Ideally, the enforcement of application-specific policies in an access control service should be untangled from the application logic. The access control services that are provided in state-of-the-art application servers typically fail to support such a separation. Aspect-Oriented Software Development techniques can be used to alleviate such shortcomings. This paper describes the design and implementation of a modular access control service that improves the separation between application logic and access control. The prototype has been implemented in CaesarJ.
OSGi service platform is the core platform of a gateway in the home network. One of the most important issues is security in the home network because the usage scope of the home network is related to a personal living space. However, the solutions related to the security are in their infancy, and if we apply the existing security techniques as they are, security management is not efficient because the properties of OSGi environments are dynamic and open. Nowadays XML is most flexible and undependable language in presenting the data and is being used in diverse fields. Following this trend, several services present their own data using XML in the OSGi service platform environment. To take advantage of this, it is possible to manage the security effectively and extensibly. Hence, in this paper, we suggest an efficient mechanism to solve security issues such as service bundle authentication and authorization using XML security, XML signature and XACML.
Organizations use Role-Based Access Control (RBAC) to protect information resources from unauthorized access. We propose an approach, based on the Unified Modeling Language (UML), that shows how RBAC policies can be systematically incorporated into an application design. We consider an RBAC model to be a pattern which we express using UML diagram templates; RBAC policies for an application conforming to this model can be generated by instantiating these templates with values obtained from the application. The constraints of the RBAC model are expressed using the Object Constraint Language (OCL). OCL constraints, based on first-order logic, are difficult to understand. To alleviate this problem, we show how violation of such constraints can be visually represented using object diagram templates. With adequate tool support, developers can use these to demonstrate constraint violations in their applications. Our approach is illustrated using a small banking application.
Since information is available in digital format, the protection of intellectual property and copyright fraud has become an important issue. This is, because the digital content can be copied without quality loss and with a reasonable effort of time, equipment and money. After copying, it can be distributed using the Internet, again with little effort of time and money. In such an environment, the loss of revenue for the music and film industry -- not only due to sites like Napster -- is becoming so tremendous, that mechanisms as described under the Digital Rights Management become important. In the geospatial domain, Spatial Data Infrastructures emerge that have the potential to provide high quality and up-to-date geographic information. This enables the endeavor of new market potentials and the creation of new business cases. However, the establishment of Digital Rights Management for geographic information is important in the first place. This paper introduces requirements for geospatial Digital Rights Management and illustrates the difference to known requirements for the music industry. The major contribution of this paper is the description of geospatial access control -- named GeoXACML -- as it can possibly be a solution to the authorization requirement for Digital Rights Management in the geospatial domain.
This work describes the declaration and enforcement of geospatial access restrictions for the infrastructure of heterogenous and distributed geospatial information objects, as they are accessible via the service-oriented geospatial data infrastructure (GDI). Assuming a valid XML markup of the objects and their geometry using the Geographic Markup Language (GML), which is an international standard of the Open GIS Consortium, Inc. (OGC), a solution is introduced that allows the declaration and enforcement of access restrictions, encoded in GeoXACML. GeoXACML is a geospatial extension to the OASIS standard eXtensible Access Control Markup Language (XACML). Due to the nature of the introduced restrictions, the declaration of access restrictions can result in different kinds of inconsistencies. This work describes a mechanism for the detection and classification of contrary permissions. This work also describes a prototype implementation and an illustrating demonstration.
Sensitive data are increasingly available on-line through the Web and other distributed protocols. This heightens the need to carefully control access to data. Control means not only preventing the leakage of data but also permitting access to necessary information. Indeed, the same datum is often treated differently depending on context. System designers create policies to express conditions on the access to data. To reduce source clutter and improve maintenance, developers increasingly use domain-specific, declarative languages to express these policies. In turn, administrators need to analyze policies relative to properties, and to understand the effect of policy changes even in the absence of properties. This paper presents Margrave, a software suite for analyzing role-based access-control policies. Margrave includes a verifier that analyzes policies written in the XACML language, translating them into a form of decision-diagram to answer queries. It also provides semantic differencing information between versions of policies. We have implemented these techniques and applied them to policies from a working software application.
The eXtensible Access Control Markup Language (XACML) was proposed by the OASIS committee to be used as a standard language in e-business [6]. However, policy files written in XACML are hard to read and analyse directly. In this paper, we present a tool which generates verified XACML scripts from access control system descriptions in simple but expressive language proposed in [3], which admits algorithmic verification of access control systems against appropriately formalised policies. This allows the generation of XACML scripts for systems that can be formally verified to be implementing the relevant policies.
Authorization systems today are increasingly complex. They span domains of administration, rely on many different authentication sources, and manage permissions that can be as complex as the system itself. Worse still, while there are many standards that define authentication mechanisms, the standards that address authorization are less well defined and tend to work only within homogeneous systems. This paper presents XACML, a standard access control language, as one component of a distributed and inter-operable authorization framework. Several emerging systems which incorporate XACML are discussed. These discussions illustrate how authorization can be deployed in distributed, decentralized systems. Finally, some new and future topics are presented to show where this work is heading and how it will help connect the general components of an authorization system.
The security of a major operating system is investigated, including recently announced security enhancements. Four areas of security which are generally applicable to operating system design are discussed. File system security flaws were discovered, permitting a total system penetration. These flaws are described and improvements are recommended.



