relation: https://eprints.uet.vnu.edu.vn/eprints/id/eprint/4095/
title: VeRA: Verifying RBAC and authorization constraints models of web applications
creator: Luong, Thanh Nhan
creator: Truong, Ninh Thuan
subject: ISI-indexed journals
description: The software security issue is being paid great attention from the software development community as security violations have emerged variously. Developers  often use access control techniques to restrict some security breaches to software  systems’ resources. The addition of authorization constraints to the role-based  access control model increases the ability to express access rules in real-world  problems. In this paper, we introduce an approach to reviewing the implementation of these models in web applications written by JavaEE according to the MVC  architecture under the support of the Spring Security framework. The proposed  method helps developers detect flaws in the assignment implementation process  of the models. Firstly, the approach focuses on extracting the information about  users and roles from the database of the web application. We then analyze policy  configuration files to establish the access analysis tree of the system. Next, algorithms are introduced to validate the correctness of implemented user - role and  role - permission assignments in the application system against the role-based access control and authorization constraint specification by the SecureUML model.  Lastly, we developed a tool called VeRA, to automatically support the verification process. The tool has also experimented with a number of access violation  scenarios in the medical record management system.
date: 2020
type: Article
type: PeerReviewed
identifier:   Luong, Thanh Nhan and Truong, Ninh Thuan  (2020) VeRA: Verifying RBAC and authorization constraints models of web applications.  International journal of software engineering and knowledge engineering (IJSEKE) .    ISSN 0218-1940    (In Press)