Journal of Information Security and Cryptography (Enigma)

Authorization in its most basic form can be
reduced to a simple question: “May a subject X access an object
Y?” The attempt to implement an adequate response to this
authorization question has produced many access control models
and mechanisms. The development of the authorization
mechanisms usually employs frameworks, which usually
implements one access control model, as a way of reusing larger
portions of software. However, some authorization requirements,
present on recent applications, have demanded for software
systems to be able to handle security policies of multiple access
control models. Industry has resolved this problem in a
pragmatic way, by using the framework to solve part of the
problem, and mingling business and the remaining authorization
concerns into the code. The main goal of this paper is to present a
comparative analysis between the existing frameworks developed
either within the academic and industry environments. This
analysis uses a motivating example to present the main industry
frameworks and consider the fulfillment of modularity,
extensibility and granularity requirements facing its suitability
for the existing access control models. This analysis included the
Esfinge Guardian framework, which is an open source
framework developed by the authors that provides mechanisms
that allows its extension to implement and combine different
authorization models.

E. BERTINO; B. CATANIA; E. FERRARI; P. PERLASCA, “A logical

framework for reasoning about access control models.” ACM

Transactions on Information and System Security, v. 6, no. 1, pp. 71-

, 2003.

PRIVILEGE MANAGEMENT CONFERENCE COLLABORATION

TEAM. A report on the privilege (access) management workshop.

Washington, DC: NIST, 2010. (NIST-IR-7657).

Hu, V. C., Ferraiolo, D. F., Kuhn D. R.: Assessment of Access Control

(NIST-IR-7316). Gaithersburg, MD (2006)

Hu, V. C., Scarfone, K.: Guidelines for Access Control System

Evaluation Metrics NIST-IR-7874. Gaithersburg, MD (2012)

Eduardo Guerra, Felipe Alves, Uirá Kulesza, Clovis Fernandes, A

reference architecture for organizing the internal structure of metadatabased

frameworks, Journal of Systems and Software, Volume 86, Issue

, May 2013, Pages 1239-1256.

Fayad, M., Schmidt, D. C., Johnson, R. E.: Building application

frameworks: object-oriented foundations of framework design. In:

Building application frameworks: object-oriented foundations of

framework design, New York, Wiley, 55-83 (1999)

Ferraiolo, D., Kuhn R., Chandramoulli, R.: Role-based access control.

Artech House (2007)

Ferraiolo, D., Kuhn, R.: Role-based Access Controls. In: Proceedings of

th NIST-NCSC National Computer Security Conference, Baltimore,

MD, 554-563 (1992).

Elliott, A. A., Knight, G. S.: Role Explosion: Acknowledging the

Problem. In: Proceedings of the 2010 International Conference on

Software Engineering Research & Practice. (2010)

Sandhu, R., Ferraiolo, D.F., Kuhn, D.R.: The NIST Model for Role-

Based Access Control: Toward a Unified Standard. In: 5th ACM

Workshop Role-Based Access Control. pp. 47–63. (2000).

Probst, S., Kung, J.: The need for declarative security mechanisms. In:

Proceedings of 30th Euromicro Conference, pp. 526- 531 (2004)

Merz, M.: Enabling declarative security through the use of Java Data

Objects. In: Journal of Science of Computer Programming, V. 70, n. 2-3,

pp. 208-220 (2008)

Bartsch, S.: Authorization Enforcement Usability Case Study. In:

ESSoS'11: Proceedings of the Third international conference on

Engineering secure software and systems, pp. 209-220 (2011)

Hai-bo, S., Fan, H.: An Attribute-Based Access Control Model for Web

Services. In: PDCAT '06. Seventh International Conference on Parallel

and Distributed Computing, Applications and Technologies, pp.74-79

(2006)

Peng, J., Yang, F.: Description Logic Modeling of Temporal Attribute-

Based Access Control. In: ICCE '06. First International Conference on

Communications and Electronics, pp.414-418 (2006)

Hsieh, G., Foster, K., Emamali, G., Patrick, G., Marvel, L.: Using

XACML for Embedded and Fine-Grained Access Control Policy. In:

ARES '09 International Conference, pp.462-468 (2009)

XACML: eXtensible Access Control Markup Language (XACML),

Version 3.0, Committee Specification 01. http://docs.oasisopen.org/

xacml/3.0/xacml-3.0-core-spec-cs-01-en.pdf (2011)

Bo, L, Nan, Z., Kun, G., Kai, C.: An XACML Policy Generating

Method Based on Policy View. ICPCA 2008: 3rd International Confer.

on Pervasive Computing and Applications, v.1, pp.295-301 (2008)

Java EE: Java Enterprise Edition Tutorial 6.

http://docs.oracle.com/javaee/6/tutorial/doc/bnbyl.html (2013).

Spring Framework: Spring Source Community.

http://www.springsource.org/ (2013)

Perillo, J., Guerra, E., Silva, J., Silveira, F., Fernandes, C.: Metadata

Modularization Using Domain Annotations. In: Workshop on

Assessment of Contemporary Modularization Techniques. V. 3, Orlando

(2009)

Perillo, J., Guerra, E., Fernandes, C.: Daileon-A Tool for Enabling

Domain Annotations. In: RAM-SE '09: Proceedings of the Workshop on

AOP and Meta-Data for Software Evolution, n. 7 (2009)

Trusted Computer System Evaluation Criteria (Orange Book),

Department of Defense.

http://csrc.nist.gov/publications/history/dod85.pdf (1985)

Sayaf, R., Clarke D.: Access Control Models for Online Social

Networks. In: Social Network Engineering for Secure Web Data and

Services, (2012)

R. Sayaf. Access control for online social networks - research summary.

In: For your eyes only conference. Brussels. (2012)

Ribeiro, M., Dosea, M., Bonifácio, R., Neto, A. C., Borba, P., Soares, S.:

Analyzing Class and Crosscutting Modularity Structure Matrixes. In

Proceedings of the 21th Brazilian Symposium on Software Engineering

(SBES) (2007)

Neto, A. C., Ribeiro, M., Dósea, M., Bonifácio, R., Borba, P., Soares, S.:

Semantic Dependencies and Modularity of Aspect-Oriented Software.

In: Workshop on Assessment of Contemporary Modularization

Techniques (2007)

Guerra, Eduardo, Buarque, Eduardo, Fernandes, Clovis, Silveira, Fábio

(2013) A Flexible Model for Crosscutting Metadata-Based Frameworks.

Computational Science and Its Applications – ICCSA 2013, Lecture

Notes in Computer Science, V 7972, 391-407.

Motta, G.H.M.B.; Furuie, S.S., "A contextual role-based access control

authorization model for electronic patient record," Information

Technology in Biomedicine, IEEE Transactions on , vol.7, no.3,

pp.202,207, Sept. 2003

Silva, J., Guerra, E., Fernandes, C.: An Extensible and Decoupled

Architectural Model for Authorization Frameworks. In: Murgante, B.,

Misra, S., Carlini, M., Torre, C.M., Nguyen, H.-Q., Taniar, D.,

Apduhan, B.O., Gervasi, O. (eds.) ICCSA 2013, Part IV. LNCS, vol.

, pp. 614–628. Springer, Heidelberg (2013)

Kandala, S.; Sandhu, R.; Bhamidipati, V., "An Attribute Based

Framework for Risk-Adaptive Access Control Models," Availability,

Reliability and Security (ARES), 2011 Sixth International Conference

on , vol., no., pp.236,241, 22-26 Aug. 2011

Ferreira, A.; Chadwick, D.; Farinha, P.; Correia, R.; Gansen Zao; Chilro,

R.; Antunes, L., "How to Securely Break into RBAC: The BTG-RBAC

Model," Computer Security Applications Conference, 2009. ACSAC

'09. Annual , vol., no., pp.23,31, 7-11 Dec. 2009

PARK, J.; SANDHU, R. The UCONABC usage control model. ACM

Transactions on Information System Security, v. 0, n. 0, February, 2004.

Yonggang Ding; Junhua Zou, "DRM Application in UCONABC,"

Advanced Software Engineering and Its Applications, 2008. ASEA 2008

, vol., no., pp.182,185, 13-15 Dec. 2008

Srijith K. Nair, Andrew S. Tanenbaum, Gabriela Gheorghe, and Bruno

Crispo. 2008. Enforcing DRM policies across applications. In

Proceedings of the 8th ACM workshop on Digital rights management

(DRM '08). ACM, New York, NY, USA, 87-94.

Silva, J. O. An Architectural Model for Access Control Frameworks

Extensible for Different Authorization. São José dos Campos, 2013.

Master’s Thesis 114f.

Rissanen E, Brossard D, Slabbert A Distributed access control

management—a xacml-based approach. In: ICSOC-servicewave.

Springer, Berlin, 2009

Sirbi, K.; Kulkarni, P. J. Modularization of enterprise application

security through Spring AOP. International Journal of Computer Science

& Communication, v. 1, n. 2, p. 227-231, 2010.

Fernandez, L. L.; Carrillo, M. G.; Pelaez, J.; Fernandez, F. A declarative

authentication and authorization framework for convergent IMS/Web

application servers based on aspect oriented code injection. In: IMSAA

INTERNATIONAL CONFERENCE ON INTERNET MULTIMEDIA

SERVICES ARCHITECTURE AND APPLICATIONS, 2, 2008,

Bangalore. Proceedings… Bangalore: IMSAA, 2008. p. 1-6.

HAI-BO, S. A semantic and attribute-based framework for web services

access control. In: ISA INTERNATIONAL WORKSHOP ON

INTELLIGENT SYSTEMS AND APPLICATIONS, 2, 2010, Wuhan.

Proceedings… Wuhan: ISA, 2010, p.1-4.

Silva, J. Frameworks orientados a aspectos baseados em metadados. São

José dos Campos: Aeronautics Institute of Technology (ITA), 2008.

Welch, I. S.; Stroud, R. J. Re-engineering security as a crosscutting

concern. The Computer Journal, v. 46, n. 5, p. 578-589, 2003.

Camargo, V. V. Frameworks transversais: definições, classificações,

arquitetura e utilização em um processo de desenvolvimento de

software. 2006. PhD’s Thesis in Computing Science – University of São

Paulo, São Carlos, 2006.

Lampson, B. W. A note on the confinement problem. Communications

of ACM. v. 16, n. 10, p. 613–615, October, 1973.

LU, Peng; YIN, Zhao-lin. Analysis and extension of authentication and

authorization of Acegi security framework