Analysis of ANSI RBAC Support in Commercial Middleware

This thesis analyzes the access control architectures of three middleware technologies: Common Object Request Broker Architecture (CORBA), Enterprise Java Beans (EJB), and Component Object Model (COM+). For all technologies under study, we formalize the protection state of their corresponding authorization architectures in a more precise and less ambiguous language than their respective specifcations. We also suggest algorithms that defne the semantics of authorization decisions in CORBA, EJB, and COM+. Using the formalized protection state confgurations, we analyze the level of support for the American National Standard Institute's (ANSI) specifcation of Role-Based Access Control (RBAC) components and functional specifcation in the studied middleware technologies. This thesis establishes a framework for assessing implementations of ANSI RBAC in the analyzed middleware technologies. Our fndings indicate that all of three middleware technologies under study fall short of supporting even Core ANSI RBAC. Custom extensions are necessary in order for implementations compliant with each middleware to support ANSI RBAC required or optional components. Some of the limitations preventing support of ANSI RBAC are due to the middleware's architectural design decisions; however, fundamental limitations exist due to the impracticality of some aspects of the ANSI RBAC standard itself.