WebApp Sec mailing list archives

Re: web application access control research


From: Ray Stirbei <me () highentropy org>
Date: Tue, 22 Apr 2003 19:38:20 -0400


Andy,

The access control section of OWASP guide is in the process of an overhaul and 
you should check the CVS repository next week because it will address some of 
these issues. 

In terms of research, you'll find a great deal of papers here :
http://citeseer.nj.nec.com/Security/AccessControl/

If you are building a web application, the general questions to ask are:
Should I use single sign on? What authentication model / authorization model? 
Should I build (ie. Java JAAS)? Should I purchase? (ie Tivoli, Access360, 
BMC, Courion, CA, Entact,  etc) Pick what makes sense for your application 
and business requirements.

If you are testing a web application you can use scripts to test HTTP 
Basic/Digest/Forms authentication or packaged tools like Brutus, Entry, 
BeatLM, Hydra, etc.

I think the general trend in access and identity management is toward better 
integrated systems internally and towards federation externally. (Liberty 
Alliance / MS Passport). XML standards like SAML, XACML, XKMS DSML are 
critical here. Web based access management systems (like SiteMinder) are 
being increasingly used for centralized policy management. I'd be surprised 
if you can't find a Gartner (or other analysts) report on this topic. I found a 
synopsis by Giga here while looking for something else: 
http://www.csoonline.com/analyst/report576.html

Hope that helps

ray

On Tuesday 22 April 2003 06:46 pm, absmith () cerias purdue edu wrote:
All,

Besides the OWASP Guide, can anyone point me to papers/articles that deal
with the issues of access control of web applications?

I am looking to do a survey paper on this topic.  Basically, I am looking
for references that talk about access control in regards to web
applications: current trends, research, tools, software, ideas, etc.

Any help would be great.  Thanks in advance!

- Andy

