Creating application security layer based on resource access decision service

Metin M. Ö., Şener C., Göğebakan Y.

1st International Conference on Security of Information and Networks, SIN 2007, Gazimagusa, Turkey, 7 - 10 May 2007, pp.248-257

  • Publication Type: Conference Paper / Full Text
  • City: Gazimagusa
  • Country: Turkey
  • Page Numbers: pp.248-257
  • Middle East Technical University Affiliated: Yes
Different solutions have been implemented for different security aspects (access control, application security) of enterprise web applications. However, combining "enterprise-level" and "application-level" security aspects in one layer could yield great benefits such as reusability, manageability, and scalability. In this paper, we propose adding a new layer to n-tier web application architectures, which uses Resource Access Decision (RAD) service implementations to enforce enterprise and application security policies. The proposed architecture enables applications not only to benefit from the enterprise-level security policies provided by RAD, but also to implement "application-level" security based on RAD services in order to eliminate web application attacks, including but not limited to those based on cross-site scripting, SQL injection, forceful browsing, cookie poisoning, invalid input and, most importantly, session stealing. © 2008 Atilla Elçi.