Distributed and typed role-based access control mechanisms driven by CRUD expressions
Main author: | Pereira, Óscar Mortágua |
---|---|
Publication date: | 2014 |
Other authors: | Regateiro, Diogo; Aguiar, Rui L. |
Document type: | Article |
Language: | eng |
Source title: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
Full text: | http://hdl.handle.net/10773/12831 |
Abstract: | The business logic of relational database applications is an important source of security violations, particularly with respect to access control. The situation is especially critical when access control policies are numerous and complex: in such cases, programmers of business logic can hardly master the established policies. We consider situations where business logic is built with tools such as JDBC and ODBC. These tools introduce two sources of security threats: 1) the use of unauthorized Create, Read, Update and Delete (CRUD) expressions, and 2) the modification of data previously retrieved by Select statements. To close this security gap when role-based access control (RBAC) policies are used, we propose an extension to the basic RBAC model that controls both sources of threats. Finally, we present a software architectural model from which distributed and typed RBAC mechanisms are built automatically, relieving programmers from having to master any security schema. We present empirical evidence of the effectiveness of our proposal from a use case based on Java and JDBC. |
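The two threats named in the abstract, shown as an added example that is not the paper's Java/JDBC implementation: a Python/sqlite3 sketch of a role-driven, typed data-access layer in which business logic never chooses SQL, only a role and a typed method. Authorization is decided on a CRUD expression identifier rather than on SQL text (threat 1), and rows retrieved by a Select come back as immutable objects with no write-back path, the counterpart of an updatable JDBC ResultSet's updateRow() (threat 2). The roles, expression identifiers, the orders table and its rows are all invented for the illustration.

```python
"""Added illustration, not the paper's code: a role-driven, typed access layer.
All names (roles, CRUD expression identifiers, the orders table) are invented."""
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy: role -> identifiers of the CRUD expressions it may execute (constructed).
POLICY = {
    "auditor": frozenset({"read_orders"}),
    "clerk":   frozenset({"read_orders", "create_order"}),
    "manager": frozenset({"read_orders", "create_order", "update_status", "delete_order"}),
}

# The only SQL the application can run; business logic never sees these strings.
CRUD_EXPRESSIONS = {
    "read_orders":   "SELECT id, customer, amount, status FROM orders ORDER BY id",
    "create_order":  "INSERT INTO orders(customer, amount, status) VALUES (?, ?, 'new')",
    "update_status": "UPDATE orders SET status = ? WHERE id = ?",
    "delete_order":  "DELETE FROM orders WHERE id = ?",
}


class AccessDenied(PermissionError):
    """Raised when a role tries to run a CRUD expression it was not granted."""


@dataclass(frozen=True)
class Order:
    """Immutable view of a retrieved row. There is no updateRow()-style path
    from this object back to the table; writes go through update_status only."""
    id: int
    customer: str
    amount: float
    status: str


class OrdersAccess:
    """Typed access object for one role. Each method maps to exactly one CRUD
    expression identifier; raw SQL cannot be passed in from business logic."""

    def __init__(self, conn: sqlite3.Connection, role: str) -> None:
        if role not in POLICY:
            raise AccessDenied(f"unknown role {role!r}")
        self._conn = conn
        self._role = role
        self._allowed = POLICY[role]

    def _run(self, expr_id: str, params: Tuple = ()) -> sqlite3.Cursor:
        # Authorization is checked on the identifier, not on SQL text, so a role
        # cannot smuggle in an expression (or arbitrary SQL) it does not own.
        if expr_id not in CRUD_EXPRESSIONS or expr_id not in self._allowed:
            raise AccessDenied(f"role {self._role!r} may not execute {expr_id!r}")
        cur = self._conn.execute(CRUD_EXPRESSIONS[expr_id], params)
        self._conn.commit()
        return cur

    def read_orders(self) -> List[Order]:
        return [Order(*row) for row in self._run("read_orders").fetchall()]

    def create_order(self, customer: str, amount: float) -> int:
        return self._run("create_order", (customer, amount)).lastrowid

    def update_status(self, order_id: int, status: str) -> int:
        return self._run("update_status", (status, order_id)).rowcount

    def delete_order(self, order_id: int) -> int:
        return self._run("delete_order", (order_id,)).rowcount


def build_access(conn: sqlite3.Connection, role: str) -> OrdersAccess:
    """Factory the business logic calls; it supplies a role, never SQL."""
    return OrdersAccess(conn, role)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, "
                 "amount REAL, status TEXT)")
    conn.executemany("INSERT INTO orders(customer, amount, status) VALUES (?, ?, ?)",
                     [("acme", 120.0, "new"), ("globex", 75.5, "shipped")])
    conn.commit()
    return conn


def try_op(fn, *args) -> Optional[str]:
    """Run one operation; return the denial message, or None if it was allowed."""
    try:
        fn(*args)
        return None
    except AccessDenied as e:
        return str(e)


if __name__ == "__main__":
    conn = demo_db()
    auditor = build_access(conn, "auditor")
    print([o.status for o in auditor.read_orders()])
    print(try_op(auditor.delete_order, 1))
    manager = build_access(conn, "manager")
    print(manager.update_status(1, "shipped"))
```

In the paper's setting the per-role access objects would be generated from the policy rather than hand-written, and the connection itself would be bound to the role on the server side; the point this sketch keeps is that the programmer's surface is a typed method set, so an unauthorized CRUD expression is a method that does not work for that role and a modified result row is a compile-time or runtime error rather than a silent write.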
id |
RCAP_45e2dd7f9410969b61687b58fb82406b |
---|---|
oai_identifier_str |
oai:ria.ua.pt:10773/12831 |
network_acronym_str |
RCAP |
network_name_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository_id_str |
7160 |
dc.title.none.fl_str_mv |
Distributed and typed role-based access control mechanisms driven by CRUD expressions |
title |
Distributed and typed role-based access control mechanisms driven by CRUD expressions |
spellingShingle |
Distributed and typed role-based access control mechanisms driven by CRUD expressions Pereira, Óscar Mortágua RBAC Access control Information security Software architecture Middleware Distributed systems Relational databases |
title_short |
Distributed and typed role-based access control mechanisms driven by CRUD expressions |
title_full |
Distributed and typed role-based access control mechanisms driven by CRUD expressions |
title_fullStr |
Distributed and typed role-based access control mechanisms driven by CRUD expressions |
title_full_unstemmed |
Distributed and typed role-based access control mechanisms driven by CRUD expressions |
title_sort |
Distributed and typed role-based access control mechanisms driven by CRUD expressions |
author |
Pereira, Óscar Mortágua |
author_facet |
Pereira, Óscar Mortágua Regateiro, Diogo Aguiar, Rui L. |
author_role |
author |
author2 |
Regateiro, Diogo Aguiar, Rui L. |
author2_role |
author author |
dc.contributor.author.fl_str_mv |
Pereira, Óscar Mortágua Regateiro, Diogo Aguiar, Rui L. |
dc.subject.por.fl_str_mv |
RBAC Access control Information security Software architecture Middleware Distributed systems Relational databases |
topic |
RBAC Access control Information security Software architecture Middleware Distributed systems Relational databases |
publishDate |
2014 |
dc.date.none.fl_str_mv |
2014-11-17T09:45:45Z 2014-10-30T00:00:00Z 2014-10-30 |
dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
dc.type.driver.fl_str_mv |
info:eu-repo/semantics/article |
format |
article |
status_str |
publishedVersion |
dc.identifier.uri.fl_str_mv |
http://hdl.handle.net/10773/12831 |
url |
http://hdl.handle.net/10773/12831 |
dc.language.iso.fl_str_mv |
eng |
language |
eng |
dc.relation.none.fl_str_mv |
2336-0984 |
dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
eu_rights_str_mv |
openAccess |
dc.format.none.fl_str_mv |
application/pdf |
dc.publisher.none.fl_str_mv |
ORB - Academic Publisher |
publisher.none.fl_str_mv |
ORB - Academic Publisher |
dc.source.none.fl_str_mv |
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação instacron:RCAAP |
instname_str |
Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
instacron_str |
RCAAP |
institution |
RCAAP |
reponame_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
collection |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
repository.name.fl_str_mv |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
repository.mail.fl_str_mv |
mluisa.alvim@gmail.com |
_version_ |
1817543521798717440 |