Abstract

Web applications are widely used in everyday life. They have permeated the financial and banking sectors, e-business and online shopping. Different users usually have different permissions in these applications, and role-based access control (RBAC) mechanisms have been widely integrated into web applications. The security and correctness of web applications are the most fundamental and crucial aspects of the success of businesses and organizations. In existing research on RBAC modeling, a user's roles and permissions are fixed and static; that work does not consider that roles and permissions change as the system runs and evolves. To the best of our knowledge, little research has been done on role-based access control modeling and testing for web applications. In this paper, taking the dynamic nature of roles and permissions into account, we propose an approach to modeling and testing web applications with role-based access control. We present an algorithm to capture and compute the dynamics of roles and permissions at run time. A finite state machine (FSM) is used to model the behavior of web applications, and an augmented FSM (AFSM) is then applied as a tool to model role-based access control. Finally, using the construction algorithm, tests that satisfy the corresponding test coverage criteria are generated automatically.
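The idea in the abstract, as an added sketch rather than the paper's own AFSM definition or construction algorithm: transitions of a page-flow FSM are annotated with the permission they require, and one test per role and transition is generated with an expected allow or deny verdict. The page names, permissions, role table and the all-transitions coverage criterion are assumptions made for illustration.

```python
from collections import deque

# Constructed sample model (assumption): states are pages, and each
# transition (source, event, target, permission) names the permission it needs.
TRANSITIONS = [
    ("login", "open_dashboard", "dashboard", "view"),
    ("dashboard", "open_orders", "orders", "view"),
    ("orders", "refund_order", "refund", "refund"),
    ("dashboard", "open_admin", "admin", "manage_users"),
]
# Role-to-permission table; passed as an argument because it changes at run time.
ROLE_PERMS = {
    "customer": {"view"},
    "clerk": {"view", "refund"},
    "admin": {"view", "refund", "manage_users"},
}

def allowed(role, perm, role_perms):
    return perm in role_perms.get(role, set())

def path_to(state, role, role_perms, start="login"):
    """Shortest event sequence the role may legally take to reach `state`."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        cur, path = queue.popleft()
        if cur == state:
            return path
        for src, event, dst, perm in TRANSITIONS:
            if src == cur and dst not in seen and allowed(role, perm, role_perms):
                seen.add(dst)
                queue.append((dst, path + [event]))
    return None  # the role cannot reach this state through permitted steps

def generate_tests(role_perms):
    """All-transitions coverage per role: (role, event sequence, verdict)."""
    tests = []
    for role in sorted(role_perms):
        for src, event, dst, perm in TRANSITIONS:
            prefix = path_to(src, role, role_perms)
            if prefix is None:
                continue  # source state unreachable, nothing to exercise
            verdict = "allow" if allowed(role, perm, role_perms) else "deny"
            tests.append((role, prefix + [event], verdict))
    return tests
```

Regenerating the suite after the role table changes turns a previously allowed step into a deny test, which is the case a static RBAC model misses.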
