
Validating Access Control Configurations in J2EE Applications

  • Conference paper
Component-Based Software Engineering (CBSE 2008)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 5282)

Abstract

Access control is a means to achieve information security. When we build large-scale systems based on commercial component middleware platforms, such as those compliant with J2EE, a usual way to enforce access control is to define Access Control Configurations (ACCs) for components in a declarative manner. These ACCs can be enforced by the J2EE security service to grant or deny access requests to components. However, it is difficult for developers to define correct ACCs according to complex and sometimes ambiguous real-world access control requirements. Faults in the ACCs of large-scale J2EE applications may inevitably occur for various reasons, for example ad hoc mistakes by the developers. This paper identifies three kinds of faults specific to the ACCs of J2EE applications (incompleteness, inconsistency, and redundancy), presents validation algorithms for identifying these faults according to access control requirements, and illustrates these faults and the validation algorithms with an online bank application.

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sun, L., Huang, G., Mei, H. (2008). Validating Access Control Configurations in J2EE Applications. In: Chaudron, M.R.V., Szyperski, C., Reussner, R. (eds) Component-Based Software Engineering. CBSE 2008. Lecture Notes in Computer Science, vol 5282. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87891-9_5

  • DOI: https://doi.org/10.1007/978-3-540-87891-9_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87890-2

  • Online ISBN: 978-3-540-87891-9

  • eBook Packages: Computer Science, Computer Science (R0)
