A Practical Aspect Framework for Enforcing Fine-Grained Access Control in Web Applications

Abstract: Abstract. Access control is a system-wide concern that has both a generic nature and an application dependent characteristic. It is generic as many functions must be protected with restricted access, yet the rule to grant a request is highly dependent on the application state. Hence it is common to see the code for implementing access control scattered over the system and tangled with the functional code, making the system difficult to maintain. This paper addresses this issue for Web applications by presentin… Show more

“…However, the per instance interception mechanism we adopted from AspectWerkz (Version 2.0) is an ad-hoc combination of the two features that is barely able to meet our requirements. We now discuss the specific issues of AspectWerkz we encountered in our study 1 . 1 The same issues also apply to JBoss AOP 1.3.…”

“…We now discuss the specific issues of AspectWerkz we encountered in our study 1 . 1 The same issues also apply to JBoss AOP 1.3.…”

“…Our previous work [1] [2] has demonstrated the feasibility of using AOP to implement fine-grained access control for Struts-based Web applications [3]. Here we extend this line of study to include delegation of access rights, such as roles and permissions.…”

“…All user action classes must inherit from the class Action and implement an execute method with a specific signature. As discussed in [1], the execute method of a user action class is the right target for weaving access control aspects. While these aspects share a common code structure, their specific coding details will not be the same because the access constraints of each action class may be different.…”

“…Since our delegation scheme is based on our previous work of access control [1][2], before presenting the dynamic aspects for delegation, we shall briefly review our approach to implementing access control using static aspects. Besides, we shall also briefly describe the relevant features of AspectWerkz when we present the aspect codes.…”

Using dynamic aspects for delegating fine-grained access rights

“…However, the per instance interception mechanism we adopted from AspectWerkz (Version 2.0) is an ad-hoc combination of the two features that is barely able to meet our requirements. We now discuss the specific issues of AspectWerkz we encountered in our study 1 . 1 The same issues also apply to JBoss AOP 1.3.…”

“…We now discuss the specific issues of AspectWerkz we encountered in our study 1 . 1 The same issues also apply to JBoss AOP 1.3.…”

“…Our previous work [1] [2] has demonstrated the feasibility of using AOP to implement fine-grained access control for Struts-based Web applications [3]. Here we extend this line of study to include delegation of access rights, such as roles and permissions.…”

“…All user action classes must inherit from the class Action and implement an execute method with a specific signature. As discussed in [1], the execute method of a user action class is the right target for weaving access control aspects. While these aspects share a common code structure, their specific coding details will not be the same because the access constraints of each action class may be different.…”

“…Since our delegation scheme is based on our previous work of access control [1][2], before presenting the dynamic aspects for delegation, we shall briefly review our approach to implementing access control using static aspects. Besides, we shall also briefly describe the relevant features of AspectWerkz when we present the aspect codes.…”

Using dynamic aspects for delegating fine-grained access rights

An Aspect-Oriented Approach to Declarative Access Control for Web Applications

Fine-Grained Role- and Attribute-Based Access Control for Web Applications