WebApp Sec mailing list archives
Re: web application access control research
From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Wed, 23 Apr 2003 20:30:30 -0400
Andy,

I suspect that you will find a large number of papers that deal with identification and authentication, and very few that deal with access control (aka authorization) for any kind of sophisticated security policy on web apps. The reason is that in many web environments, the authentication mechanisms are centralized and standard, and the access control mechanisms are haphazard custom code.

There is a tremendous body of literature on access control schemes for operating systems and databases. The only difference here is that the set of attributes on which access control decisions are made is a little different in the web application environment.

Here's what I look for in a web app access control scheme...

- tamperproof
- always invoked
- verifiable (minimize complexity)
- flexible support for a broad range of subjects (thing that accesses) and objects (what gets accessed)
- ability to group subject and object attributes for easier management
- ability to express access control policy in the simplest form possible

The vast majority of access control components out there allow decisions to be made based on the URL. Period. Not form data, not query string, not time of day, age of user, account number, last page visited, special deal in effect, session data, or anything else. Most developers end up coding a bunch of special rules into their code and it quickly spirals out of control. Access control mechanisms should be centralized.

By the way, the first three requirements are properties of a 'reference monitor' -- anyone implementing an access control scheme who hasn't heard those words should find out what they mean and why they're important.

I've always found that thinking through the access control matrix (of subjects and objects) raises many issues and special cases that are often overlooked without a systematic approach.

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: <absmith () cerias purdue edu>
To: <webappsec () securityfocus com>
Sent: Tuesday, April 22, 2003 6:46 PM
Subject: web application access control research

All,

Besides the OWASP Guide, can anyone point me to papers/articles that deal with the issues of access control of web applications? I am looking to do a survey paper on this topic. Basically, I am looking for references that talk about access control in regards to web applications: current trends, research, tools, software, ideas, etc. Any help would be great. Thanks in advance!

- Andy
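A centralized decision point of the kind Jeff describes (one function that decides on subject and object attributes such as account number and time of day rather than on the URL, with a wrapper so it is always invoked and deny-by-default so it stays verifiable), written as an added illustration and not code from this thread or from Aspect Security; the Subject/Obj/Context types, the POLICY rules and the account store are assumptions constructed for the example:

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

@dataclass(frozen=True)
class Subject:            # the thing that accesses; built from the server-side session, not the request
    user_id: str
    roles: frozenset      # group attribute, for easier policy management
    accounts: frozenset   # account numbers this user may act on
@dataclass(frozen=True)
class Obj:                # what gets accessed; attributes beyond the URL
    kind: str
    account: str
@dataclass(frozen=True)
class Context:            # request attributes the decision may depend on (action, time of day)
    action: str
    now: time

# Central policy as (rule name, predicate) pairs; access is allowed only when some rule grants it.
POLICY = [
    ("own-account-view",
     lambda s, o, c: o.kind == "account" and c.action == "view" and o.account in s.accounts),
    ("own-account-transfer-in-hours",
     lambda s, o, c: o.kind == "account" and c.action == "transfer"
     and o.account in s.accounts and time(9) <= c.now < time(17)),
    ("auditor-view-any", lambda s, o, c: "auditor" in s.roles and c.action == "view"),
]

def decide(subject: Subject, obj: Obj, ctx: Context) -> tuple:
    """The single decision point: returns (allowed, name of the deciding rule). Deny by default."""
    for name, rule in POLICY:
        if rule(subject, obj, ctx):
            return True, name
    return False, "default-deny"

def guarded(action: str, load_obj: Callable):
    """Wrap a handler so the monitor is always invoked: no handler body runs without a decision."""
    def wrap(handler):
        def run(session: Subject, params: dict, now: time) -> dict:
            obj = load_obj(params)      # object attributes come from the server-side store
            allowed, rule = decide(session, obj, Context(action, now))
            if not allowed:
                return {"status": 403, "rule": rule}
            return {"status": 200, "rule": rule, "body": handler(session, obj)}
        return run
    return wrap

# Constructed sample store: the 'acct' query parameter only selects an object, it never asserts ownership.
ACCOUNTS = {"1001": Obj("account", "1001"), "2002": Obj("account", "2002")}
@guarded("transfer", lambda params: ACCOUNTS[params["acct"]])
def transfer(session: Subject, obj: Obj) -> str:
    return f"transfer from {obj.account} by {session.user_id}"
```

Adding a new attribute (age of user, special deal in effect) means adding a field to Subject, Obj or Context and a rule to POLICY, not a special case inside a handler.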
Current thread:
- web application access control research absmith (Apr 22)
- Re: web application access control research Ray Stirbei (Apr 22)
- Re: web application access control research George W. Capehart (Apr 22)
- RE: web application access control research Gunter (Apr 23)
- Re: web application access control research Gary Gwin (Apr 23)
- Re: web application access control research Jeff Williams @ Aspect (Apr 23)
- Re: web application access control research Ray Stirbei (Apr 23)