research-article

Role-based access control (RBAC) in Java via proxy objects using annotations

Authors:

Mahesh Tripunitara,

Patrick LamAuthors Info & Claims

SACMAT '10: Proceedings of the 15th ACM symposium on Access control models and technologies

Pages 79 - 88

https://doi.org/10.1145/1809842.1809858

Published: 11 June 2010 Publication History

Abstract

We propose a new approach for applying Role-Based Access Control (RBAC) to methods in objects in the Java programming language. In our approach, a policy implementer (usually a developer) annotates methods, interfaces, and classes with roles. Our system automatically creates proxy objects which only contain methods to which a client is authorized access based on the role specifications. Potentially untrusted clients that use Remote Method Invocation (RMI) then receive proxy objects rather than the originals.

We discuss the method annotation process, the semantics of annotations, how we derive proxy objects based on annotations, and how RMI clients invoke methods via proxy objects. We present the advantages to our approach, and distinguish it from existing approaches to method-granularity access control in Java. We demonstrate empirical evidence of the effectiveness of our approach by discussing its application to software projects that range from thousands to hundreds of thousands of lines of code.

References

[1]

Sandhu, R., Coyne, E., Feinstein H., and Youman, C., "Role-Based Access Control Models," Computer, vol. 29, pp. 38--47, Feb 1996.

Digital Library

[2]

Giuri, L., "Role-Based Access Control in Java," Proceedings of the third ACM workshop on Role-based access control, pp. 91--100, 1998.

Digital Library

[3]

Fournet, C. and Gordon, A., "Stack Inspection: Theory and Variants," ACM Transactions on Programming Languages and Systems (TOPLAS), vol. 25, pp. 360--399, May 2003.

Digital Library

[4]

Gosling, J., Joy, B., Steele, G., and Bracha, G., Java Language Specifification, 3rd Edition. Upper Saddle River, NJ, USA: Prentice Hall PTR, 2005.

Digital Library

[5]

Pandey, R. and Hashii, B., "Providing Fine-Grained Access Control for Java Programs," Proceedings of the 13th European Conference on Object-Oriented Programming, vol. LNCS 1628, pp. 449--473, 1999.

Digital Library

[6]

Zarnett, J., Lam, P., and Tripunitara, M., "Method-Specific Java Access Control via Proxy Objects using Annotations (Short Paper)," Proceedings of the 5th International Conference on Information Systems Security, vol. LNCS 5905, pp. 301--309, 2009.

Digital Library

[7]

Richmond, M. and Noble, J., "Reflections on Remote Reflection," Proceedings of the 24th Australasian Conference on Computer Science, vol. 11, pp. 163--170, 2001.

Digital Library

[8]

Hugh, M. and Ryan, M., Logic in Computer Science. Cambridge, UK: Cambridge University Press, 2nd ed., 2004.

Digital Library

[9]

A. V. Gelder, K. A. Ross, and J. S. Schlipf, "The well-founded semantics for general logic programs," Journal of the ACM, vol. 38, pp. 620--650, July 1991.

Digital Library

[10]

Jeff Zarnett, "Method-Specific Access Control in Java via Proxy Objects using Annotations," Master's thesis, University of Waterloo, 2010.

[11]

Ferraiolo, D.F., Kuhn, D.R., and Chandramouli, R., Role-Based Access Control. Norwood, MA, USA: Artech House, 2007.

Digital Library

[12]

Kumar, P., J2EE Security for Servlets, EJBs and Web Services: Applying Theory and Standards to Practice. Upper Saddle River, NJ, USA: Prentice Hall, 2003.

Digital Library

[13]

Li, N., Mitchell, J. C., and Tong, D., "Securing Java RMI-Based Distributed Applications," Proceedings of the 20th Annual Computer Security Applications Conference, pp. 262--271, 2004.

Digital Library

[14]

Wallach, D., Appel, A., and Felten, E., "SAFKASI: A Security Mechanism for Language-based Systems," ACM Transactions on Software Engineering and Methodology (TOSEM), vol. 9, pp. 341--378, 2000.

Digital Library

[15]

Giuri, L., "Role-based access control on the Web using Java," Proceedings of the fourth ACM workshop on Role-based access control, pp. 11--18, 1999.

Digital Library

[16]

Ahn, G-J and Hu, H., "Towards realizing a formal RBAC model in real systems," Proceedings of the 12th ACM Symposium on Access Control Models and Technologies (SACMAT), pp. 215--224, 2007.

Digital Library

[17]

Bryce, C. and Razafimahefa, C., "An Approach to Safe Object Sharing," Proceedings of the 15th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, pp. 367--381, 2000.

Digital Library

[18]

Myers, A. C., Nystrom, N., Zheng, L., and Zdancewic, S., "Jif: Java information flow," July 2001. Software release. http://www.cs.cornell.edu/jif.

Cited By

Hohenstein UZillner SBiesdorf A(2019)Architectural Considerations for a Data Access Marketplace Based upon API ManagementData Management Technologies and Applications10.1007/978-3-030-26636-3_5(91-115)Online publication date: 20-Jul-2019
https://doi.org/10.1007/978-3-030-26636-3_5
Regateiro DPereira ÓAguiar R(2018)Server-Side Database Credentials: A Security Enhancing Approach for Database AccessData Management Technologies and Applications10.1007/978-3-319-94809-6_11(215-236)Online publication date: 30-Jun-2018
https://doi.org/10.1007/978-3-319-94809-6_11
Gorshkova ENovikov BShukla M(2017)A Fine-Grained Access Control Model and ImplementationProceedings of the 18th International Conference on Computer Systems and Technologies10.1145/3134302.3134310(187-194)Online publication date: 23-Jun-2017
https://dl.acm.org/doi/10.1145/3134302.3134310
Show More Cited By

Index Terms

Role-based access control (RBAC) in Java via proxy objects using annotations

Recommendations

PBDM: a flexible delegation model in RBAC
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

Role-based access control (RBAC) is recognized as an efficient access control model for large organizations. Most organizations have some business rules related to access control policy. Delegation of authority is among these rules. RBDM0 and RDM2000 ...
Role-Based access control consistency validation
ISSTA '06: Proceedings of the 2006 international symposium on Software testing and analysis

Modern enterprise systems support Role-Based Access Control (RBAC). Although RBAC allows restricting access to privileged operations, a deployer may actually intend to restrict access to privileged data. This paper presents a theoretical foundation for ...
Practical Role-Based Access Control

This article presents access control from a general and a role-based perspective. The article's focus is role based Access Control from a practical vice a theoretical perspective. The article starts with some access control definitions and two secure ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

SACMAT '10: Proceedings of the 15th ACM symposium on Access control models and technologies

June 2010

212 pages

ISBN:9781450300490

DOI:10.1145/1809842

General Chair:
James Joshi
University of Pittsburgh, USA
,
Program Chair:
Barbara Carminati
University of Insubria, Italy

Copyright © 2010 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 11 June 2010

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SACMAT'10

Sponsor:

SIGSAC

SACMAT'10: 15th ACM Symposium on Access Control Models and Technologies

June 9 - 11, 2010

Pennsylvania, Pittsburgh, USA

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
423
Total Downloads

Downloads (Last 12 months)6
Downloads (Last 6 weeks)0

Reflects downloads up to 12 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Hohenstein UZillner SBiesdorf A(2019)Architectural Considerations for a Data Access Marketplace Based upon API ManagementData Management Technologies and Applications10.1007/978-3-030-26636-3_5(91-115)Online publication date: 20-Jul-2019
https://doi.org/10.1007/978-3-030-26636-3_5
Regateiro DPereira ÓAguiar R(2018)Server-Side Database Credentials: A Security Enhancing Approach for Database AccessData Management Technologies and Applications10.1007/978-3-319-94809-6_11(215-236)Online publication date: 30-Jun-2018
https://doi.org/10.1007/978-3-319-94809-6_11
Gorshkova ENovikov BShukla M(2017)A Fine-Grained Access Control Model and ImplementationProceedings of the 18th International Conference on Computer Systems and Technologies10.1145/3134302.3134310(187-194)Online publication date: 23-Jun-2017
https://dl.acm.org/doi/10.1145/3134302.3134310
Ali AFernández M(2014)Static Enforcement of Role-Based Access ControlElectronic Proceedings in Theoretical Computer Science10.4204/EPTCS.163.4163(36-50)Online publication date: 8-Sep-2014
https://doi.org/10.4204/EPTCS.163.4
Pereira ORegateiro DAguiar R(2014)Role-Based Access control mechanisms2014 IEEE Symposium on Computers and Communications (ISCC)10.1109/ISCC.2014.6912546(1-7)Online publication date: Jun-2014
https://doi.org/10.1109/ISCC.2014.6912546
Elrakaiby YTraon Y(2013)A PEP-PDP Architecture to Monitor and Enforce Security Policies in Java ApplicationsProceedings of the 2013 International Conference on Availability, Reliability and Security10.1109/ARES.2013.49(367-374)Online publication date: 2-Sep-2013
https://dl.acm.org/doi/10.1109/ARES.2013.49
Berhe SDemurjian SGokhale SPavlich-Mariscal JSaripalle R(2011)Leveraging UML for security engineering and enforcement in a collaboration on duty and adaptive workflow model that extends NIST RBACProceedings of the 25th annual IFIP WG 11.3 conference on Data and applications security and privacy10.5555/2029896.2029930(293-300)Online publication date: 11-Jul-2011
https://dl.acm.org/doi/10.5555/2029896.2029930
Fuchs LPernul GSandhu R(2011)Roles in information security - A survey and classification of the research areaComputers and Security10.1016/j.cose.2011.08.00230:8(748-769)Online publication date: 1-Nov-2011
https://dl.acm.org/doi/10.1016/j.cose.2011.08.002
Berhe SDemurjian SGokhale SPavlich-Mariscal JSaripalle R(2011)Leveraging UML for Security Engineering and Enforcement in a Collaboration on Duty and Adaptive Workflow Model That Extends NIST RBACData and Applications Security and Privacy XXV10.1007/978-3-642-22348-8_25(293-300)Online publication date: 2011
https://doi.org/10.1007/978-3-642-22348-8_25

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents