Attribute based access control for APIs in Spring security / Armando, A.; Carbone, R.; Chekole, E. G.; Ranise, S. - (2014), pp. 85-88. (Paper presented at the 19th ACM Symposium on Access Control Models and Technologies, SACMAT 2014, held in London, ON, Canada, in 2014) [10.1145/2613087.2613109].

Attribute based access control for APIs in Spring security

Ranise S.
2014-01-01

Abstract

The widespread adoption of Application Programming Interfaces (APIs) by enterprises is changing the way business is done by permitting the implementation of a multitude of apps, customized to user needs. While supporting a more flexible exploitation of available data, services and applications developed on top of APIs are vulnerable to a variety of attacks, ranging from SQL injection to unauthorized access of sensitive data. Available security solutions must be re-used and/or adapted to work with APIs. In this paper, we focus on the development of a flexible access control mechanism for APIs. This is an important security mechanism to guarantee the enforcement of authorization constraints on resources while invoking their API functions. We have developed an extension of the Spring Security framework, the standard for securing services and apps built in the popular (open source) Spring framework, for the specification and enforcement of Attribute-Based Access Control (ABAC) policies. We demonstrate our work with scenarios arising in a smart energy eco-system.
Year: 2014
Published in: Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
Publisher: Association for Computing Machinery, 1515 Broadway, New York, NY 10036-9998 USA
ISBN: 9781450329392
Authors: Armando, A.; Carbone, R.; Chekole, E. G.; Ranise, S.
Use this identifier to cite or link to this document: https://hdl.handle.net/11572/333148