This thesis analyzes the access control architectures of three middleware technologies: Common
Object Request Broker Architecture (CORBA), Enterprise Java Beans (EJB), and Component
Object Model (COM+). For all technologies under study, we formalize the protection state of their
corresponding authorization architectures in a more precise and less ambiguous language than their
respective specifcations. We also suggest algorithms that defne the semantics of authorization
decisions in CORBA, EJB, and COM+. Using the formalized protection state confgurations, we
analyze the level of support for the American National Standard Institute's (ANSI) specifcation
of Role-Based Access Control (RBAC) components and functional specifcation in the studied
middleware technologies. This thesis establishes a framework for assessing implementations of
ANSI RBAC in the analyzed middleware technologies.
Our fndings indicate that all of three middleware technologies under study fall short of supporting
even Core ANSI RBAC. Custom extensions are necessary in order for implementations
compliant with each middleware to support ANSI RBAC required or optional components. Some
of the limitations preventing support of ANSI RBAC are due to the middleware's architectural
design decisions; however, fundamental limitations exist due to the impracticality of some aspects
of the ANSI RBAC standard itself.
↧