Abstract
Model-View-Controller (MVC) architecture is commonly used in the implementation of web applications. These systems often incorporate security policies to ensure their reliability. Role-based access control (RBAC) is one of the effective solutions for reducing resource access violations in a system. This paper introduces an approach to checking the compliance of a web application built on the MVC architecture with its RBAC specification. By investigating the system architecture and analysing the source code, our approach extracts a list of resource access permissions, constructs a resource exploitation graph, and organizes an access control matrix according to the roles of the web application. The approach aims at checking two violation cases in web applications: (i) the presence of unspecified access rules and (ii) the absence of specified access rules. We illustrate the proposed approach with a case study of a web-based medical records management system.
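The two checks named in the abstract can be illustrated with a small worked example. The code below is an added illustration, not the paper's tool: it assumes (these are modelling assumptions, not taken from the page) that the controller actions recovered from source code are given as a map from action to (resource, operation, guard roles), that an unguarded action is callable by every role and by unauthenticated users, and that the resource exploitation graph is a set of edges between actions (internal forwards or redirects) that are not re-checked by a guard, so a role that can enter an action effectively reaches every action downstream of it. The sample application, roles and specification are constructed for the example.

```python
"""Compliance check of an MVC application's effective access rules against
its RBAC specification (added example, not the paper's own code).

Assumptions (not from the page): controllers are modelled as
action -> (resource, operation, guard roles or None for unguarded), and the
resource exploitation graph as action -> [action] edges for internal
forwards/redirects that bypass the target's guard.
"""
from collections import deque

ANONYMOUS = "anonymous"  # pseudo-role for unauthenticated callers (assumption)

# --- constructed sample: a toy medical-records application ------------------
# RBAC specification: role -> set of (resource, operation) the role may use.
SPEC = {
    "doctor":  {("record", "read"), ("record", "write"),
                ("prescription", "write"), ("audit", "write")},
    "nurse":   {("record", "read")},
    "patient": {("record", "read"), ("prescription", "read")},  # no action implements this
    "admin":   {("audit", "write")},
}

# Access permissions extracted from the controllers (hypothetical names).
ACTIONS = {
    "RecordController.show":         ("record", "read", {"doctor", "nurse", "patient"}),
    "RecordController.update":       ("record", "write", {"doctor"}),
    "PrescriptionController.create": ("prescription", "write", {"doctor", "nurse"}),
    "ExportController.download":     ("record", "export", None),  # unguarded
    "AuditController.log":           ("audit", "write", {"admin"}),
}

# Resource exploitation graph: show forwards to the audit logger internally.
GRAPH = {
    "RecordController.show": ["AuditController.log"],
}


def entry_roles(guard, roles):
    """Roles that may invoke an action directly."""
    return set(roles) | {ANONYMOUS} if guard is None else set(guard)


def reachable_actions(start, graph):
    """BFS over the resource exploitation graph from a set of entry actions."""
    seen, queue = set(start), deque(start)
    while queue:
        action = queue.popleft()
        for nxt in graph.get(action, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_matrix(actions, graph, roles):
    """Access control matrix actually enforced by the code: role -> {(resource, op)}."""
    matrix = {}
    for role in set(roles) | {ANONYMOUS}:
        entries = {a for a, (_, _, guard) in actions.items()
                   if role in entry_roles(guard, roles)}
        reached = reachable_actions(entries, graph)
        matrix[role] = {(actions[a][0], actions[a][1]) for a in reached}
    return matrix


def check_compliance(spec, actions, graph):
    """Return (unspecified, absent):
    unspecified[role] = rules the code grants that the spec does not (case i);
    absent[role]      = rules the spec grants that the code never implements (case ii).
    Only roles with at least one violation are reported."""
    eff = effective_matrix(actions, graph, set(spec))
    unspecified = {r: eff[r] - spec.get(r, set()) for r in eff}
    absent = {r: spec[r] - eff.get(r, set()) for r in spec}
    return ({r: p for r, p in unspecified.items() if p},
            {r: p for r, p in absent.items() if p})


if __name__ == "__main__":
    unspec, missing = check_compliance(SPEC, ACTIONS, GRAPH)
    print("(i) unspecified access rules present in the code:")
    for role, perms in sorted(unspec.items()):
        print(f"  {role}: {sorted(perms)}")
    print("(ii) specified access rules absent from the code:")
    for role, perms in sorted(missing.items()):
        print(f"  {role}: {sorted(perms)}")
```

On this sample the first check flags three distinct causes: a guard that is wider than the specification (nurse on prescription creation), an unguarded export action that every role including unauthenticated users can reach, and a forward from the record viewer into the audit logger that lets every viewer role write audit entries the specification reserves for admin. The second check reports the patient's prescription-read rule, which no controller action implements.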
Acknowledgments
This work has been supported by VNU University of Engineering and Technology under Project QG.16.32.
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Luong, T.N., Vo, D.H., To, V.K., Truong, N.T. (2019). On the Compliance of Access Control Policies in Web Applications. In: Cong Vinh, P., Alagar, V. (eds) Context-Aware Systems and Applications, and Nature of Computation and Communication. ICCASA/ICTCC 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 266. Springer, Cham. https://doi.org/10.1007/978-3-030-06152-4_6
DOI: https://doi.org/10.1007/978-3-030-06152-4_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-06151-7
Online ISBN: 978-3-030-06152-4