WebApp Sec mailing list archives

Re: web application access control research


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Wed, 23 Apr 2003 20:30:30 -0400

Andy,

I suspect that you will find a large number of papers that deal with
identification and authentication, and very few that deal with access
control (aka authorization) for any kind of sophisticated security policy on
web apps.  The reason is that in many web environments, the authentication
mechanisms are centralized and standard, and the access control mechanisms
are haphazard custom code.

There is a tremendous body of literature on access control schemes for
operating systems and databases. The only difference here is that the set of
attributes on which access control decisions are made is a little different
in the web application environment.

Here's what I look for in a web app access control scheme...
 - tamperproof
 - always invoked
 - verifiable (minimize complexity)
 - flexible support for a broad range of subjects (thing that accesses) and
objects (what gets accessed)
 - ability to group subject and object attributes for easier management
 - ability to express access control policy in the simplest form possible

The vast majority of access control components out there allow decisions to
be made based on the URL. Period.  Not form data, not query string, not time
of day, age of user, account number, last page visited, special deal in
effect, session data, or anything else.  Most developers end up coding a
bunch of special rules into their code and it quickly spirals out of
control.  Access control mechanisms should be centralized.

By the way, the first three requirements are properties of a 'reference
monitor' -- anyone implementing an access control scheme who hasn't heard
those words should find out what they mean and why they're important.  I've
always found that thinking through the access control matrix (of subjects
and objects) raises many issues and special cases that are often overlooked
without a systematic approach.

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
http://www.aspectsecurity.com
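To make the reference-monitor properties above concrete, here is an added example (mine, not from either post in this thread) of a centralized decision point in Python: a default-deny policy written over subject and object attributes (roles, account ownership, HTTP method, form data, time of day) rather than the URL alone, a wrapper that guarantees the check is always invoked before a handler runs, and a function that tabulates the subject/object access control matrix for review. The Subject/Obj/Ctx model, the rule names and the URLs are hypothetical.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, Optional, Tuple
@dataclass(frozen=True)
class Subject:                 # hypothetical "thing that accesses"
    user: str
    roles: FrozenSet[str]      # grouping of subject attributes
    account: str               # account this user owns

@dataclass(frozen=True)
class Obj:                     # hypothetical "what gets accessed"
    url: str
    account: Optional[str]     # account the resource belongs to, if any

@dataclass(frozen=True)
class Ctx:                     # request attributes beyond the URL
    method: str
    params: Dict[str, str]     # form / query-string data
    now: time                  # time of day

# Policy in its simplest form: named rules over grouped attributes, in one place.
RULES = {
    "admin": lambda s, o, c: "admin" in s.roles,
    "read-own-account": lambda s, o, c: o.url == "/account"
        and c.method == "GET" and o.account == s.account,
    "transfer-own-account-in-hours": lambda s, o, c: o.url == "/transfer"
        and c.method == "POST" and "customer" in s.roles and o.account == s.account
        and time(9) <= c.now < time(17) and c.params.get("amount", "").isdigit()
        and int(c.params["amount"]) <= 10_000,
}

def decide(s: Subject, o: Obj, c: Ctx) -> Tuple[bool, Optional[str]]:
    """Single decision point, default deny: (allowed, name of matching rule)."""
    for name, rule in RULES.items():
        if rule(s, o, c):
            return True, name
    return False, None

def enforce(handler):
    """Wrap every handler so decide() is always invoked before it runs."""
    def wrapped(s, o, c):
        allowed, _ = decide(s, o, c)
        if not allowed:
            raise PermissionError(f"{s.user}: {c.method} {o.url} denied")
        return handler(s, o, c)
    return wrapped
def matrix(subjects, objects, c):
    """Access control matrix: decide() for every subject/object pair."""
    return {(s.user, o.url): decide(s, o, c)[0] for s in subjects for o in objects}
```

Printing `matrix()` for the real subjects and objects of an application is the systematic walk through the matrix Jeff describes; cells that are unexpectedly True or False are the overlooked special cases.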



----- Original Message -----
From: <absmith () cerias purdue edu>
To: <webappsec () securityfocus com>
Sent: Tuesday, April 22, 2003 6:46 PM
Subject: web application access control research

All,

Besides the OWASP Guide, can anyone point me to papers/articles that deal
with the issues of access control of web applications?

I am looking to do a survey paper on this topic.  Basically, I am looking
for references that talk about access control in regards to web
applications: current trends, research, tools, software, ideas, etc.

Any help would be great.  Thanks in advance!

- Andy

