Research Article
On the Compliance of Access Control Policies in Web Applications
@INPROCEEDINGS{10.1007/978-3-030-06152-4_6, author={Thanh-Nhan Luong and Dinh-Hieu Vo and Van-Khanh To and Ninh-Thuan Truong}, title={On the Compliance of Access Control Policies in Web Applications}, proceedings={Context-Aware Systems and Applications, and Nature of Computation and Communication. 7th EAI International Conference, ICCASA 2018, and 4th EAI International Conference, ICTCC 2018, Viet Tri City, Vietnam, November 22--23, 2018, Proceedings}, proceedings_a={ICCASA \& ICTCC}, year={2019}, month={1}, keywords={Compliance Access control policy RBAC Web applications}, doi={10.1007/978-3-030-06152-4_6} }
- Thanh-Nhan Luong
- Dinh-Hieu Vo
- Van-Khanh To
- Ninh-Thuan Truong
Year: 2019
On the Compliance of Access Control Policies in Web Applications
ICCASA & ICTCC
Springer
DOI: 10.1007/978-3-030-06152-4_6
Abstract
The Model-View-Controller (MVC) architecture is commonly used in the implementation of web applications. These systems often incorporate security policies to ensure their reliability. Role-based access control (RBAC) is one of the effective solutions for reducing resource access violations in a system. This paper introduces an approach to check the compliance of a web application built on the MVC architecture with its RBAC specification. By investigating the system architecture and analyzing the source code, our approach extracts a list of resource access permissions, constructs a resource exploitation graph, and organizes an access control matrix according to the roles of the web application. The approach aims at checking two violation cases in web applications: (i) the presence of unspecified access rules and (ii) the absence of specified access rules. We illustrate the proposed approach with a case study of a web-based medical records management system.
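The two violation cases named in the abstract, as an added example that is not the paper's own code: the RBAC specification and the result of the source-code analysis (per-controller resource, operation and role guard) are constructed inputs for a hypothetical medical-records app, and the functions derive the resource exploitation graph and the role-organized access control matrix before comparing the matrix with the specification.

```python
from collections import defaultdict

# Constructed RBAC specification: role -> {(resource, operation)} the policy permits.
RBAC_SPEC = {
    "doctor":  {("record", "read"), ("record", "write"),
                ("prescription", "read"), ("prescription", "write")},
    "nurse":   {("record", "read")},
    "patient": {("record", "read")},
}

# Constructed output of source-code analysis (hypothetical controllers): the
# resource each action exploits, the operation, and the roles its guard admits.
# roles=None models an action with no role guard at all, i.e. reachable by every role.
EXTRACTED_ACTIONS = [
    {"controller": "RecordController.show",   "resource": "record",
     "op": "read",  "roles": {"doctor", "nurse", "patient"}},
    {"controller": "RecordController.update", "resource": "record",
     "op": "write", "roles": {"doctor", "nurse"}},
    {"controller": "RxController.create",     "resource": "prescription",
     "op": "write", "roles": None},
]

def exploitation_graph(actions):
    """Resource exploitation graph: controller action -> resources it touches."""
    graph = defaultdict(set)
    for a in actions:
        graph[a["controller"]].add(a["resource"])
    return dict(graph)

def access_matrix(actions, all_roles):
    """Access control matrix organized by role: role -> {(resource, op)} the code grants."""
    matrix = {r: set() for r in all_roles}
    for a in actions:
        reachable = all_roles if a["roles"] is None else a["roles"]
        for role in reachable:
            matrix.setdefault(role, set()).add((a["resource"], a["op"]))
    return matrix

def check_compliance(spec, actions):
    """Return (unspecified_present, specified_absent), each a set of (role, resource, op)."""
    implemented = access_matrix(actions, set(spec))
    unspecified = {(r, res, op) for r, perms in implemented.items()
                   for (res, op) in perms - spec.get(r, set())}   # case (i)
    absent = {(r, res, op) for r, perms in spec.items()
              for (res, op) in perms - implemented.get(r, set())}  # case (ii)
    return unspecified, absent

if __name__ == "__main__":
    present, missing = check_compliance(RBAC_SPEC, EXTRACTED_ACTIONS)
    for v in sorted(present):
        print("unspecified rule present in code:", v)
    for v in sorted(missing):
        print("specified rule absent from code:", v)
```

The unguarded `RxController.create` shows up as two unspecified rules (nurse and patient writing prescriptions), and the specified doctor read of prescriptions with no implementing controller shows up as an absent rule.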