l17 - CS 290C: Formal Models for Web Software Lecture 17:...

CS 290C: Formal Models for Web Software
Lecture 17: WebAlloy: Website Modeling, Analysis and Synthesis with Alloy
Instructor: Tevfik Bultan

Access Control for Web Applications
- Access control in web applications is a crucial problem
- Web applications handle a wide variety of critical data
  - Ecommerce sites store customer account information and purchase history
  - Online applications for taxes, permits, visas
  - Google Health, Microsoft HealthVault allow patients to upload their medical data online and share it with doctors and hospitals

Access Control
- Access control in web applications is difficult
  - Access control mechanisms provided by file systems, databases or web servers are too coarse-grained
  - Manual coding of the access control mechanisms in scripting languages is error-prone
  - Web application frameworks do not provide many options for customized access control
- There have been high-profile information leaks:
  - Harvard Business School website was leaking admission status from a URL before the official notification
  - Website for payroll processing let 25K customers access each other's W2 forms
- Both of these leaks were due to improper enforcement of the access control policy

Observation
- In a typical web application, any operation has to be specified in multiple contexts:
  - The application logic implementing the action
  - The security layer enforcing the access control policy
  - The user interface that initiates the action
- The idea in WebAlloy is to specify the operations and related access control rules once as part of the data model and then automatically generate the implementation

Website Modeling with WebAlloy
- Recall that in Alloy signatures denote a set of objects (atoms)
- For example, a data model for an online grades management system can be specified with the following signatures:

    abstract sig User { }
    sig Teacher, Student extends User { }
    sig Course { }

- In addition to user-defined signatures, WebAlloy supports the following signatures: Int, Bool, String, Date, DateTime, Email, and Password

Fields
- Relationships among objects are specified as fields of signatures

    abstract sig User {
      name: String,
    }
    sig Teacher extends User {
      teaches: set Course
    }
    sig Student extends User {
      assists, attends: set Course
    }
    sig Course {
      name: String,
      teachers: set Teacher,
      assistants, students: set Student,
      grades: students -> lone Int
    }

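Added example (not from the lecture): a read policy for the grades field written in plain Alloy, with a policy that is too broad beside a tightened one, each paired with an assertion for the Alloy Analyzer to check against the kind of leak described on the Access Control slide. It does not use WebAlloy's own policy syntax, which this preview does not show; the predicates weakCanRead and canRead, the assertion names, the scope and the policy itself are assumptions made for illustration.

```alloy
-- Data model from the Fields slide; the name and assistant fields
-- are omitted because the policy below does not use them.
abstract sig User {}
sig Teacher extends User { teaches: set Course }
sig Student extends User { attends: set Course }
sig Course {
  teachers: set Teacher,
  students: set Student,
  grades: students -> lone Int
}

-- Assumed policy, too broad: anyone attached to the course may read
-- the grade of any student s in it.
pred weakCanRead[u: User, c: Course, s: Student] {
  u in c.teachers or u in c.students
}

-- Assumed policy, tightened: a teacher of the course, or the student
-- whose grade it is.
pred canRead[u: User, c: Course, s: Student] {
  u in c.teachers or u = s
}

-- Property to check: a student who can read a grade is its owner.
assert WeakPolicyNoPeerLeak {
  all u: Student, c: Course, s: c.students |
    weakCanRead[u, c, s] implies u = s
}

assert PolicyNoPeerLeak {
  all u: Student, c: Course, s: c.students |
    canRead[u, c, s] implies u = s
}

-- Scope 4 allows two students in the same course, which is the
-- smallest situation in which a peer read is possible at all.
check WeakPolicyNoPeerLeak for 4
check PolicyNoPeerLeak for 4
```
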
Alloy Metamodel
- Every Alloy model corresponds to an instance of the Alloy metamodel
  - each signature s in the original model corresponds to a meta atom denoted as s$
  - each field f in the signature s corresponds to a meta atom denoted s$f
- Given a meta atom m for a signature
  - m.fields denotes the set of meta atoms that correspond to the fields of that signature
  - m.value denotes the elements in that signature
- Given a meta atom m for a field
  - m.value denotes the tuples in that field

Alloy metamodel
- Behaviors of a model can be specified reflectively using the

This note was uploaded on 12/27/2011 for the course CMPSC 290h taught by Professor Chong during the Fall '09 term at UCSB.
