Abstract
This paper makes two primary contributions toward establishing support for application-specific factors in middleware security mechanisms. First, it develops a simple classification framework for reasoning about the architecture of the security mechanisms in distributed applications that follow the decision-enforcement paradigm of the reference monitor. It uses the framework to demonstrate that the existing solutions lack satisfying tradeoffs for a wide range of those applications that require application-specific factors to be used in security decisions while mediating access requests. Second, by introducing attribute function in addition to decision and enforcement functions, it proposes a novel scheme for clean separation among suppliers of middleware security, security decision logic, and application-logic, while supporting application-specific protection policies. To illustrate the scheme on a concrete example, we describe its mapping into CORBA Security.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
OSI, “Information Technology — Open Systems Interconnection — Security frameworks in open systems — Part 3: Access control,” ISO/IEC JTC1 10181-3, 1994.
G. Karjoth, “The Authorization Service of Tivoli Policy Director,” presented at Annual Computer Security Applications Conference (ACSAC), New Orleans, Louisiana, 2001.
Netegrity, “SiteMinder Concepts Guide,” Netegrity, Waltham, MA 2000.
Entegrity, “Entegrity AssureAccess™-Technical Overview,” Entegrity Solutions, September 2000.
Securant, “Unified Access Management: A Model For Integrated Web Security,” Securant Technologies, June 25 1999, http://www.cleartrust.com.
P. A. Bonatti, E. Damiani, S. D. C. d. Vimercati, and P. Samarati, “A Component-based Architecture for Secure Data Publication,” presented at ACSAC, New Orleans, Louisiana, 2001.
OMG, “CORBAservices: Common Object Services Specification, Security Service Specification v1.7,” document formal/01-03-08 2001, http://www.omg.org/cgi-bin/doc?formal/01-03-08.
C. Lai, L. Gong, L. Koved, A. Nadalin, and R. Schemers, “User Authentication And Authorization In The Java Platform,” presented at ACSAC, Phoenix, Arizona, USA, 1999, http://java.sun.com/security/jaas/doc/acsac.html.
Sun, “Java Authentication and Authorization Service (JAAS),” Sun Microsystems, 2001.
T. Ryutov and C. Neuman, “Access Control Framework for Distributed Applications (Work in Progress),” IETF, Internet Draft draft-ietf-cat-acc-cntrl-frmw-03, March 9 2000.
T. Ryutov and C. Neuman, “Representation and Evaluation of Security Policies for Distributed System Services,” presented at DARPA Information Servability Conference Exposition, Healton Head, South Carolina, 2000.
XACML-TC, “OASIS eXtensible Access Control Markup Language (XACML), Committee Draft,” OASIS May 9 2002, http://www.oasis-open.org/committees/xacml/docs/.
M. Kudo and S. Hada, “XML Document Security Based on Provisional Authorization,” presented at ACM Conference on Computer and Communications Security, Athenes, Greece, 2000.
B. Hailpern and H. Ossher, “Extending Objects to Support Multiple Interfaces and Access Control,” IEEE Transactions on Software Engineering, vol. 16, pp. 1247–1257, 1990.
J. Barkley, “Implementing Role-based Access Control Using Object Technology,” presented at The First ACM Workshop on Role-Based Access Control (RBAC), Fairfax, Virginia, USA, 1995.
R. Filman and T. Linden, “SafeBots: a Paradigm for Software Security Controls,” presented at New Security Paradigms Workshop, Lake Arrowhead, CA USA, 1996.
T. Riechmann and F. J. Hauck, “Meta Objects for Access Control: A Formal Model for Role-based Principals,” presented at New Security Paradigms Workshop, Charlottesville, VA USA, 1998.
IETF, “RFC 1510, The Kerberos Network Authentication Service, V5,” Internet Engineering Task Force, 1993.
T. Parker and D. Pinkas, “SESAME V4-Overview,” SESAME, December 1995.
OMG, “Resource Access Decision Facility,” OMG, document number: formal/2001-04-01, August 2001, http://www.omg.org/cgi-bin/doc?formal/2001-04-01.
K. Beznosov, Y. Deng, B. Blakley, C. Burt, and J. Barkley, “A Resource Access Decision Service for CORBA-based Distributed Systems,” presented at ACSAC, Phoenix, Arizona, USA, 1999.
HP, “HP Adds Value to DCE Security Framework with Praesidium Authorization Server,” in DCE Application Development Trends Magazine, 1996.
R. Simon and M. E. Zurko, “Adage: An Architecture for Distributed Authorization,” OSF Research Institute, Cambridge 1997, http://www.osf.org/www/adage/adage-arch-draft/adage-arch-draft.ps.
T. Ryutov and C. Neuman, “Generic Authorization and Access control Application Program Interface: C-bindings,” IETF, draft-ietf-cat-gaa-bind-03, March 9 2000.
B. Hartman, D. J. Flinn, and K. Beznosov, Enterprise SecurityWith EJB and CORBA. New York: John Wiley & Sons, Inc., 2001.
Encommerce, “getAccess Design and Administration Guide,” Encommerce, September 20 1999, http://www.encommerce.com.
D. C. Schmidt, “Overview of CORBA,” 2001, http://www.cs.wustl.edu/~schmidt/corbaoverview.html.
D. C. Schmidt and S. Vinoski, “Object Adapters: Concepts and Terminology,” in SIGS C++ Report, vol. 9, 1997.
OMG, “Specification of the Portable Object Adapter (POA),” OMG document # formal/01-09-48, 2001.
U. Lang, D. Gollmann, and R. Schreiner, “Verifiable Identifiers in Middleware Security,” presented at ACSAC, New Orleans, Louisiana, 2001.
OMG, “Security Domain Membership Management Service, Final Submission,” document # orbos/2001-07-20, July 11 2001.
K. Brown, Programming Windows Security, First ed. Upper Saddle River, NJ: Addison-Wesley, 2000.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2002 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Beznosov, K. (2002). Object Security Attributes: Enabling Application-Specific Access Control in Middleware. In: Meersman, R., Tari, Z. (eds) On the Move to Meaningful Internet Systems 2002: CoopIS, DOA, and ODBASE. OTM 2002. Lecture Notes in Computer Science, vol 2519. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36124-3_47
Download citation
DOI: https://doi.org/10.1007/3-540-36124-3_47
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00106-5
Online ISBN: 978-3-540-36124-4
eBook Packages: Springer Book Archive