Development of a Flexible PERMIS Authorisation Module for Shibboleth and Apache Server

  • Wensheng Xu
  • David W. Chadwick
  • Sassa Otenko
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3545)


This paper describes the development of a flexible Role Based Access Control (RBAC) authorisation module, the Shibboleth and Apache Authorisation Module (SAAM), which is based on the PERMIS privilege management infrastructure. It explains how the module can work with the Apache web server, with or without Shibboleth. We argue that this can effectively improve the level of trust and flexibility of access control for the Shibboleth architecture and the Apache web server, as well as provide a finer grained level of control over web resources.


Keywords: Role Based Access Control, Policy Decision Point, Attribute Certificate, Security Assertion Markup Language, Scope Domain





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Wensheng Xu (1)
  • David W. Chadwick (1)
  • Sassa Otenko (1)
  1. Computing Laboratory, University of Kent, Canterbury, England
