PEP4Django - A Policy Enforcement Point for Python Web Applications
Traditionally, access control mechanisms have been hard-coded into application components. Such an approach is error-prone, mixing business logic with access control concerns and reducing the flexibility of security policies, as is the case with the IFRN SUAP Django-based system. The externalization of access control rules allows their decoupling from business logic, through the use of authorization servers where access control policies are stored and queried to compute access decisions. In this context, this paper presents an approach that allows a Django Web application to delegate access control decisions to an external authorization server. The approach has been integrated into an enterprise-level system, which has been used for experimentation. The results obtained indicate a negligible overhead, while allowing the modification of access control policies without interrupting the system.
Supporting the Self-adaptation of Authorization Infrastructures
Insiders pose a great threat to organizations due to their capacity to exploit privileged access for inappropriate gain. Traditional access control solutions are not able to deal with insiders, and some solutions apply concepts of self-adaptation to handle such problems. Existing work has focused on detecting insiders or on how to respond to a detected insider. However, in order to allow the dynamic adaptation of access control policies, it is necessary to clearly specify what modification actions can be applied to a policy. Such actions can then be used for the definition of adaptation plans. Thus, this paper describes a generic Application Programming Interface (API) for manipulating access control policies based on Attribute-Based Access Control (ABAC). Our API follows a functional specification of ABAC and aims to abstract away implementation details of access control engines, providing an effector that can be integrated into a self-adaptation approach.