research-article

Attribute based access control for APIs in spring security

Authors:

Alessandro Armando,

Roberto Carbone,

Eyasu Getahun Chekole,

Silvio RaniseAuthors Info & Claims

SACMAT '14: Proceedings of the 19th ACM symposium on Access control models and technologies

Pages 85 - 88

https://doi.org/10.1145/2613087.2613109

Published: 25 June 2014 Publication History

Get Access

Abstract

The widespread adoption of Application Programming Interfaces (APIs) by enterprises is changing the way business is done by permitting the implementation of a multitude of apps, customized to user needs. While supporting a more flexible exploitation of available data, services and applications developed on top of APIs are vulnerable to a variety of attacks, ranging from SQL injection to unauthorized access of sensitive data. Available security solutions must be re-used and/or adapted to work with APIs. In this paper, we focus on the development of a flexible access control mechanism for APIs. This is an important security mechanism to guarantee the enforcement of authorization constraints on resources while invoking their API functions. We have developed an extension of the Spring Security framework, the standard for securing services and apps built in the popular (open source) Spring framework, for the specification and enforcement of Attribute-Based Access Control (ABAC) policies. We demonstrate our work with scenarios arising in a smart energy eco-system.

References

[1]

A. Armando, R. Carbone, E. G. Chekole, C. Petrazzuolo, A. Ranalli, and S. Ranise. Selective Release of Smart Metering Data in Multi-domain Smart Grids. In 2nd Open EIT ICT Labs Workshop on Smart Grid Security, 2014.

Google Scholar

[2]

X. Jin, R. Krishnan, and R. Sandhu. A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC. In DBSec, number 7371 in LNCS, pages 41--55, 2012.

Digital Library

Google Scholar

[3]

G. Naumovich and P. Centonze. Static Analysis of Role-based Access Control in J2EE Applications. SIGSOFT Softw. Eng. Notes, 29(5):1--10, Sept. 2004.

Digital Library

Google Scholar

[4]

E. Yuan and J. Tong. Attributed Based Access Control (ABAC) for Web Services. In IEEE Int. Conf. on Web Services, ICWS '05, pages 561--569. IEEE Computer Society, 2005.

Digital Library

Google Scholar

Cited By

View all

Varshith HSural SVaidya JAtluri V(2024)Efficiently Supporting Attribute-Based Access Control in LinuxIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.329942921:4(2012-2026)Online publication date: Jul-2024
https://doi.org/10.1109/TDSC.2023.3299429
Luong TLe HVo DTruong N(2022)A Framework to Verify the ABAC Policies in Web ApplicationsIntelligence of Things: Technologies and Applications10.1007/978-3-031-15063-0_11(124-133)Online publication date: 23-Aug-2022
https://doi.org/10.1007/978-3-031-15063-0_11
Islam MRahaman SMeng NHassanshahi BKrishnan PYao D(2020)Coding Practices and Recommendations of Spring Security for Enterprise Applications2020 IEEE Secure Development (SecDev)10.1109/SecDev45635.2020.00024(49-57)Online publication date: Sep-2020
https://doi.org/10.1109/SecDev45635.2020.00024
Show More Cited By

Index Terms

Attribute based access control for APIs in spring security
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

Mining Positive and Negative Attribute-Based Access Control Policy Rules
SACMAT '18: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies

Mining access control policies can reduce the burden of adopting more modern access control models by automating the process of generating policies based on existing authorization information in a system. Previous work in this area has focused on mining ...
Semantic Attribute-Based Access Control: A review on current status and future perspectives
Abstract
Attribute-based access control (ABAC) uses the attributes of the involved entities (i.e., subject, object, action, and environment) to provide access control. Despite various advantages offered by ABAC, it is not the best fit for ...
Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control
Foundations and Practice of Security
Abstract
Efforts towards incorporating user-to-user delegation into Attribute-Based Access Control (ABAC) is an emerging new direction in ABAC research. A number of potential strategies for integrating delegation have been proposed in recent literature but ...

Comments

Information & Contributors

Information

Published In

SACMAT '14: Proceedings of the 19th ACM symposium on Access control models and technologies

June 2014

234 pages

ISBN:9781450329392

DOI:10.1145/2613087

General Chair:
Sylvia Osborn
University of Western Ontario, Canada
,
Program Chairs:
Mahesh V. Tripunitara
University of Waterloo, Canada
,
Ian M. Molloy
IBM Research, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 June 2014

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

SACMAT '14

Sponsor:

SIGSAC

SACMAT '14: 19th ACM Symposium on Access Control Models and Technologies

June 25 - 27, 2014

Ontario, London, Canada

Acceptance Rates

SACMAT '14 Paper Acceptance Rate 17 of 58 submissions, 29%;

Overall Acceptance Rate 177 of 597 submissions, 30%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

6
Total Citations
View Citations
439
Total Downloads

Downloads (Last 12 months)16
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Varshith HSural SVaidya JAtluri V(2024)Efficiently Supporting Attribute-Based Access Control in LinuxIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.329942921:4(2012-2026)Online publication date: Jul-2024
https://doi.org/10.1109/TDSC.2023.3299429
Luong TLe HVo DTruong N(2022)A Framework to Verify the ABAC Policies in Web ApplicationsIntelligence of Things: Technologies and Applications10.1007/978-3-031-15063-0_11(124-133)Online publication date: 23-Aug-2022
https://doi.org/10.1007/978-3-031-15063-0_11
Islam MRahaman SMeng NHassanshahi BKrishnan PYao D(2020)Coding Practices and Recommendations of Spring Security for Enterprise Applications2020 IEEE Secure Development (SecDev)10.1109/SecDev45635.2020.00024(49-57)Online publication date: Sep-2020
https://doi.org/10.1109/SecDev45635.2020.00024
Chekole EHuaqun G(2019)ICS-SEAProceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop10.1145/3372318.3372325(60-69)Online publication date: 10-Dec-2019
https://dl.acm.org/doi/10.1145/3372318.3372325
Luong TVo DTruong N(2019)An approach to analyze software security requirements in ABAC model2019 6th NAFOSTED Conference on Information and Computer Science (NICS)10.1109/NICS48868.2019.9023902(184-189)Online publication date: Dec-2019
https://doi.org/10.1109/NICS48868.2019.9023902
Gorshkova ENovikov BShukla M(2017)A Fine-Grained Access Control Model and ImplementationProceedings of the 18th International Conference on Computer Systems and Technologies10.1145/3134302.3134310(187-194)Online publication date: 23-Jun-2017
https://dl.acm.org/doi/10.1145/3134302.3134310

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Mining Positive and Negative Attribute-Based Access Control Policy Rules

Semantic Attribute-Based Access Control: A review on current status and future perspectives

Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control

Comments

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Other Metrics

Article Metrics

Other Metrics

Cited By

Login options

Full Access

PDF

eReader

Abstract

References

Cited By

Index Terms

Recommendations

Mining Positive and Negative Attribute-Based Access Control Policy Rules

Semantic Attribute-Based Access Control: A review on current status and future perspectives

Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Get Access

Login options

Full Access

View options

PDF

eReader

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations