Linked by Thom Holwerda on Thu 14th Dec 2006 21:59 UTC
Privacy, Security, Encryption "Although Web servers can perform user authentication and coarse-grained authorization checking for applications, developers of Web services and SOAs often must write custom code to restrict access to certain features of their system, or customize the behavior or appearance, based on the identity of a user. Embedding authorization checking within an application is inflexible, prone to error, and increases its complexity. What if it were data-driven instead of implemented by program logic?"
rsbac and others (grsec reply)
by xmv_ on Fri 15th Dec 2006 10:30 UTC

Note that RSBAC proposes an Apache module to do this per virtualhost (not per web user):

http://www.rsbac.org/

I use it and it does work.

I fear that if you integrate it deeper, it brings a problem: you have to trust more userspace code.
This kind of security solution does not trust userspace code at all by default. With the Apache module, it trusts Apache a little bit.
If you add user support, it means you have to trust the PHP/Perl/whatever programmer too, over code that you do not control (if you want to do that automagically).

Note that you can, however, simply give Apache's virtualhost the right to switch role to a predefined set, and call the RSBAC command to switch role from PHP (or others).

Note also that if this code is compromised, the attacker can switch role to any of the allowed roles (so it's as if there were no per-user role anymore inside the virtualhost).

I hope it was clear enough ;)