Marc Hüffmeyer
ABSTRACT
This work introduces RestACL - an access control language for RESTful Services - and compares it with XACML using formal methods. XACML is a generic approach that targets Attribute Based Access Control (ABAC) in general. RestACL is founded on the ideas of the ABAC model, too, but utilizes the concepts of REST enabling a quicker evaluation of access requests. This work gives a brief introduction over the main ideas of RestACL and proves its evidence by giving transformation rules to translate security policies from RestACL to XACML and vice versa. The formalized transformation descriptions show the expressive strength of RestACL, because they demonstrate that any generic ABAC policy written in XACML can be expressed with RestACL, too. The correctness and completeness of RestACL can be proved with the transformation rules, too.
- Extensible Access Control Markup Language (XACML) Version 3.0. Organization for the Advancement of Structured Information Standards (OASIS), 2013.Google Scholar
- N. Ammar, E. Bertino, Z. Malik, and A. Rezgui. XACML Policy Evaluation with Dynamic Context Handling. IEEE Transactions on Knowledge and Data Engineering, Volume 27, 2015.Google ScholarDigital Library
- J. Crampton and C. Morisset. PTaCL: A Language for Attribute-Based Access Control in Open Systems. POST '12 Proceedings of the First International Conference on Principles of Security and Trust, 2012. Google ScholarDigital Library
- T. R. Fielding. Architectural Styles and the Design of Network-based Software Architectures. University of California, Irvine, 2000.Google ScholarDigital Library
- M. Hüffmeyer and U. Schreier. Analysis of an Access Control System for RESTful Services. ICWE '16 - International Conference on Web Engineering, 2016.Google ScholarCross Ref
- M. Hüffmeyer and U. Schreier. RestACL - An Attribute Based Access Control Language for RESTful Services. ABAC '16 - Proceedings of the 1st Workshop on Attribute Based Access Control, 2016. Google ScholarDigital Library
- X. Jin, R. Krishnan, and R. Sandhu. A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC. DBSec '12 - Proceedings of the 26th Annual Conference on Data and Applications Security and Privacy, 2012. Google ScholarDigital Library
- A. Liu, F. Chen, J. Hwang, and T. Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. SIGMETRICS '08 - Proceedings of the 2008 ACM International Conference on Measurement and Modeling of Computer Systems, 2008. Google ScholarDigital Library
- M. Masi, R. Pugliese, and F. Tiezzi. Formalisation and Implementation of the XACML Access Control Mechanism. ESSoS '12 Proceedings of the 4th Iinternational Conference on Engineering Secure Software and Systems, 2012. Google ScholarDigital Library
- C. Morisset and N. Zannone. Reduction of Access Control Decisions. SACMAT '14 Proceedings of the 19th ACM Symposium on Access Control Models and Technologies, 2014. Google ScholarDigital Library
- L. Richardson and M. Amundsen. RESTful Web APIs. O'Reilly Media, 2013. Google ScholarDigital Library
- R. Sandhu. The authorization leap from rights to attributes: maturation or chaos? SACMAT '12 - Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, 2012. Google ScholarDigital Library
- J. Webber, S. Parastatidis, and I. Robinson. REST in Practice. O'Reilly Media, 2010.Google Scholar
Index Terms
- Formal Comparison of an Attribute Based Access Control Language for RESTful Services with XACML
Recommendations
A role-based XACML administration and delegation profile and its enforcement architecture
SWS '09: Proceedings of the 2009 ACM workshop on Secure web servicesThe OASIS technical committee published the XACML v3.0 administration and delegation profile (XACML-Admin) working draft on 16 April 2009 [3] in order to provide policy administration and dynamic delegation services to the XACML runtime. We enhance this ...
A network access control approach based on the AAA architecture and authorization attributes
Network access control mechanisms constitute an increasingly needed service, when communications are becoming more and more ubiquitous thanks to some technologies such as wireless networks or Mobile IP. This paper presents a particular scenario where ...
Semantic Attribute-Based Access Control: A review on current status and future perspectives
AbstractAttribute-based access control (ABAC) uses the attributes of the involved entities (i.e., subject, object, action, and environment) to provide access control. Despite various advantages offered by ABAC, it is not the best fit for ...
Comments