Praesidium Authorization Server,” in DCE Application Development Trends Magazine, 1996.

    Google Scholar 

  23. R. Simon and M. E. Zurko, “Adage: An Architecture for Distributed Authorization,” OSF Research Institute, Cambridge 1997, http://www.osf.org/www/adage/adage-arch-draft/adage-arch-draft.ps.

    Google Scholar 

  24. T. Ryutov and C. Neuman, “Generic Authorization and Access control Application Program Interface: C-bindings,” IETF, draft-ietf-cat-gaa-bind-03, March 9 2000.

    Google Scholar 

  25. B. Hartman, D. J. Flinn, and K. Beznosov, Enterprise SecurityWith EJB and CORBA. New York: John Wiley & Sons, Inc., 2001.

    Google Scholar 

  26. Encommerce, “getAccess Design and Administration Guide,” Encommerce, September 20 1999, http://www.encommerce.com.

  27. D. C. Schmidt, “Overview of CORBA,” 2001, http://www.cs.wustl.edu/~schmidt/corbaoverview.html.

  28. D. C. Schmidt and S. Vinoski, “Object Adapters: Concepts and Terminology,” in SIGS C++ Report, vol. 9, 1997.

    Google Scholar 

  29. OMG, “Specification of the Portable Object Adapter (POA),” OMG document # formal/01-09-48, 2001.

    Google Scholar 

  30. U. Lang, D. Gollmann, and R. Schreiner, “Verifiable Identifiers in Middleware Security,” presented at ACSAC, New Orleans, Louisiana, 2001.

    Google Scholar 

  31. OMG, “Security Domain Membership Management Service, Final Submission,” document # orbos/2001-07-20, July 11 2001.

    Google Scholar 

  32. K. Brown, Programming Windows Security, First ed. Upper Saddle River, NJ: Addison-Wesley, 2000.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Quadrasis, Hitachi Computer Products (America), Inc., Waltham, MA

    Konstantin Beznosov

Authors
  1. Konstantin Beznosov
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. DOA Institute, p/a Leeuwlantstraat 83, 2100, Antwerp, Belgium

    Robert Meersman

  2. RMIT University School of Computer Science and IT, GPO Box 2476V, VIC 3001, Melbourne, Australia

    Zahir Tari

Rights and permissions

Reprints and permissions

Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Beznosov, K. (2002). Object Security Attributes: Enabling Application-Specific Access Control in Middleware. In: Meersman, R., Tari, Z. (eds) On the Move to Meaningful Internet Systems 2002: CoopIS, DOA, and ODBASE. OTM 2002. Lecture Notes in Computer Science, vol 2519. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36124-3_47

Download citation

  • DOI: https://doi.org/10.1007/3-540-36124-3_47

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00106-5

  • Online ISBN: 978-3-540-36124-4

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation