Master's Thesis

Access Control in Rich Domain Model Web Applications

João de Albuquerque Penha 2010

Key information

Authors:

João de Albuquerque Penha (João de Albuquerque Penha Pereira)

Supervisors:

Carlos Nuno da Cruz Ribeiro; João Manuel Pinheiro Cachopo

Published in

11/10/2010

Abstract

Information systems are becoming more and more ubiquitous in people's daily lives. However, their development process remains rather ad hoc. To improve this process, several approaches are being explored, such as Domain-Driven Design (DDD). DDD concentrates on the domain of a system and strongly advocates that complex domains should be based on a model describing all their relevant entities and the relationships between them. DDD tries to leverage all the advantages of the object-oriented paradigm, leading to a domain model whose entities contain both data and behavior. We call such a model a Rich Domain Model (RDM). RDM web applications present a serious challenge in the security and access control area. Policy Specification Languages are Domain Specific Languages designed specifically to define and express a policy of a system. The Domain Model Authorization Policy Language (DMAPL) is a Policy Specification Language which aims specifically at the expression and management of access control policies in RDM web applications. It is part of a wider framework, the DMAPL framework, which also contains a model and a runtime engine. In this dissertation, I completed the development of the DMAPL framework and integrated it with the Fénix Framework, creating an access control plugin. This allowed me to implement and test the DMAPL framework in a real RDM web application, the FeaRS (Feature Request System). Moreover, I introduced a new type of access control rule to enable the DMAPL framework to express access control at the domain level.

Publication details

Fields of Science and Technology (FOS)

Electrical engineering, electronic engineering, information engineering

Publication language (ISO code)

eng - English

Rights type:

Embargo lifted

Date available:

09/03/2011

Institution name

Instituto Superior Técnico