Skip to main content
SpringerLink
Log in

An XML-Based Policy Model for Access Control in Web Applications

  • Conference paper
Database and Expert Systems Applications (DEXA 2013)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 8056))

Included in the following conference series:

Abstract

Organizational Information Systems (IS) collect, store, and manage personal and business data. Due to regulation laws and to protect the privacy of users, clients, and business partners, these data must be kept private. This paper proposes a model and a mechanism that allows defining access control policies based on the user profile, the time period, the mode and the location from where data can be accessed. The proposed policy model is simple enough to be used by a business manager, yet it has the flexibility to define complex restrictions. At runtime, a protection layer monitors data accesses and enforces existing policies. A prototype tool was implemented to run an experimental evaluation, which showed that the tool is able to enforce access control with minimal performance impact, while assuring scalability both in terms of the number of users and the number of policies.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Bertino, E., Lin, D., Jiang, W.: A Survey of Quantification of Privacy Preserving Data Mining Algorithms. In: Aggarwal, C.C., Yu, P.S., Elmagarmid, A.K. (eds.) Privacy-Preserving Data Mining, vol. 34, pp. 183–205. Springer, US (2008)

    Chapter  Google Scholar 

  2. Internet Engineering Task Force (IETF), http://www.ietf.org/ (accessed: September 07, 2012)

  3. Bertino, E., Ghinita, G., Kamra, A.: Access Control for Databases: Concepts and Systems. Now Publishers Inc. (2011)

    Google Scholar 

  4. Sandhu, R.S.: Role-based Access Control. In: Advances in Computers, vol. 46, pp. 237–286. Elsevier (1998)

    Google Scholar 

  5. Ni, Q., Bertino, E., Lobo, J., Calo, S.B.: Privacy-Aware Role-Based Access Control. IEEE Security Privacy 7(4), 35–43 (2009)

    Article  Google Scholar 

  6. OASIS eXtensible Access Control Markup Language (XACML) TC | OASIS, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml (accessed: September 07, 2012)

  7. Masi, M., Pugliese, R., Tiezzi, F.: Formalisation and Implementation of the XACML Access Control Mechanism. In: Barthe, G., Livshits, B., Scandariato, R. (eds.) ESSoS 2012. LNCS, vol. 7159, pp. 60–74. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  8. Bernard Stepien, S.M.: Advantages of a non-technical XACML notation in role-based models, pp. 193–200 (2011)

    Google Scholar 

  9. Samarati, P., de, S., di Vimercati, C.: Access Control: Policies, Models, and Mechanisms. In: Foundations of Security Analysis and Design (Tutorial Lectures), pp. 137–196 (2001)

    Google Scholar 

  10. Bernard Stepien, S.M.: Advantages of a non-technical XACML notation in role-based models, pp. 193–200 (2011)

    Google Scholar 

  11. Turkmen, F., Crispo, B.: Performance evaluation of XACML PDP implementations. In: Proceedings of the 2008 ACM Workshop on Secure Web Services, New York, NY, USA, pp. 37–44 (2008)

    Google Scholar 

  12. Michael Butler, J.: Extending Role Based Access Control - A SANS Whitepaper, http://www.sans.org/reading_room/analysts_program/access-control-foxt.pdf (accessed: February15, 2013)

  13. P3P: The Platform for Privacy Preferences, http://www.w3.org/P3P/ (accessed: September 04, 2012)

  14. Byun, J.-W., Li, N.: Purpose based access control for privacy protection in relational database systems. The VLDB Journal 17(4), 603–619 (2008)

    Article  Google Scholar 

  15. Agrawal, R., Bird, P., Grandison, T., Kiernan, J., Logan, S., Rjaibi, W.: Extending Relational Database Systems to Automatically Enforce Privacy Policies. In: Proceedings of the 21st International Conference on Data Engineering, Washington, DC, USA, pp. 1013–1022 (2005)

    Google Scholar 

  16. Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Hippocratic databases. In: 28th Int’l Conference on Very Large Databases, Hong Kong (2002)

    Google Scholar 

  17. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)

    Article  Google Scholar 

  18. Arora, S., Song, E., Kim, Y.: Modified hierarchical privacy-aware role based access control model. In: Proceedings of the 2012 ACM Research in Applied Computation Symposium, New York, NY, USA, pp. 344–347 (2012)

    Google Scholar 

  19. Ni, Q., Bertino, E.: Conditional Privacy-Aware Role Based Access Control. Springer, Heidelberg (2007)

    Google Scholar 

  20. Beznosov, K.: Requirements for access control: US Healthcare domain. In: Proceedings of the Third ACM workshop on Role-based access control, New York, NY, USA (1998)

    Google Scholar 

  21. Bertino, E., Carminati, B., Ferrari, E.: Access control for XML documents and data. Inf. Secur. Tech. Rep., vol. 9, no 3, pp. 19–34 (July 2004)

    Google Scholar 

  22. Lu, Y., Zhang, L., Sun, J.: Task-activity based access control for process collaboration environments. Comput. Ind. 60(6), 403–415 (2009)

    Article  Google Scholar 

  23. Tolone, W., Ahn, G.-J., Pai, T., Hong, S.-P.: Access control in collaborative systems. ACM Comput. Surv. 37(1), 29–41 (2005)

    Article  Google Scholar 

  24. De Capitani di Vimercati, S., Samarati, P., Jajodia, S.: Policies, models, and languages for access control. In: Databases in Networked Information Systems, pp. 225–237 (2005)

    Google Scholar 

  25. Regina Lúcia de Oliveira Moraes, http://www.ft.unicamp.br/~regina/Gerais/Request-database-administrator-detailed.pdf (Accessed: April 9, 2013)

  26. Sybase XML Modeling PowerDesigner® 15.3, http://wwwdownload.sybase.com/pdfdocs/pdd1100e/xmug.pdf (accessed: April 09, 2013])

  27. Zhu, H., Lü, K.: Fine-grained access control for database management systems. In: Proceedings of the 24th British National Conference on Databases, Berlin, Heidelberg, pp. 215–223 (2007)

    Google Scholar 

  28. ROLE-BASED ACCESS CONTROL A Position Statement, http://profsandhu.com/misc_pubs/nist/n94rbac.pdf (accessed: January 29, 2013)

  29. Miseldine, P.L.: Automated XACML Policy Reconfiguration for Evaluation Otimisation. In: Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems (SESS 2008), pp. 1–8. ACM, New York (2008)

    Google Scholar 

  30. TPC-W, http://www.tpc.org/tpcw/ (accessed: January 08, 2013)

  31. Oracle | Hardware and Software, Engineered to Work Together, http://www.oracle.com/index.html (accessed: January 29, 2013)

  32. Apache JMeter - Apache JMeterTM, http://jmeter.apache.org/ (accessed: January 09, 2013)

Download references

Author information

Authors and Affiliations

  1. State University of Campinas (UNICAMP), Campinas, Brazil

    Tania Basso & Regina Moraes

  2. University of Coimbra (UC), Coimbra, Portugal

    Nuno Antunes & Marco Vieira

Authors
  1. Tania Basso
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nuno Antunes
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Regina Moraes
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Marco Vieira
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Instituto Tecnológico de Informática, Valencia, Spain

    Hendrik Decker

  2. Faculty of Electrical Engineering, Department of Cybernetics, Czech Technical University in Prague, 166 27, Prague 6, Czech Republic

    Lenka Lhotská

  3. Department of Computer Science, The University of Auckland, 1010, Auckland, New Zealand

    Sebastian Link

  4. Department of Information Technologies, University of Economics, Winston Churchill Square 4, 130 67, Prague 3, Czech Republic

    Josef Basl

  5. Institute of Software Technology, Vienna University of Technology, Favoritenstraße 9-11 / 188, 1040, Vienna, Austria

    A Min Tjoa

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Basso, T., Antunes, N., Moraes, R., Vieira, M. (2013). An XML-Based Policy Model for Access Control in Web Applications. In: Decker, H., Lhotská, L., Link, S., Basl, J., Tjoa, A.M. (eds) Database and Expert Systems Applications. DEXA 2013. Lecture Notes in Computer Science, vol 8056. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40173-2_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-40173-2_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40172-5

  • Online ISBN: 978-3-642-40173-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation