Enforcing Usage Constraints on Credentials for Web Applications

We propose a user-friendly environment for applying proof-carrying authorization and usage constraint enforcement to Web applications. We argue why existing approaches cannot be applied directly to Web applications, and show how to circumvent possible performance bottlenecks. We identify and categorize usage constraints, place them in the context of Web applications, and provide a library of functions and a language to express them. We develop a compliance checking algorithm that constructs proofs for policies based on a set of RT0 credentials, and provide a verification scheme to enforce usage constraints and verify proofs. We propose implementations for the algorithm and the verification scheme and use them in a modular browser extension. This browser extension intercepts requests to protected resources, constructs proofs for the policies protecting them, and resends the requests with valid proofs attached. To substantiate our claim of a user-friendly environment, we perform a case study in which we adapt an existing Ruby on Rails application, BrowserCMS, to our approach. We provide an example scenario for which we model principals, credentials, and usage constraints. Finally, we present performance evaluations and outline the differences between our approach and related work.