Reference : Refactoring Access Control Policies for Performance Improvement
Scientific congresses, symposiums and conference proceedings : Paper published in a journal
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/26433
Refactoring Access Control Policies for Performance Improvement
English
Elkateb, Donia [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) > ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Mouelhi, Tejeddine mailto [North Carolina State University, USA]
Le Traon, Yves mailto [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
Hwang, Jeehyun [> >]
Xie, Tao [> >]
2012
Proceedings of the 3rd ACM/SPEC International Conference on Performance Engineering (ICPE 2012)
100-110
Yes
International
the 3rd ACM/SPEC International Conference on Performance Engineering (ICPE 2012)
21-25 April 2012
Boston
MA
[en] Access control ; EXtensible access control markup language ; Performance ; Policy decision point ; Policy enforcement point ; Refactoring
[en] In order to facilitate managing authorization, access control architectures are designed to separate the business logic from an access control policy. To determine whether a user can access which resources, a request is formulated from a component, called a Policy Enforcement Point (PEP) located in application code. Given a request, a Policy Decision Point (PDP) evaluates the request against an access control policy and returns its access decision (i.e., permit or deny) to the PEP. With the growth of sensitive information for protection in an application, an access control policy consists of a larger number of rules, which often cause a performance bottleneck. To address this issue, we propose to refactor access control policies for performance improvement by splitting a policy (handled by a single PDP) into its corresponding multiple policies with a smaller number of rules (handled by multiple PDPs). We define seven attribute-set-based splitting criteria to facilitate splitting a policy. We have conducted an evaluation on three subjects of reallife Java systems, each of which interacts with access control policies. Our evaluation results show that (1) our approach preserves the initial architectural model in terms of interaction between the business logic and its corresponding rules in a policy, and (2) our approach enables to substantially reduce request evaluation time for most splitting criteria. Copyright 2012 ACM.
http://hdl.handle.net/10993/26433

File(s) associated to this reference

Fulltext file(s):

FileCommentaryVersionSizeAccess
Open access
Refactoring Access Control Policies.pdfPublisher postprint940.32 kBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.