{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,24]],"date-time":"2025-10-24T16:28:29Z","timestamp":1761323309390,"version":"3.41.0"},"reference-count":28,"publisher":"Association for Computing Machinery (ACM)","issue":"5","license":[{"start":{"date-parts":[[2004,9,1]],"date-time":"2004-09-01T00:00:00Z","timestamp":1093996800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGSOFT Softw. Eng. Notes"],"published-print":{"date-parts":[[2004,9]]},"abstract":"<jats:p>This work describes a new technique for analysis of Java 2, Enterprise Edition (J2EE) applications. In such applications, Enterprise Java Beans (EJBs) are commonly used to encapsulate the core computations performed on Web servers. Access to EJBs is protected by application servers, according to role-based access control policies that may be created either at development or deployment time. These policies may prohibit some types of users from accessing specific EJB methods. We present a static technique for analyzing J2EE access control policies with respect to security-sensitive fields of EJBs and other server-side objects. Our technique uses points-to analysis to determine which object fields are accessed by which EJB methods, directly or indirectly. Based on this information, J2EE access control policies are analyzed to identify potential inconsistencies that may lead to security holes.<\/jats:p>","DOI":"10.1145\/1022494.1022530","type":"journal-article","created":{"date-parts":[[2004,10,7]],"date-time":"2004-10-07T17:39:09Z","timestamp":1097170749000},"page":"1-10","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":24,"title":["Static analysis of role-based access control in J2EE applications"],"prefix":"10.1145","volume":"29","author":[{"given":"Gleb","family":"Naumovich","sequence":"first","affiliation":[{"name":"Polytechnic University, Brooklyn, NY"}]},{"given":"Paolina","family":"Centonze","sequence":"additional","affiliation":[{"name":"Polytechnic University, Brooklyn, NY"}]}],"member":"320","published-online":{"date-parts":[[2004,9]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Feb.","author":"IIOP","year":"1998","unstructured":"CORBA\/ IIOP 2.2 specification. ftp:\/\/ftp.omg.org\/pub\/docs\/formal\/98-02-01.pdf , Feb. 1998 . CORBA\/IIOP 2.2 specification. ftp:\/\/ftp.omg.org\/pub\/docs\/formal\/98-02-01.pdf, Feb. 1998."},{"key":"e_1_2_1_2_1","first-page":"608","volume-title":"Informatik 2001","volume":"1","author":"Brucker A. D.","year":"2001","unstructured":"A. D. Brucker and B. Wolff . Testing distributed component based systems using UML\/OCL . In Informatik 2001 , volume 1 , pages 608 -- 614 , Nov. 2001 . A. D. Brucker and B. Wolff. Testing distributed component based systems using UML\/OCL. In Informatik 2001, volume 1, pages 608--614, Nov. 2001."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/949305.949339"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/505586.505590"},{"key":"e_1_2_1_5_1","first-page":"554","volume-title":"15th NIST-NCSC National Computer Security Conference","author":"Ferraiolo D.","year":"1992","unstructured":"D. Ferraiolo and R. Kuhn . Role-based access controls . In 15th NIST-NCSC National Computer Security Conference , pages 554 -- 563 , 1992 . D. Ferraiolo and R. Kuhn. Role-based access controls. In 15th NIST-NCSC National Computer Security Conference, pages 554--563, 1992."},{"key":"e_1_2_1_6_1","volume-title":"API Design, and Implementation","author":"Gong L.","year":"1999","unstructured":"L. Gong . Inside Java 2 Platform Security: Architecture , API Design, and Implementation . Addison-Wesley , June 1999 . L. Gong. Inside Java 2 Platform Security: Architecture, API Design, and Implementation. Addison-Wesley, June 1999."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.5555\/776816.776836"},{"key":"e_1_2_1_8_1","volume-title":"North-Holland","author":"Hecht M. S.","year":"1977","unstructured":"M. S. Hecht . Flow Analysis of Computer Programs . North-Holland , New York , 1977 . M. S. Hecht. Flow Analysis of Computer Programs. North-Holland, New York, 1977."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/379605.379665"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/505145.505149"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/337180.337616"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/582419.582452"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/352600.352613"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/948109.948122"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/268998.266669"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/566172.566178"},{"key":"e_1_2_1_17_1","unstructured":"Object Management Group. Object constraint language specification chapter 6 of omg unified modeling language specification (draft). http:\/\/www.omg.org\/uml Feb. 2001.  Object Management Group. Object constraint language specification chapter 6 of omg unified modeling language specification (draft). http:\/\/www.omg.org\/uml Feb. 2001."},{"key":"e_1_2_1_18_1","volume-title":"Enterprise Java Security: Building Secure J2EE Applications","author":"Pistoia M.","year":"2004","unstructured":"M. Pistoia , N. Nagaratnam , L. Koved , and A. Nadalin . Enterprise Java Security: Building Secure J2EE Applications . Addison-Wesley , Reading, MA , 2004 . M. Pistoia, N. Nagaratnam, L. Koved, and A. Nadalin. Enterprise Java Security: Building Secure J2EE Applications. Addison-Wesley, Reading, MA, 2004."},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.5555\/381473.381476"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/940071.940107"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/2.485845"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/507711.507714"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2003.1245302"},{"key":"e_1_2_1_24_1","unstructured":"Sun Microsystems. Enterprise javabeans specification v. 2.1. http:\/\/java.sun.com\/products\/ejb\/docs.html.  Sun Microsystems. Enterprise javabeans specification v. 2.1. http:\/\/java.sun.com\/products\/ejb\/docs.html."},{"key":"e_1_2_1_25_1","unstructured":"Sun Microsystems. Java security architecture. http:\/\/java.sun.com\/products\/jdk\/1.2\/docs\/guide\/security\/spec\/security-%specTOC.fm.html 1998.  Sun Microsystems. Java security architecture. http:\/\/java.sun.com\/products\/jdk\/1.2\/docs\/guide\/security\/spec\/security-%specTOC.fm.html 1998."},{"key":"e_1_2_1_26_1","unstructured":"Sun Microsystems. Java remote method invocation specification. http:\/\/java.sun.com\/j2se\/1.4.2\/docs\/guide\/rmi\/spec\/rmiTOC.html 2003.  Sun Microsystems. Java remote method invocation specification. http:\/\/java.sun.com\/j2se\/1.4.2\/docs\/guide\/rmi\/spec\/rmiTOC.html 2003."},{"key":"e_1_2_1_27_1","unstructured":"Sun Microsystems. Java 2 platform enterprise edition (j2ee). http:\/\/java.sun.com\/j2ee\/ 2004.  Sun Microsystems. Java 2 platform enterprise edition (j2ee). http:\/\/java.sun.com\/j2ee\/ 2004."},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/320384.320400"}],"container-title":["ACM SIGSOFT Software Engineering Notes"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1022494.1022530","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1022494.1022530","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T21:41:25Z","timestamp":1750282885000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1022494.1022530"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2004,9]]},"references-count":28,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2004,9]]}},"alternative-id":["10.1145\/1022494.1022530"],"URL":"https:\/\/doi.org\/10.1145\/1022494.1022530","relation":{},"ISSN":["0163-5948"],"issn-type":[{"type":"print","value":"0163-5948"}],"subject":[],"published":{"date-parts":[[2004,9]]},"assertion":[{"value":"2004-09-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}