ABSTRACT
The widespread adoption of Application Programming Interfaces (APIs) by enterprises is changing the way business is done, since APIs permit the implementation of a multitude of apps customized to user needs. While APIs support a more flexible exploitation of available data, the services and applications built on top of them are exposed to a variety of attacks, ranging from SQL injection to unauthorized access to sensitive data. Available security solutions must be reused and/or adapted to work with APIs. In this paper, we focus on the development of a flexible access control mechanism for APIs. This is an important security mechanism, since it guarantees the enforcement of authorization constraints on resources when their API functions are invoked. We have developed an extension of the Spring Security framework, the standard for securing services and apps built on the popular (open source) Spring framework, for the specification and enforcement of Attribute-Based Access Control (ABAC) policies. We demonstrate our work with scenarios arising in a smart energy ecosystem.
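As an added illustration (not the paper's own extension, whose code the abstract does not show), the following sketches how ABAC enforcement on an API function can be hooked into Spring Security using its standard method-security hooks: a `@PreAuthorize` expression on the service method acts as the policy enforcement point and a custom `PermissionEvaluator` acts as the policy decision point, evaluating subject, resource, action and environment attributes instead of a role check. The domain types (`Meter`, `MeterReading`, `MeterRepository`, `SubjectAttributes`), the attribute names, the distribution-domain rule and the operational-window rule are assumptions chosen for a smart-metering scenario; the code targets Java 17 and Spring Security 5.6 or later (`@EnableMethodSecurity`).

```java
// Added example: ABAC on a Spring service method via @PreAuthorize + a custom
// PermissionEvaluator. Not the paper's extension. Hypothetical domain model
// (Meter, MeterReading, MeterRepository, SubjectAttributes) and policy rules;
// assumes Java 17 and Spring Security 5.6+ (@EnableMethodSecurity).
import java.io.Serializable;
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.List;
import java.util.Optional;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

// --- Attributes (hypothetical domain model) ---------------------------------
// Subject attributes, placed on the Authentication principal by the (assumed)
// authentication provider, i.e. by an authenticated source, not by the request.
record SubjectAttributes(String id, String role, String domain) {}
// Resource attributes of a smart meter: owner and distribution domain.
record Meter(String id, String ownerId, String domain) {}
record MeterReading(LocalDate day, double kWh) {}
interface MeterRepository {
    Optional<Meter> findById(String id);
    List<MeterReading> readings(String meterId, LocalDate day);
}

// --- Policy decision point ---------------------------------------------------
@Component
class AbacPermissionEvaluator implements PermissionEvaluator {
    private final MeterRepository meters;
    AbacPermissionEvaluator(MeterRepository meters) { this.meters = meters; }

    // Reached from hasPermission(#meterId, 'Meter', 'read'): resolve the
    // resource first so that its attributes are available to the policy.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (!"Meter".equals(targetType)) return false;
        return meters.findById(String.valueOf(targetId))
                     .map(m -> hasPermission(auth, m, permission))
                     .orElse(false);                     // unknown meter: deny
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (!(target instanceof Meter meter)) return false;
        if (!(auth.getPrincipal() instanceof SubjectAttributes subject)) return false;
        ZonedDateTime now = ZonedDateTime.now(ZoneOffset.UTC);  // environment attribute
        return decide(subject, meter, String.valueOf(permission), now);
    }

    // The policy: conjunctions of attribute predicates, deny by default.
    // Static and side-effect free so it can be unit-tested without Spring.
    static boolean decide(SubjectAttributes s, Meter m, String action, ZonedDateTime now) {
        boolean owner = s.id().equals(m.ownerId());
        boolean sameDomain = s.domain().equals(m.domain());
        int hour = now.getHour();
        boolean operationalWindow = hour >= 6 && hour < 22;  // assumed environment constraint

        // Rule 1: a customer may read the readings of a meter they own, at any time.
        if (action.equals("read") && s.role().equals("customer") && owner) return true;
        // Rule 2: a grid operator may read meters of their own distribution
        // domain, but only inside the operational window.
        if (action.equals("read") && s.role().equals("operator") && sameDomain && operationalWindow) return true;
        // Every other (subject, resource, action, environment) combination is denied.
        return false;
    }
}

// --- Policy enforcement point: the API function ------------------------------
@Service
class MeterService {
    private final MeterRepository meters;
    MeterService(MeterRepository meters) { this.meters = meters; }

    // The SpEL call dispatches to AbacPermissionEvaluator; on a deny decision
    // Spring Security throws AccessDeniedException and the body is never entered.
    @PreAuthorize("hasPermission(#meterId, 'Meter', 'read')")
    public List<MeterReading> getReadings(String meterId, LocalDate day) {
        return meters.readings(meterId, day);
    }
}

// --- Wiring: make the method-security expression handler use the PDP --------
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(AbacPermissionEvaluator pdp) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(pdp);
        return handler;
    }
}
```

Two points worth checking in any such deployment: every attribute the policy consumes must come from a source the caller cannot influence (the authenticated principal and the repository here, never a request parameter or header), otherwise the client chooses the policy inputs; and the decision function should be kept pure, as `decide` is above, so that the policy can be tested exhaustively over subject, resource, action and environment values without starting the application context.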
Index Terms
- Attribute based access control for APIs in spring security