Model Driven Secure Web Applications

Model driven security (MDS) is a well known approach in the access control domain. It proposes a security-by-design approach intended to link the encoded policy to the security policy modeling. However, this technique does not tie in the specificity and heterogeneity of web applications and hence the proposed model-to-code transformation doesn't fit the needs of web architects. Consequently, web applications are mainly hand-coded, or correspond to legacy code developed before the implementation of security mechanisms. Security concerns are mixed with the application code and hence it is difficult to understand the policy in order to maintain, correct, or evolve it. This work deals with access control mechanisms following the RBAC pattern. Our work proposes a toolset dedicated to modeling and deployment of an acces control engine for a web application assuming that the functional part of the application is developed following a classical process. Our technique tries to reconcile modeling, validation and implementation of role-based security policies, and favours model driven security in the context of web applications. The toolset allows developers to graphically model an MVC web application by making links to its requirements and then generates a security filter from the web application's model. This technique guaranties that the deployed access control policy is conformant to its specification and associated validation activities.