Title

An Aspect-Oriented Approach to Privacy-Aware Access Control

DOI

10.29614/DRMM.200801.0007

Authors

Kung Chen;Da-Wei Wang

Keywords

Privacy-aware access control ; aspect-oriented programming

Journal

資訊安全通訊

Volume and Issue / Publication Date

Vol. 14, No. 1 (2008 / 01 / 01)

Pages

114 - 129

Content Language

English

English Abstract

This paper concerns the problem of enhancing enterprise applications with a modular mechanism for enforcing privacy policies on personal data. We propose to use aspect-oriented programming and address the involved issues from the perspective of extending fine-grained access control with privacy concerns. An aspect framework for enforcing access control in Struts-based Web applications is extended with fine-grained privacy protection mechanisms that make the access control aspects privacy aware. The proposed mechanisms are loosely coupled with the underlying application. It is thus easy to adapt them and employ them to migrate existing applications.

Subject Classification: Basic and Applied Sciences > Information Science