Abstract
Business services are increasingly dependent upon Web applications. Although URL-based access control is one of the most prominent and pervasive security mechanisms in use, failure to restrict URL access is still a major security risk. This paper aims at mitigating this risk by giving a formal semantics for the access control constraints standardized in the J2EE Java Servlet Specification, arguably one of the most common frameworks for web applications. A decision engine and a comparison algorithm for change impact analysis of access control configurations are developed on top of this formal building block.
This work is partially supported by the FP7-ICT-2009.1.4 Project PoSecCo (no. 257129, www.posecco.eu).
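To make the abstract's two building blocks concrete, here is an added example (not code from the paper or its authors) of a small decision engine for `<security-constraint>` semantics as described in the Servlet specification, together with a change-impact comparison of two configurations. The configurations, request sample and principals are constructed for this illustration; the engine models url-pattern matching (exact, path prefix, extension, default) with the servlet-mapping precedence rules, treats a missing `<http-method>` list as "all methods", and combines overlapping constraints so that an empty `<auth-constraint>` precludes access, an absent one opens access to everyone, and otherwise the union of named roles applies. Change impact is computed by enumerating decisions over a finite request sample rather than by the paper's formal comparison algorithm, which this example does not reproduce.

```python
# Added example (not the paper's code): a decision engine for J2EE
# security-constraint semantics plus a change-impact comparison.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>.

    patterns: the <url-pattern>s of its web-resource-collection.
    methods:  the <http-method>s; an empty set means the constraint
              applies to every method.
    roles:    None  -> no <auth-constraint> (unchecked, open to all)
              empty -> empty <auth-constraint> (excluded, denied to all)
              "*"   -> any authenticated role
    """
    patterns: FrozenSet[str]
    methods: FrozenSet[str] = frozenset()
    roles: Optional[FrozenSet[str]] = None


def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: default, path prefix, extension, exact."""
    if pattern in ("/", ""):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])  # "*.jsp" -> ".jsp"
    return pattern == path


def pattern_rank(pattern: str) -> Tuple[int, int]:
    """Specificity per the servlet mapping rules:
    exact > longest path prefix > extension > default."""
    if pattern in ("/", ""):
        return (0, 0)
    if pattern.startswith("*."):
        return (1, 0)
    if pattern.endswith("/*"):
        return (2, len(pattern))
    return (3, len(pattern))


def best_pattern(config: Iterable[Constraint], path: str) -> Optional[str]:
    candidates = {p for c in config for p in c.patterns if pattern_matches(p, path)}
    return max(candidates, key=pattern_rank) if candidates else None


def decide(config: List[Constraint], path: str, method: str,
           principal_roles: FrozenSet[str]) -> str:
    """Return 'PERMIT' or 'DENY' for one request by one principal."""
    pattern = best_pattern(config, path)
    if pattern is None:
        return "PERMIT"  # resource carries no constraint at all
    applicable = [c for c in config
                  if pattern in c.patterns and (not c.methods or method in c.methods)]
    if not applicable:
        # The best-matching pattern is constrained, but not for this method:
        # under the spec the method is left unconstrained.
        return "PERMIT"
    if any(c.roles is not None and not c.roles for c in applicable):
        return "DENY"    # an excluding constraint overrides everything else
    if any(c.roles is None for c in applicable):
        return "PERMIT"  # an unchecked constraint opens the resource
    allowed = frozenset().union(*(c.roles for c in applicable))
    if "*" in allowed and principal_roles:
        return "PERMIT"
    return "PERMIT" if allowed & principal_roles else "DENY"


def change_impact(old: List[Constraint], new: List[Constraint],
                  requests: List[Tuple[str, str]],
                  principals: Dict[str, FrozenSet[str]]) -> List[Tuple[str, str, str, str, str]]:
    """List every (path, method, principal, old decision, new decision)
    whose decision differs between the two configurations."""
    diffs = []
    for path, method in requests:
        for name, roles in principals.items():
            before, after = decide(old, path, method, roles), decide(new, path, method, roles)
            if before != after:
                diffs.append((path, method, name, before, after))
    return diffs


# Constructed sample: an admin area protected only for GET/POST, then
# reconfigured to cover all methods but also to admit a second role.
OLD = [Constraint(frozenset({"/admin/*"}), frozenset({"GET", "POST"}), frozenset({"admin"}))]
NEW = [Constraint(frozenset({"/admin/*"}), frozenset(), frozenset({"admin", "operator"}))]
PRINCIPALS = {"anonymous": frozenset(), "alice": frozenset({"operator"}), "root": frozenset({"admin"})}
REQUESTS = [("/admin/users", "GET"), ("/admin/users", "PUT"), ("/index.jsp", "GET")]

if __name__ == "__main__":
    for diff in change_impact(OLD, NEW, REQUESTS, PRINCIPALS):
        print(diff)
```

Run stand-alone, the comparison reports two changed decisions: `alice` gains access to `/admin/users` over GET, and the anonymous `PUT` that the old configuration left unconstrained (because the constraint named only GET and POST) is now denied. Both are exactly the kind of impact a reviewer wants surfaced before a configuration change ships.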
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Casalino, M.M., Thion, R., Hacid, MS. (2012). Access Control Configuration for J2EE Web Applications: A Formal Perspective. In: Fischer-Hübner, S., Katsikas, S., Quirchmayr, G. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2012. Lecture Notes in Computer Science, vol 7449. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32287-7_3
DOI: https://doi.org/10.1007/978-3-642-32287-7_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32286-0
Online ISBN: 978-3-642-32287-7
eBook Packages: Computer Science (R0)