1 / 25

Injecting RBAC to Secure a Web-based Workflow System

Injecting RBAC to Secure a Web-based Workflow System. Gail-Joon Ahn and Ravi Sandhu George Mason University Myong Kang and Joon Park Naval Research Laboratory. WORKFLOW MANAGEMENT SYSTEMS. Control and coordinate processes that may be processed by different processing entities

ron
Download Presentation

Injecting RBAC to Secure a Web-based Workflow System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Injecting RBAC to Secure a Web-based Workflow System Gail-Joon Ahn and Ravi Sandhu George Mason University Myong Kang and Joon Park Naval Research Laboratory

  2. WORKFLOW MANAGEMENT SYSTEMS • Control and coordinate processes that may be processed by different processing entities • Received much attention • Marriage with Web technology • Minimal security services

  3. RELATED WORKS • D. Hollingsworth, 1995 • Peter J. Denning, 1996 • Johann Eder et el., 1997 (Panta Rhei) • J. Miller et al., 1998 (METEOR) • Myong H. Kang et al., 1999 • Wei-Kuang Huang and Vijay Atluri, 1999

  4. OBJECTIVE • Inject role-based access control (RBAC) into an existing web-based workflow system

  5. WHY RBAC? • A mechanism which allows and promotes an organization-specific access control policy based on roles • Has become widely accepted as the proven technology

  6. SIMPLIFIED RBAC MODEL RH PA UA ROLES PERMISSIONS USERS

  7. ROLE-BASED SECURE WORKFLOW SYSTEM • Workflow Design Tool • Workflow (WF) System • Role Server

  8. Role Server user-role assignment role-hierarchy user-role DB Certificate server client client HTTP role-hierarchy T2-1 T1 T3 CORBA IIOP role-task assignment T2-2 NRL design tool BASIC COMPONENTS WF system

  9. ARCHITECTURES • USER-PULL STYLE • SERVER-PULL STYLE

  10. USER-PULL STYLE Authentication information User-role assignment user-role DB role-hierarchy client Certificate server Authorization information Role Server Role-hierarchy role-hierarchy T2-1 T1 T3 role-task assignment Workflow enforcement information T2-2 WF design tool WF system

  11. SERVER-PULL STYLE User-role assignment role-hierarchy user-role DB client Certificate server Role Server Authentication information Role-hierarchy Authorization information role-hierarchy T2-1 T1 T3 Workflow enforcement information role-task assignment T2-2 WF design tool WF system

  12. NRL (Naval Research Lab.)DESIGN TOOL • design workflow model • create role and role hierarchies • assign role to task • exporting role hierarchies to role server

  13. NRL DESIGN TOOL (Cont’d) <?xml version="1.0"?> <!--URA Revision: 1 Mon Dec 07 15:59:28 EDT 1999--> <!DOCTYPE Organization SYSTEM "../dtd/Organization.dtd"> <Organization id="Organization_URA"> <Name>URA</Name> <Description></Description> <Role id="director"> <Name>director</Name> <Description></Description> <Privileges></Privileges> <LowRoleList> <RoleReference> <Link idref = "pl1"/> </RoleReference> <RoleReference> <Link idref = "pl2"/> </RoleReference> </LowRoleList> <HighRoleList> </HighRoleList> </Role> <RoleReference> Organization Editor Platform: Windows NT, JDK1.2

  14. WORKFLOW SYSTEM • each task server is web server • user should present client authentication certificate • user’s privilege is authorized by content of certificate (specially client’s role information)

  15. ROLE AUTHORIZATIONON WORKFLOW SYSTEM 1. access the resource Task Server (Web Server) 4. display resource 2.1 get client certificate 2.2 retrieve role information 2.3 check authorization status 3. read resource resources client

  16. ROLE SERVER • User Role Assignment • Certificate Server

  17. USER ROLE ASSIGNMENT • maintain role hierarchies and user database • assign users to roles • generate user-role database

  18. USER ROLE ASSIGNMENT (Cont’d) Converted Role Hierarchy File User-Role DB Alice : director Bob : engineer Chris : pro-leader

  19. CERTIFICATE SERVER • authenticate client • retrieve client’s role information from user-role database • issue certificate with client’s role information

  20. X.509 CERTIFICATE Public Key Serial number : seu89084jdys Validity : 01011999 -01012000 Subject/Name/Organization Common Name = Gail J. Ahn Organization Unit = staff .. Public key: 1e354276ssfatew76585098327 djkfh9974-72ks78610092wef3 --------------------------------------- Singed By : List, GMU kljsuytoj09874875919jdj284jds 4djso475-28ejd7-18re0875757 Private Key Role Information Certificate Authority

  21. CERTIFICATE ISSUE

  22. server certificate client certificate Role authorization Task Server client SSL connection CERTIFICATEAUTHORIZATION OVER SSL

  23. REVERSE PROXYING(MINIMAL CHANGES IN SERVER SIDE) Task Server Proxy Server client SSL connection Send modified request Request resource Send resource Forward resource task.html http://a.com/task.html task.html http://b.com/task.html

  24. IP checking Step 6 FINAL SCENARIO Certificate Server Step 1 Step 4 Step 2 Step 3 client Role Server SSL Step 5 Task Server Proxy Server

  25. CONCLUSION • Model-driven experimental research • Develop and motivate the model first • Then implement on COTS platforms • OM-AM Approach • Objective • Model • Architecture • Mechanism • Funded by Naval Research Lab

More Related