Abstract

Role-based access control (RBAC) is a promising technology for managing and enforcing security in large-scale, enterprise-wide systems. We were motivated by the need to manage and enforce the strong access control technology of RBAC in large-scale Web environments. The majority of traditional access control models were passive data-protection models, which were not suitable for large and complex multi-user interactive applications. In this paper, we develop a general model to actively control users' behaviors based on their roles. In the model, users' behavior specifications are built on their roles. Role-playing is introduced to denote an activated role in a particular context. Role-playing is modeled as an active class, and its object interacts with the user and actively controls the user's behaviors. Cookies can be used to support RBAC on the Web by holding users' role information. However, it is insecure to store and transmit sensitive information in cookies: they are stored and transmitted in clear text, which is readable and easily forged. In this paper, we describe an implementation of role-based access control on the Web using secure cookies.
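The forgery problem the abstract raises can be seen in a short added example, which is not code from the paper: the server appends an HMAC-SHA256 tag to the role claims and rejects any cookie whose tag does not match. The HMAC construction, the cookie layout, the function names and `SERVER_KEY` are assumptions made for illustration; the abstract does not say how the paper builds its secure cookies.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: a server-side secret that never leaves the server (constructed value).
SERVER_KEY = b"constructed-demo-key"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_role_cookie(user, roles, ttl=900, now=None, key=SERVER_KEY):
    """Serialize the role claims and append an HMAC-SHA256 tag over them."""
    now = int(time.time()) if now is None else now
    claims = {"user": user, "roles": sorted(roles), "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def verify_role_cookie(cookie, now=None, key=SERVER_KEY):
    """Return the claims if the tag is valid and the cookie unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong field count or malformed base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)  # parsed only after the tag checks out
    return claims if claims["exp"] > now else None

if __name__ == "__main__":
    cookie = issue_role_cookie("alice", ["clerk"])
    print(verify_role_cookie(cookie))
    # Constructed tampering: role list edited client-side, original tag kept.
    edited = b64e(b'{"user":"alice","roles":["admin"],"exp":9999999999}')
    print(verify_role_cookie(edited + "." + cookie.split(".")[1]))
```

The tag addresses forgery only; the claims remain readable, so the clear-text exposure the abstract mentions still calls for encrypting the payload and sending the cookie over TLS.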
