%A Thanh Nhan Luong
%A Ninh Thuan Truong
%J International journal of software engineering and knowledge engineering (IJSEKE)
%T VeRA: Verifying RBAC and authorization constraints models of web applications
%X The software security issue is being paid great attention from the software development community as security violations have emerged variously. Developers
often use access control techniques to restrict some security breaches to software
systems’ resources. The addition of authorization constraints to the role-based
access control model increases the ability to express access rules in real-world
problems. In this paper, we introduce an approach to reviewing the implementation of these models in web applications written by JavaEE according to the MVC
architecture under the support of the Spring Security framework. The proposed
method helps developers detect flaws in the assignment implementation process
of the models. Firstly, the approach focuses on extracting the information about
users and roles from the database of the web application. We then analyze policy
configuration files to establish the access analysis tree of the system. Next, algorithms are introduced to validate the correctness of implemented user - role and
role - permission assignments in the application system against the role-based access control and authorization constraint specification by the SecureUML model.
Lastly, we developed a tool called VeRA, to automatically support the verification process. The tool has also experimented with a number of access violation
scenarios in the medical record management system.
%D 2020
%L SisLab4095