Context-Aware Systems and Applications, and Nature of Computation and Communication. 7th EAI International Conference, ICCASA 2018, and 4th EAI International Conference, ICTCC 2018, Viet Tri City, Vietnam, November 22–23, 2018, Proceedings

Research Article

On the Compliance of Access Control Policies in Web Applications

@INPROCEEDINGS{10.1007/978-3-030-06152-4_6,
    author={Thanh-Nhan Luong and Dinh-Hieu Vo and Van-Khanh To and Ninh-Thuan Truong},
    title={On the Compliance of Access Control Policies in Web Applications},
    proceedings={Context-Aware Systems and Applications, and Nature of Computation and Communication. 7th EAI International Conference, ICCASA 2018, and 4th EAI International Conference, ICTCC 2018, Viet Tri City, Vietnam, November 22--23, 2018, Proceedings},
    proceedings_a={ICCASA \& ICTCC},
    year={2019},
    month={1},
    keywords={Compliance Access control policy RBAC Web applications},
    doi={10.1007/978-3-030-06152-4_6}
}

Thanh-Nhan Luong, Dinh-Hieu Vo, Van-Khanh To, Ninh-Thuan Truong. On the Compliance of Access Control Policies in Web Applications. ICCASA & ICTCC, Springer, 2019. DOI: 10.1007/978-3-030-06152-4_6
Thanh-Nhan Luong*, Dinh-Hieu Vo1,*, Van-Khanh To1,*, Ninh-Thuan Truong1,*
1: VNU University of Engineering and Technology
*Contact email: ltnhan@hpmu.edu.vn, hieuvd@vnu.edu.vn, khanhtv@vnu.edu.vn, thuantn@vnu.edu.vn

Abstract

Model-View-Controller (MVC) architecture is commonly used in the implementation of web applications. These systems often incorporate security policies to ensure their reliability. Role-based access control (RBAC) is one of the effective solutions for reducing resource access violations in a system. This paper introduces an approach to check the compliance of a web application built on the MVC architecture with its RBAC specification. By investigating the system architecture and analysing the source code, our approach extracts a list of resource access permissions, constructs a resource exploitation graph, and organizes an access control matrix according to the roles of the web application. The approach aims at checking two violation cases in web applications: (i) the presence of unspecified access rules and (ii) the absence of specified access rules. We illustrate the proposed approach with a case study of a web-based medical records management system.
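The three steps the abstract describes (extract permissions from the code, build a resource exploitation graph, organise an access control matrix per role) and the two violation checks can be illustrated with a small script. The following is an added example, not code from the paper or its authors: the controller actions, their role annotations, the resources they touch and the RBAC specification are all constructed for a toy medical records application, and the function names (`reachable_resources`, `access_control_matrix`, `check_compliance`) are my own. A real tool would obtain the `ACTIONS` table from route filters, annotations and call-graph analysis of the source; here it is written by hand.

```python
# Added example (not from the paper): compare an MVC application's implemented
# access control with its RBAC specification and report the two violation kinds
# the abstract names: unspecified rules present, specified rules absent.
from collections import defaultdict

# Constructed stand-in for the result of source-code analysis. Each controller
# action records the roles allowed to invoke it (as read from route filters or
# annotations), the (resource, operation) pairs it performs directly, and the
# helpers/actions it calls. A helper with no roles is not routable on its own.
ACTIONS = {
    "RecordController.view": {
        "roles": {"doctor", "nurse"},
        "uses": {("MedicalRecord", "read")},
        "calls": set(),
    },
    "RecordController.edit": {
        "roles": {"doctor"},
        "uses": {("MedicalRecord", "write")},
        "calls": {"AuditHelper.log"},
    },
    "RecordController.delete": {
        # Constructed defect: nurses were never meant to delete records.
        "roles": {"doctor", "nurse"},
        "uses": {("MedicalRecord", "delete")},
        "calls": {"AuditHelper.log"},
    },
    "AuditHelper.log": {
        "roles": set(),
        "uses": {("AuditLog", "write")},
        "calls": set(),
    },
    "PatientController.list": {
        "roles": {"doctor", "nurse", "receptionist"},
        "uses": {("Patient", "read")},
        "calls": set(),
    },
}

# Constructed RBAC specification: role -> set of granted (resource, operation).
SPEC = {
    "doctor": {("MedicalRecord", "read"), ("MedicalRecord", "write"),
               ("MedicalRecord", "delete"), ("AuditLog", "write"),
               ("Patient", "read")},
    "nurse": {("MedicalRecord", "read"), ("Patient", "read")},
    "receptionist": {("Patient", "read"), ("Appointment", "read")},
}


def reachable_resources(action, actions):
    """Walk the resource exploitation graph: every (resource, op) an action can
    exercise directly or through the actions/helpers it calls (cycle-safe)."""
    seen, stack, result = set(), [action], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        entry = actions[node]
        result |= entry["uses"]
        stack.extend(entry["calls"])
    return result


def access_control_matrix(actions):
    """Organise implemented permissions by role: role -> set of (resource, op)."""
    matrix = defaultdict(set)
    for name, entry in actions.items():
        if not entry["roles"]:
            continue  # internal helper, only reachable via a routed action
        perms = reachable_resources(name, actions)
        for role in entry["roles"]:
            matrix[role] |= perms
    return dict(matrix)


def check_compliance(spec, actions):
    """Per role, report (i) implemented permissions the spec never granted and
    (ii) specified permissions the implementation never grants. Roles that
    appear only in the code or only in the spec are included."""
    implemented = access_control_matrix(actions)
    report = {}
    for role in set(spec) | set(implemented):
        have = implemented.get(role, set())
        want = spec.get(role, set())
        report[role] = {"unspecified": have - want, "missing": want - have}
    return report


def is_compliant(report):
    """True only when no role has either kind of violation."""
    return all(not v["unspecified"] and not v["missing"] for v in report.values())


if __name__ == "__main__":
    for role, v in sorted(check_compliance(SPEC, ACTIONS).items()):
        print(f"{role}: unspecified={sorted(v['unspecified'])} "
              f"missing={sorted(v['missing'])}")
```

Running it shows the nurse role gaining `MedicalRecord/delete` and, transitively through the audit helper, `AuditLog/write`, neither of which the specification grants (case i), while the receptionist's specified `Appointment/read` has no implementing action (case ii). The transitive walk is what makes the graph step worthwhile: a permission check at the routed action alone would have missed the audit-log write.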