Title: Scenario Based Access Control Model Implemented in J2EE with Aspect-Oriented Software Development
Slide 1: Scenario Based Access Control Model Implemented in J2EE with Aspect-Oriented Software Development
- Captain Jason Furlong
- Department of Electrical and Computer Engineering
Slide 2: Proposal
Slide 3: Goal
- Outline my thesis proposal and discuss the following items
- The Java 2 Enterprise Edition (J2EE) environment
- Aspect-Oriented Software Development techniques
- Implementing a Scenario Based Access Control Model
Slide 4: Java 2 Enterprise Edition
- Standard for multitier enterprise applications
- Designed to encourage a Java based software component industry
- Abstracts details of application behaviour such as multithreading and persistence
[Diagram: tiers labelled Client, Presentation, Logic]
Slide 5: AOSD: Aspect-Oriented Software Development
- An alternative development philosophy that provides an Advanced Separation of Concerns
- Identify Crosscutting concerns early in the development process
- Permits code weaving so that crosscutting concerns can be independently developed
Slide 6: Scenario Based Access Control (SBAC)
- Provides a deterministic OO solution to access control
- Designed to mirror the workflow processes of an enterprise employee
- Permissions are allocated on a pre-scripted Scenario
Slide 7: Java 2 Enterprise Edition
Slide 8: Middleware Systems
- The workflow process is best applied to a middleware platform
- Relates to a Business Model
- Hides complexity through abstraction
- Example: Database Connectivity and transactions
- 3 prominent middleware platforms
  - CORBA (Object Management Group)
  - .NET (Microsoft)
  - J2EE (Sun Java)
Slide 9: J2EE Model
[Diagram: 4 Tier Model with tiers Client (Client Layer), Web Server (Presentation), Business Logic (Logic) and Data]
Slide 10: Aspect Oriented Software Development
Slide 11: The Crosscutting Problem
- Crosscutting Code
  - Code that is particular to the same concern but is spread across several modules
- Security is a Crosscutting Concern
- Difficult to consistently apply standards and policies to Concerns that are scattered and tangled
Slide 12: Code is not modularized
- logging in org.apache.tomcat
- red shows lines of code that handle logging
- not in just one place
- not even in a small number of places
www.AspectJ.org
Slide 13: Aspect Oriented Software Development
- An advanced Separation of Concerns
- Addresses Crosscutting concerns in 4 processes
  - Identification
  - Separation
  - Representation
  - Composition
- Permits the development and extension of orthogonal concerns
Slide 14: Orthogonal Design Requirements
[Diagram: orthogonal concerns Basic Functionality, Logging, Security]
Slide 15: Superimposition of Multiple Abstraction Models
[Diagram: the Basic Functionality, Logging and Security models superimposed]
Slide 16: Aspect-Oriented Software Development
- Applies to the whole software process
- Best used with an Aspect-Oriented Language
  - HyperJ
  - AspectJ
  - ComposeJ
Slide 17: Benefits of AOSD
- Comprehensibility
- Modularity
- Reusability
- Better Separation of Concerns
- Decomposability
Slide 18: Why SBAC?
Slide 19: Defining the Problem
Slide 20: Scenario Based Access Control (SBAC)
- Based on the observability of Objects
- Assumes that the availability of an Object and the methods that can be invoked will change according to a scenario, hence a temporal variance in the permission set
- In following a Scenario, the model is deterministic in satisfying a Safety Analysis
- The Scenario is supposed to mimic the workflow of an enterprise employee
Slide 21: SBAC uses Objects
Slide 22: Collaboration
Slide 23: Solution
- Using an EJB Reference Monitor
Slide 24: J2EE
[Diagram: Client, Web Server, Business Logic tiers]
Slide 25: Reference Monitor
[Diagram: Client, Web Server, Business Logic tiers and a Reference Monitor]
Slide 26: Presenting the Information
- Permitted Observability of objects changes as the scenario expands
- Permissions available to the user are highly dynamic: they are given and taken away with each step in the scenario.
- Model-View-Controller Pattern solves the presentation problem
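As an added example, not taken from the proposal: a plain Java sketch of the EJB reference monitor of slides 23 to 26 enforcing a pre-scripted scenario (slide 20) at the call boundary, so that the access-control concern stays out of the business code (the crosscutting problem of slide 11). OrderBean, Scenario, ReferenceMonitor and the sample steps are hypothetical; a java.lang.reflect.Proxy stands in for the AspectJ weaving the proposal relies on, and Java 9 or later is assumed for List.of and Set.of.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.List;
import java.util.Set;

// Hypothetical business interface, standing in for an EJB remote interface.
interface OrderBean {
    String create(String item);
    String approve(String orderId);
}
// A scenario is a pre-scripted, ordered list of steps; each step lists the methods an
// employee may invoke while that step is current. The steps below are constructed sample data.
final class Scenario {
    private final List<Set<String>> steps;
    private int current = 0;
    Scenario(List<Set<String>> steps) { this.steps = steps; }
    boolean permits(String method) { return steps.get(current).contains(method); }
    void advance() { if (current < steps.size() - 1) current++; }
}
// Reference monitor: the access-control concern is kept out of OrderBean and applied at the
// call boundary. A dynamic proxy stands in here for the AspectJ weaving the proposal uses.
final class ReferenceMonitor implements InvocationHandler {
    private final Object target; private final Scenario scenario;
    ReferenceMonitor(Object target, Scenario scenario) { this.target = target; this.scenario = scenario; }
    @SuppressWarnings("unchecked")
    static <T> T guard(T target, Class<T> iface, Scenario scenario) {
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface},
                new ReferenceMonitor(target, scenario));
    }
    public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
        if (!scenario.permits(m.getName())) {   // deny anything the current step does not list
            throw new SecurityException(m.getName() + " not permitted at this scenario step");
        }
        Object result = m.invoke(target, args);
        scenario.advance();                     // finishing a step swaps in the next permission set
        return result;
    }
}
public class SbacDemo {
    public static void main(String[] argv) {
        Scenario s = new Scenario(List.of(Set.of("create"), Set.of("approve")));
        OrderBean bean = ReferenceMonitor.guard(new OrderBean() {
            public String create(String item) { return "ORD-1:" + item; }
            public String approve(String id) { return id + " approved"; }
        }, OrderBean.class, s);
        try { bean.approve("ORD-1"); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        System.out.println(bean.create("widget"));   // permitted at step 1; the scenario advances
        System.out.println(bean.approve("ORD-1"));   // the same method is now permitted at step 2
    }
}
```

The denied call does not advance the scenario, so a user cannot skip ahead by probing methods that a later step would permit.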
Slide 27: Model-View-Controller
Slide 28: JavaServer Faces
- Open-source project originally called Struts
- Web server Model-View-Controller
  - View: JavaServer Pages
  - Model: Enterprise JavaBeans
  - Controller: Java Servlets
- Allows for dynamic generation of user interface using HTML
Slide 29: JavaServer Faces
[Diagram: Client, Web Server, Business Logic tiers]
Slide 30: Tentative Plan
[Diagram: Client, Web Server, Business Logic tiers and Model]
Slide 31: My Goals
- Create a reusable framework for the J2EE environment
- Incorporate AOSD through all phases of the project
- Establish the foundation of an SBAC Scenario Library for Security Engineers
Slide 32: Summary
- Java 2 Enterprise Edition
- Aspect Oriented Software Development
- Scenario Based Access Control Model
- JavaServer Faces (Model-View-Controller Pattern)
Slide 33: Questions
Slide 34: J2EE
- Built-in support for transactions
- Java has the most developed collection of AOP languages
- Open Design
- Less complicated design than CORBA
- Strong community support
Slide 35: J2EE
4 Tier Model
Slide 36: Enterprise JavaBeans
- Software Component that is pooled in a J2EE container
- Implements business logic
Slide 37: Concern Matrix
[Matrix with labels: Workspace Roles, Concurrency, Persistence, Requirement/Viewpoint]