SecSES

This tool provides a flexible access control mechanism for APIs. Access control is an essential security mechanism here: it enforces authorization constraints on resources whenever their API functions are invoked. We have developed an extension of the Spring Security framework (the standard for securing services and apps built on the popular open-source Spring framework) for the specification and enforcement of Attribute-Based Access Control (ABAC) policies.

The widespread adoption of Application Programming Interfaces (APIs) by enterprises is changing the way business is done by enabling a multitude of apps customized to user needs. While APIs support a more flexible exploitation of available data, the services and applications developed on top of them are vulnerable to a variety of attacks, ranging from SQL injection to unauthorized access to sensitive data. Available security solutions must therefore be re-used and/or adapted to work with APIs.

We applied our tool in scenarios arising in a smart energy eco-system.

Funding: Activity SecSES - Secure Energy Systems, in the context of the EIT ICT Labs activities 2013 (Innovation Area: Smart Energy Systems).

Related Publications

  • Alessandro Armando, Roberto Carbone, Eyasu Getahun Chekole and Silvio Ranise.
    Attribute Based Access Control for APIs in Spring Security.
    In: 18th ACM Symposium on Access Control Models and Technologies (SACMAT 2014).

Related Project

  • SecSES (Secure Energy Systems)