2009 Third International Conference on Emerging Security Information, Systems and Technologies
Generation of Role Based Access Control Security Policies
for Java Collaborative Applications
J. Briffaut, X. Kauffmann-Tourkestansky, J.-F. Lalande
ENSI de Bourges, LIFO — EA 4022
88 Bld Lahitolle
18020 Bourges Cedex, France
Email: {jeremy.briffaut,xavier.kauffmann-
[email protected]
tourkestansky,jean-francois.lalande}@ensi-bourges.fr
Abstract—Java collaborative applications are increasingly and
widely used in the form of applets or servlets, as a way to easily
download and execute small programs on one’s computer.
However, security associated with these downloaded
applications, even if it exists, is not easily manageable. Most of
the time, it relies on the user's ability to define a security policy
for his virtual machine, which is undesirable. This paper
proposes to integrate an RBAC mechanism for any Java
application. It introduces a simple tag process that allows the
developer to incorporate the appropriate policy in the source
code of his application. The user is endowed with the ability to
choose a role that corresponds to the required level of trust
required in order for him to embed the policy in the executed
code. A case study of a collaborative application shows how
works the proposed API for managing roles, generating
policies and logging in. At the end, a discussion about the
dynamic enforcement of the generated policies is presented.
Keywords—RBAC; java; collaborative applications
I. INTRODUCTION
This paper deals with the security of a Java application
that a user wishes to execute. The user or several users, in
the case of collaborative applications, are supposed to
execute some codes that they do not trust completely. This
could be a downloaded application or an application that
could endanger the system or its data.
It is assumed that the developer that coded the
application is also responsible of the security policy
associated with the code. Furthermore, we assume that the
user has access to the source code. If not, the proposed
solution may be run by the developer in order to produce the
policy. But to simplify the work, we suppose that the user
has access to the code.
The third role that is considered is the administrator of
the user's computer system. He could be responsible of
installing the software on the user's computer and possibly in
charge of the security policy and maintenance of these
computers. Additionally, the administrator could be in
charge of deploying software for several users, and would
like to provide them different levels of security to execute
the application.
978-0-7695-3668-2/09 $25.00 © 2009 IEEE
DOI 10.1109/SECURWARE.2009.41
Authorized licensed use limited to: Amrita School Of Engineering - Kollam. Downloaded on May 16,2025 at 11:31:51 UTC from IEEE Xplore. Restrictions apply.
W. W. Smari
Electrical and Computer Engineering Department
University of Dayton
Dayton, Ohio 45469 USA
In current Java virtual machines, different security tools
are provided [1-3]. This paper will use the Java
Authentication and Authorization Service (JAAS) module.
Even though this module provides numerous facilities to
control the executed code, this work will show that the use of
JAAS is difficult in real collaborative systems.
This paper is organized as follows. In the next
subsections, we discuss key ideas necessary for the solution
design as well as objectives of this work. Section 2 outlines
the design and implementation of the RBAC based solution.
Section 3 presents the details of how to adapt the solution for
collaborative environments and applications. A case study
that demonstrates how the implementation will work and
what happens in case of permission violation attempts is
described in Section 4. Before concluding the paper in
Section 6, we address another important aspect of code
security: how to dynamically enforce security policies to
limit unnecessary permissions and thus increase application
security.
A. RBAC Access Management
The Role Based Access Control (RBAC) model [4] is
widely used to enforce security between users and objects of
a system. On operating systems, the most well-known
implementations are RSBAC [5], grsecurity [6] and SELinux
[7]. With an RBAC policy, the administrator has to define
roles that have certain permissions on types. These types are
labels that are applied on all objects of the system. The main
drawbacks of the current implementations in modern
operating systems are:
• The administrator has to know precisely how the
software works and what permissions are needed on
system's objects.
• A user cannot change the policy he wishes to apply
to a particular software he wants to use, as the
administrator has already defined the role and the
permissions associated to this role.
These drawbacks and the difficulty to configure
mandatory access control mechanisms are prohibitive for a
user who wants to test untrusted software. A lightweight
solution could consist of using JAAS in order to restrict
permissions at the level of the virtual machine.
224
B. Maintaining the Integrity of the Specifications
When using a java application, a system policy can be
employed to control the virtual machine that executes the
program. However, the user likely has no sufficient
privileges and knowledge to adapt his computer’s system
policy in order to restrict the permissions of the role he uses
to execute the application. This justifies the use of JAAS,
which is the core security component that enables the user to
add permission rules applied by the virtual machine.
The JAAS rules do not use the concept of roles and
types. Rather, permissions are directly assigned to a user
identity on an object of the system. For example, a read
permission on config.txt is made using the following rule:
grant Principal test.JAAS.ExamplePrincipal “user”
{permission java.io.FilePermission "config.txt", "read";}
The consequences are the following:
• The user gains control of the software that he runs.
He can precisely define permissions dealing with
objects the software may target.
• The user must know in advance what is needed by
the software he wishes to run. For example, what
objects are read or written? What socket will be
created on what URI? Is the software allowed to
overwrite the methods used for objects
serialization?
This is really a difficult task for the user that justifies the
need for an automatic generation of the final JAAS policy
with more understandable high level concepts.
To avoid asking the end-user to define the policy, we
propose to delegate to the software developer the ability to
specify the policy rules using special tags in the comments of
the application’s source code. This implies that the end-user
should trust the developer about the correctness of these
rules, since they will generate the final policy that will
control the application. The end-user will still have the
possibility to check and modify the final policy, which is
extracted from the source code, but the goal is to simplify
this task to the end-user and to make the notion of roles
available to him.
If the software is used by multiple users, an administrator
could be in charge of the application’s policy management
for each user [8]. With JAAS current implementation, the
administrator has to define one policy file for each user. This
approach duplicates the rules and requires more work to
maintain those files. Using the notion of roles, already
introduced for java collaborative application in [9, 10], this
paper proposes to aggregate the permissions and to assign a
set of roles to each user. Then, at execution time, the user
will be able to choose his preferred role.
C. Objectives of the Study
The preceding sections lead us to propose the integration
of RBAC in all Java applications and to identify a
conceptual methodology in order to integrate its RBAC
policy. This conceptual methodology must:
225
Authorized licensed use limited to: Amrita School Of Engineering - Kollam. Downloaded on May 16,2025 at 11:31:51 UTC from IEEE Xplore. Restrictions apply.
• give the software developer the ability to define
roles and types and also permissions between the
two.
• provide the end-user the ability to choose a role in
order to obtain the security level he wants the
software to be run at.
The proposed solution will bring an access control API
that automatically:
• deploys the policy into the java application.
• eases the role switching when accessing the
application.
• restricts the given permissions of a given tagged
part of the code using role transitions.
II. RBAC INTEGRATION IN JAVA
A. Developer Facilities
Our goal is to enable the developer to create several sets
of permissions for different roles within his application.
These permissions will then be linked to a role as defined in
the RBAC model. The end-user that downloads this
application will be able to use it with a fine grained set of
restrictions and will not have to choose between executing
the application in admin mode that could endanger his
computer or no execution at all. The developer will have
given him the opportunity to use the Java Security Manager
with a custom policy file in order to safely execute the
application.
In the case of collaborative applications, it would then
fall on to an administrator to manage which role will be
assigned to a user.
B. Tagging Grammar and Syntax
Some information is required to create the policy file.
Only the developer or programmer is able to know what
security level his application might require. Thus, the best
way to accomplish this task is to include within the code
itself the information needed to generate the policy of the
whole software. The location of the information is easy to
incorporate as a Javadoc comment incorporating tags: it is
left at the developer's discretion and is close to the
commented code.
The syntax of the tag should be as clear and simple as
possible meaning that the syntax should be security-oriented
but user-friendly so as to be as easily added by the
developer. Moreover the tag will have to be extracted and
processed which require that the used grammar should be as
generic as possible.
We have therefore chosen to translate the SELinux syntax
into a Java annotation syntax taking into account all the
elements needed to write permissions into a security policy
file.
• The type of permission
• Its name
• Its actions
 From a grammatical point of view, the SELinux syntax
defines that a subject process is allowed to interact with the
permissions precised in <IT> with some objects of the
system:
allow <subject> <IT> <object>
The selected Java annotation syntax for the incorporated
tag is somehow different. We have based ourselves on the
SELinux grammar which is rather natural and user-friendly
but added the type, name and actions of a permission in
order to match the Java security grammar. The syntax of a
security rule is the following:
/**
* @allowIT role {permissions} “objects” */
The following example shows cases of permission tags
where all or only some of the parameters are needed.
/**
* @allowIT Root {all}
* @allowIT User{awt} "accessClipboard"
* @allowIT User{file:(read);file:(write)} "config.txt" */
In this example the root user have all types of possible
permissions. The user role has access to the clipboard object
with awt operations and has also read and write permissions
on the config.txt file.
C. JAAS Policy Generation
Once the permission information has been incorporated
in the application’s code by the developer, it has to be
extracted gathered and processed in order to generate the
policy file. To do so we have chosen to create a parser that
would:
• Locate all customized JavaDoc tags in a Java
source code file.
• Fill a database that will have to be processed.
• Write the policy.
Since the application is likely to consist of several classes
and therefore several Java source code files, the parser will
have to take it into account.
Figure 1 shows the process of extracting tags from a
project and parsing them into a new policy file after a
Figure 1. Parser and File Loader Architecture
226
Authorized licensed use limited to: Amrita School Of Engineering - Kollam. Downloaded on May 16,2025 at 11:31:51 UTC from IEEE Xplore. Restrictions apply.
Figure 2. JAAS Login Module
processing step involving a database. For example, for the
following tags found on functions:
/**
* @allowIT Root {file:(read);file:(write)} "config.txt" */
public void convertConfiguration()
...
/*
* @allowIT Root {file:(read);} "password.txt" */
public void authenticate(String password)
...
The parser will populate the database and produce the
following policy file:
grant Principal test.JAAS.ExamplePrincipal "Root" {
permission java.io.FilePermission "config.txt", "read";
permission java.io.FilePermission "config.txt", "write";
permission java.io.FilePermission "password.txt", "read";};
D. RBAC Integration API
1) Login System : From the perspective that several
users will be using the same application, for example in
collaborative applications, we might want to authenticate
the users and give them a role defined by the developer.
In the implementation, we have considered that a Login
Module would be appropriate. Figure 2 shows the JAAS
Login Module architecture and mechanism. The module
will use JAAS in order to load the right policy in the virtual
machine. When used, the login module will propose to the
user to be assigned to a role. This role will protect his
computer’s resources from the code itself since the access
has been restricted compared to the admin mode.
2) Role Management: The entities that will deal with
role permissions are not only the developer and the users. It
is needed to introduce a supervisor or administrator that will
write a user/role file where the relation between the two will
be expressed.
This administrator can be a user or the developer itself as
long as it does not compromise the security integrity of the
whole architecture. Figure 3 sum-up the generation process
of the user/role file and Figure 4 shows how multiple users
will obtain a role using the JAAS login module in order to
access to the application.

Figure 3. Java Collaborative Application with RBAC Implementation
Figure 4. User File Editor
After having explained how the main modules of our
solution work, the next section shows how to integrate the
solution into a large scale application with the example of a
collaborative Java application. Moreover, the section
presents how RBAC implementation can be used for these
kinds of applications.
III. COLLABORATIVE APPLICATIONS
For Java collaborative applications, dealing with several
users may be a problem. Since there is no way to dispatch
rights between them or to restrict them from using the
application, there is a real security issue. From the
administrative point of view, the solution helps in several
ways:
• It eases the security policy generation;
• It allows sandboxing the application;
• It adds an authentication security level before using
the application;
• Its simplifies the writing of policies for developers.
A. Sandboxing
The parser which is a module from the solution can also
be used from the user end. Provided that the code has been
tagged by the developer, the user will be able to run the
code through the parser which will give him a security
227
Authorized licensed use limited to: Amrita School Of Engineering - Kollam. Downloaded on May 16,2025 at 11:31:51 UTC from IEEE Xplore. Restrictions apply.
policy for the JSM; he will then be able to use the Java
SandBox mechanism in order to execute the code with the
minimal but needed permissions. Figure 5 represents the
sandboxing with a rectangle that contains and isolates the
application.
B. User Authentication
With the proposed solution, the developer will be able to
write a security policy enforced by the JSM that will enable
access restriction for the users. Using the JAAS Login
Module, the user will be authenticated and will obtain one
of the roles before executing the code controlled by JSM.
Figure 5 shows the access of three users to the application
that have to choose a role before being able to execute the
code.
C. Developer Policy Definition
The most noticeable contribution to Java collaborative
applications remains that developers can add security to
their application independently one from the other.
Supposing that two modules of a same application are
developed and tagged separately by two different
developers, the parser can generate a policy file for the
whole application from the source code files of the two
modules. The only restriction is that the developers have to
be coordinated on the name of the roles they use. A solution
could be to impose the developer to use a preset of roles;
nevertheless, he is allowed to create new roles that can be
used by the administrator in order to give special restricted
access.
This coordination could be ensured by the administrator.
The administrator will also be in charge of assigning a
subset of roles for each user of the application. The figure 5
sum-up the administrative aspects of the proposed solution.
In this section, we have presented how can be used the
proposed solution in the case of a collaborative application.
In the next section, a case study will be detailed with the
generated policies and their effect on a standard execution.
Figure 5. Security Solution for Java Collaborative Applications
 IV. A CASE STUDY
This section focuses on a simple example with two roles
used in an application. We shows how works the Login
module in the console and what happens if the user tries to
overcome the permissions of the role.
A. Login Module
Figure 6. Java Test Application Case Study
Figure 6 shows the three steps of a test case application:
the policy file generated with the parser from the tags in the
source code file of the application is loaded into the JSM.
The user then logs in with his username and password and
chooses a role. Users are managed using the User File
Editor. The application then runs with the permissions
associated with the role.
B. Several Users/Roles
The console output of the application will show what
happens when the following permissions are loaded into the
JSM. These permissions come from a specific policy file
that was generated using the parser from our solution.
grant Principal test.JAAS.ExamplePrincipal "Root" {
permission java.io.FilePermission "config.txt", "read";
permission java.io.FilePermission "config.txt", "write";
};
grant Principal test.JAAS.ExamplePrincipal "User" {
permission java.io.FilePermission "config.txt", "read";
};
We obtained the two following cases logging with two
users and choosing different roles. The policy file indicates
that the role rsoot has the right to read and write into the
config.txt text file whereas User only has the right to read it
but not write into it.
The next listing shows the case of a user that logs with
the Root role and is able to read and write into the file
config.txt.
Password linked to the username in the userfile:
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
Hash of the inputed password :
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
228
Authorized licensed use limited to: Amrita School Of Engineering - Kollam. Downloaded on May 16,2025 at 11:31:51 UTC from IEEE Xplore. Restrictions apply.
Authentication succeeded!!
Please pick a role:
---- >Root
Role pick succeeded.
Actions done once authenticated..........
The file exists in the current working directory
the file has been read!
The file config.txt was created (write test)!
The next listing shows the case of a user that logs with
the User role. The JSM throws a security exception and the
application is not able to write into the text file.
Password linked to the username in the userfile:
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
Hash of the inputed password :
a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
Authentication succeeded!!
Please pick a role :
---- >User
Role pick succeeded.
Actions done once authenticated..........
The file exists in the current working directory
the file has been read!
java.security.AccessControlException: access denied
(java.io.FilePermission config.txt write)
V. DYNAMIC ENFORCEMENT OF POLICIES
The described methodology allows to generate the whole
policy file corresponding to the tags that the developer adds
to the code. Recall the following example:
/**
* @allowIT Root {file:(read);file:(write)} "config.txt" */
public void convertConfiguration()
...
/*
* @allowIT Root {file:(read);} "password.txt" */
public void authenticate(String password)
...
The produced policy file will gives the read and write
access on config.txt and a read access on password.txt.
When enforced in JAAS, any code in the software will be
able to write config.txt. This is because the login module of
the proposed solution loads the policy file associated to the
root role when the user choose this role. This way, the
method authenticate() will obtain the permission to read
password.txt but will also have the permission to write the
file config.txt, which is useless for this method. This
example shows that, when executing a method, there is
more permissions than needed to execute it.
The proposed solution is the following: when a method
is executed, a special policy has to be loaded in the JAAS
module. This policy corresponds exactly to the policy
tagged by the developer. If the methods
convertConfiguration() calls the method authenticate(),
when authenticate() is executed, the code have to unload the
current policy of JAAS (the policy for
convertConfiguration()), then load the policy for
authenticate() giving only the permission of reading
password.txt. Then, when authenticate() finishes and returns
to convertConfiguration(), the policy corresponding to this
function have to be reloaded.
In order to achieve this mechanism, the code of the
application has to be patched at each entry and exit point of
the functions that have special policy tags. Each role can be
declined into subroles that have only a subset of permission.
In this example, the root role is derivated in:
• root_convertConfiguration, that has read and write
permissions on config.txt.
• root_authenticate that has only read permission on
password.txt.
The introduced patch just automatically change of role
from root to root_convertConfig when entering the
convertConfig() method. This process is really similar to
dynamic and automatic transition in SELinux. It can be
achieved as shown in the following listing:
/**
* @allowIT Root {file:(read);file:(write)} "config.txt" */
public void convertConfiguration() {
RBAC.loadPolicy("root_convertConfiguration");
RBAC.unloadPolicy("root_convertConfiguration");
} Edition, Prentice Hall, O’Reilly & Associates, Inc., Sebastopol,
/*
* @allowIT Root {file:(read);} "password.txt" */
public void authenticate(String password) {
RBAC.loadPolicy("root_authenticate");
RBAC.unloadPolicy("oot_authenticate");
} 'Generalized Framework For Access Control' Approach In Linux.
This approach increases drastically the security of the
code: if a bug or an attack succeeds in interfering with that
application during the execution of the authenticate()
method, the perturbation is unable to access the config.txt. It
guarantees that each method has no more than the necessary
permissions.
VI. CONCLUSION
This paper discussed the possibility of increasing the
security of Java based collaborative applications using role
based policies. More specifically, it presented the
introduction of RBAC model as a security solution in any
collaborative Java application. The implementation allows a
229
Authorized licensed use limited to: Amrita School Of Engineering - Kollam. Downloaded on May 16,2025 at 11:31:51 UTC from IEEE Xplore. Restrictions apply.
user to choose a role in order to obtain the required level of
trust required so that he is able to insert the security policy
in the application. The policy is automatically generated
from the user perspective and a methodology that allows for
the dynamic enforcement of the policy for each method of
the code was also presented. A case study and examples
show that this approach does provide a more robust security
measure for Java based collaborative applications.
The next challenges for this work are several. First, how
to make it possible for the user to analyze the policy
implemented by the developer. For example, a “malicious”
developer could propose a permission that is not really
needed by the code, hence weakening the security.
Moreover, a standard policy elaborated by the user could be
compared to the policy written by the developer. The
comparison could help the user to decide whether the
developer's policy is similar or totally different. This could
provide vital indication to the user about the level of trust he
can associate to the policy's developer.
REFERENCES
[1] S. Oaks, “Java Security”, 2nd Edition, O’Reilly & Associates, Inc.,
Sebastopol, California, USA, 1998.
[2] Sun Microsystems, Inc., “Java security overview”, White Paper, April
2005, Santa Clara, California, USA.
[3] L. Gong, G. Ellison, and M. Dageforde, “Inside Java™ 2 Platform
Security: Architecture, API Design, and Implementation”, 2nd
California, USA, 2005.
[4] R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman, “Role-
based Access Control Models. IEEE Computer”, 29(2) : 3847, 1996.
[5] A. Ott, “Rule Set Based Access Control as Proposed in the
Master Thesis, Universität Hamburg, 1997.
[6] B. Spengler, “Detection, Prevention, and Containment : A study of
Grsecurity”, in Libre Software Meeting 2002 (LSM2002), Bordeaux,
France, 2002.
[7] R. Spencer, S. Smalley, P. Loscocco, M. Hibler, D. Andersen and J.
Lepreau, “The Flask Security Architecture : System Support for
Diverse Security Policies”. Proceedings of The Eighth USENIX
Security Symposium, Washington, D.C., USA, 1999, pp. 123-129.
[8] M-Tech Identity Management, “Beyond Roles: A Practical Approach
to Enterprise User Provisioning”, White Paper, 2006.
[9] H. Shen and P. Dewan, “Access control for collaborative
environments”, In Proceedings of the ACM Conference on
Computer-Supported Cooperative Work, Toronto, Ontario, Canada,
1992.
[10] W.K. Edwards, “Policies and roles in collaborative applications”, in
Proceedings of the 1996 ACM Conference on Computer Supported
Cooperative Work, Boston, Massachusetts, United States, 1996.