
A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applications

  • Conference paper
Information Security Practice and Experience (ISPEC 2005)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3439)

Abstract

Access control is a system-wide concern with both a generic nature and an application-dependent characteristic. It is generic because many functions must be protected with restricted access, yet the rule that grants a request depends heavily on the application state. Hence it is common to see the code implementing access control scattered over the system and tangled with the functional code, which makes the system difficult to maintain. This paper addresses this issue for Web applications by presenting a practical access control framework based on aspect-oriented programming (AOP). Our approach accommodates a wide range of access control requirements of differing granularity. AOP supports a modular implementation of access control while still enabling that code to get hold of the application state. Moreover, framework technology offers a balanced view between reuse and customization. As a result, our framework is able to enforce fine-grained access control for Web applications in a highly adaptable manner.
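Added example (written for this page; it is not the paper's own framework, whose implementation is not shown here): a Python emulation of the mechanism the abstract describes. The business methods of a `MedicalRecord` class contain no permission checks. A separate aspect module declares pointcuts, patterns over `Class.method` names, and before-advice that evaluates rules against the application state available at the join point: the acting user, the target object and the call arguments. That is what lets one policy module express both role-level rules and instance-level rules such as "only the attending physician may append a note". Methods that no pointcut matches fail closed. All class, rule and user names are constructed for the example, and it assumes every guarded method takes the acting user as its first parameter; weaving is done at import time by replacing class attributes, a stand-in for the compile- or load-time weaving an AOP language would provide.

```python
# Added example: a Python emulation of the AOP approach, not the paper's own framework.
# Assumption: every guarded business method takes the acting user as its first argument.
import fnmatch
from dataclasses import dataclass, field
from functools import wraps

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

@dataclass
class MedicalRecord:  # functional code only: no permission checks in here
    patient: str
    attending: str
    notes: list = field(default_factory=list)

    def read(self, user):
        return list(self.notes)

    def append_note(self, user, text):
        self.notes.append(text)
        return len(self.notes)

    def reassign(self, user, new_attending):
        self.attending = new_attending
        return self.attending

    def summary(self, user):
        return f"{self.patient}: {len(self.notes)} notes"

class AccessDenied(PermissionError):
    pass

# ---- the access-control aspect: rules see the application state at the join point ----
def is_attending(user, record, *args):
    """Instance-level rule: the user is this record's attending physician."""
    return record.attending == user.name

def is_patient(user, record, *args):
    return record.patient == user.name

def has_role(role):
    """Role-level rule, independent of the target instance."""
    return lambda user, record, *args: role in user.roles

# Pointcuts: pattern over "Class.method" -> rules; any satisfied rule grants the call.
POINTCUTS = [
    ("MedicalRecord.read", [is_attending, is_patient, has_role("auditor")]),
    ("MedicalRecord.append_note", [is_attending]),
    ("MedicalRecord.reassign", [has_role("admin")]),
]

def advice(rules, qualified):
    """Before-advice: evaluate the rules against (user, target, args), then run the method."""
    def wrap(method):
        @wraps(method)
        def guarded(self, user, *args, **kwargs):
            if not any(rule(user, self, *args) for rule in rules):
                raise AccessDenied(f"{user.name} may not call {qualified}")
            return method(self, user, *args, **kwargs)
        return guarded
    return wrap

def weave(cls, pointcuts, default_rules=()):
    """Wrap each public method with the advice its pointcuts select; unmatched methods get default_rules (empty: fail closed)."""
    for name, attr in list(vars(cls).items()):
        if name.startswith("_") or not callable(attr):
            continue
        qualified = f"{cls.__name__}.{name}"
        rules = [rule for pattern, group in pointcuts
                 if fnmatch.fnmatchcase(qualified, pattern) for rule in group]
        setattr(cls, name, advice(rules or list(default_rules), qualified)(attr))
    return cls

weave(MedicalRecord, POINTCUTS)

def demo():
    """Constructed users and record; maps each call to its result or 'denied'."""
    rec = MedicalRecord(patient="alice", attending="dr_bob")
    dr_bob = User("dr_bob", frozenset({"doctor"}))
    dr_eve = User("dr_eve", frozenset({"doctor"}))
    alice = User("alice", frozenset({"patient"}))
    admin = User("root", frozenset({"admin"}))

    def attempt(call):
        try:
            return call()
        except AccessDenied:
            return "denied"

    return {  # evaluated in order, so later calls see state changed by earlier ones
        "attending_appends": attempt(lambda: rec.append_note(dr_bob, "BP normal")),
        "patient_reads_own": attempt(lambda: rec.read(alice)),
        "other_doctor_reads": attempt(lambda: rec.read(dr_eve)),  # the doctor role alone is not enough
        "admin_reassigns": attempt(lambda: rec.reassign(admin, "dr_eve")),
        "new_attending_reads": attempt(lambda: rec.read(dr_eve)),  # state changed, so did the decision
        "unmatched_method": attempt(lambda: rec.summary(admin)),  # no pointcut matched: fail closed
    }
```

Running `demo()` shows the instance-level distinction the abstract is after: `dr_eve` holds the doctor role but is denied until the admin reassigns the record to her, after which the same rule grants her call with no change to the policy. The `summary` method, which no pointcut names, is denied even to the admin; that fail-closed default is the check worth keeping when a new business method is added without a matching pointcut, since an allow-by-default weaver would leave it silently unprotected.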

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

Cite this paper

Chen, K., Huang, CM. (2005). A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applications. In: Deng, R.H., Bao, F., Pang, H., Zhou, J. (eds) Information Security Practice and Experience. ISPEC 2005. Lecture Notes in Computer Science, vol 3439. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-31979-5_14

  • DOI: https://doi.org/10.1007/978-3-540-31979-5_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-25584-0

  • Online ISBN: 978-3-540-31979-5

  • eBook Packages: Computer Science (R0)
