Access control is a means to achieve information security. When we build large-scale systems on commercial component middleware platforms, such as those compliant with J2EE, the usual way to enforce access control is to define Access Control Configurations (ACCs) for components in a declarative manner. These ACCs are enforced by the J2EE security service, which grants or denies access requests to components according to them. However, it is difficult for developers to define correct ACCs from complex and sometimes ambiguous real-world access control requirements, so faults in the ACCs of large-scale J2EE applications are hard to avoid, arising for example from ad hoc mistakes by the developers. This paper identifies three kinds of faults specific to the ACCs of J2EE applications, namely incompleteness, inconsistency, and redundancy; presents validation algorithms that identify these faults by checking the ACCs against the access control requirements; and illustrates both the faults and the validation algorithms with an online bank application.
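The following is an added illustration, not code or an algorithm from the paper summarised above. It checks a declarative, role-based ACC against a set of access control requirements and reports the three fault kinds the abstract names. The concrete definitions it uses are assumptions made for the example: incompleteness is a method with no ACC entry, or a required role that the ACC does not grant; inconsistency is the ACC granting a role that the requirements say must be denied; redundancy is a role listed explicitly although it already holds the permission through role inheritance. The online bank component, its methods, the role hierarchy and the requirements are all constructed data, and the ACC is a plain dict rather than a real deployment descriptor.

```python
# Constructed example: one "Account" component of an online bank with four
# methods. A J2EE-style declarative ACC maps each (component, method) pair to
# the roles permitted to call it; here it is an ordinary dict.
COMPONENT_METHODS = {
    "Account": {"getBalance", "deposit", "withdraw", "closeAccount"},
}

# Assumed role hierarchy: a role inherits every permission of its parents,
# so "manager" may call anything "teller" may call.
ROLE_PARENTS = {"manager": {"teller"}, "teller": set(), "customer": set()}

# Constructed requirements: roles that MUST be able to call each method, and
# roles that MUST NOT be able to call it.
REQUIRED_ALLOW = {
    ("Account", "getBalance"): {"customer", "teller"},
    ("Account", "deposit"): {"teller"},
    ("Account", "withdraw"): {"customer", "teller"},
    ("Account", "closeAccount"): {"manager"},
}
REQUIRED_DENY = {
    ("Account", "deposit"): {"customer"},
    ("Account", "closeAccount"): {"customer", "teller"},
}

# ACC under validation, constructed to contain one fault of each kind:
#  - getBalance lists "manager", which already inherits the grant via "teller"
#  - deposit grants "customer", whom the requirements deny
#  - withdraw has no entry at all
FAULTY_ACC = {
    ("Account", "getBalance"): {"customer", "teller", "manager"},
    ("Account", "deposit"): {"teller", "customer"},
    ("Account", "closeAccount"): {"manager"},
}

# The same ACC with the three faults repaired; validate() reports nothing for it.
CORRECTED_ACC = {
    ("Account", "getBalance"): {"customer", "teller"},
    ("Account", "deposit"): {"teller"},
    ("Account", "withdraw"): {"customer", "teller"},
    ("Account", "closeAccount"): {"manager"},
}


def ancestors(role):
    """All roles that `role` transitively inherits from (not including itself)."""
    seen, stack = set(), [role]
    while stack:
        for parent in ROLE_PARENTS.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def effective_roles(granted):
    """Roles that can actually call a method: those granted directly, plus every
    role that inherits from a granted role."""
    return {r for r in ROLE_PARENTS if r in granted or ancestors(r) & granted}


def validate(acc, methods, req_allow, req_deny):
    """Return a list of (fault_kind, (component, method), detail) tuples."""
    faults = []
    for component, method_names in methods.items():
        for method in sorted(method_names):
            key = (component, method)
            if key not in acc:
                faults.append(("incompleteness", key, "no ACC entry for method"))
                continue
            granted = acc[key]
            effective = effective_roles(granted)
            # Incompleteness: a role the requirements demand is not granted.
            for role in sorted(req_allow.get(key, set()) - effective):
                faults.append(("incompleteness", key, f"required role {role} not granted"))
            # Inconsistency: a role the requirements forbid can call the method.
            for role in sorted(req_deny.get(key, set()) & effective):
                faults.append(("inconsistency", key, f"denied role {role} is granted"))
            # Redundancy: an explicit grant already implied by an inherited role.
            for role in sorted(granted):
                if ancestors(role) & granted:
                    faults.append(("redundancy", key, f"role {role} already covered by inheritance"))
    return faults


if __name__ == "__main__":
    for fault in validate(FAULTY_ACC, COMPONENT_METHODS, REQUIRED_ALLOW, REQUIRED_DENY):
        print(fault)
    print("corrected ACC faults:", validate(CORRECTED_ACC, COMPONENT_METHODS, REQUIRED_ALLOW, REQUIRED_DENY))
```

Inheritance is resolved before the deny check on purpose: a deny requirement is violated not only when the forbidden role is listed, but also when a role it inherits from is, which is the kind of fault a per-line reading of a deployment descriptor does not reveal.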