PEP4Django A Policy Enforcement Point for Python Web Applications

  • Carlos Eduardo da Silva UFRN
  • Welkson de Medeiros IFRN
  • Silvio Sampaio UFRN


Traditionally, access control mechanisms have been hard-coded into application components. Such approach is error-prone, mixing business logic with access control concerns, and affecting the flexibility of security policies, as is the case with IFRN SUAP Django-based system. The externalization of access control rules allows their decoupling from business logic, through the use of authorization servers where access control policies are stored and queried for computing access decisions. In this context, this paper presents an approach that allows a Django Web application to delegate access control decisions to an external authorization server. The approach has been integrated into an enterprise level system, which has been used for experimentation. The results obtained indicate a negligible overhead, while allowing the modification of access control policies without interrupting the system.


ANSI (2004). Role Based Access Control. Technical Report ANSI INCITS 359-2004, ANSI. ANSI/INCITS 359-2004.

Armando, A., Carbone, R., Chekole, E. G., and Ranise, S. (2014). Attribute based access In Proceedings of the 19th ACM Symposium on control for apis in spring security. Access Control Models and Technologies, SACMAT '14, pages 85–88. ACM.

Brossard, D., Gebel, G., and Berg, M. (2017). A Systematic Approach to Implementing ABAC. In Proceedings of the 2Nd ACM Workshop on Attribute-Based Access Control, ABAC '17, pages 53–59, New York, NY, USA. ACM.

Domenech, M. C., Boukerche, A., and Wangham, M. S. (2016). An authentication and authorization infrastructure for the web of things. In Proc. of the 12th ACM Symposium on QoS and Security for Wireless and Mobile Networks, Q2SWinet '16, pages 39–46.

Elliott, A. and Knight, S. (2010). Role Explosion: Acknowledging the Problem. In Software Engineering Research and Practice, pages 349–355.

Hu, V. C., Ferraiolo, D., Kuhn, R., Friedman, A. R., Lang, A. J., Cogdell, M. M., Schnitzer, A., Sandlin, K., Miller, R., Scarfone, K., et al. (2014). Guide to Attribute Based Access Control (ABAC) Denition and Considerations. NIST special publication, 800(162).

Parducci, B., Lockhart, H., and Rissanen, E. (2013). Extensible access control markup language (XACML) version 3.0. OASIS Standard, pages 1–154.

Sandhu, R. and Samarati, P. (1994). Access Control: Principles and Practice, IEEE Communications 32 (9): 40–48, 1994. IEEE Communications Magazine, 32(9):40–48.

Servos, D. and Osborn, S. L. (2017). Current Research and Open Problems in Attribute-Based Access Control. ACM Computing Surveys, 49(4):65:1–65:45.

Sette, I. S., Chadwick, D. W., and Ferraz, C. A. G. (2017). Authorization policy federation in heterogeneous multicloud environments. IEEE Cloud Computing, 4(4):38–47.

Silva, E. F., Muchaluat-Saade, D. C., and Fernandes, N. C. (2018). ACROSS: A generic framework for attribute-based access control with distributed policies for virtual organizations. Future Generation Computer Systems, 78:1–17.
DA SILVA, Carlos Eduardo; DE MEDEIROS, Welkson; SAMPAIO, Silvio. PEP4Django A Policy Enforcement Point for Python Web Applications. In: WORKSHOP DE GESTÃO DE IDENTIDADES DIGITAIS, 9. , 2019, São Paulo. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019 . p. 5-16. DOI: