Re: web application access control research

From: Jeff Williams (at) Aspect <(at)>
Date: Wed Apr 23 2003 - 20:30:30 EDT

Andy,

I suspect that you will find a large number of papers that deal with identification and authentication, and very few that deal with access control (aka authorization) for any kind of sophisticated security policy on web apps. The reason is that in many web environments, the authentication mechanisms are centralized and standard, and the access control mechanisms are haphazard custom code.

There is a tremendous body of literature on access control schemes for operating systems and databases. The only difference here is that the set of attributes on which access control decisions are made is a little different in the web application environment.

Here's what I look for in a web app access control scheme...

  • tamperproof
  • always invoked
  • verifiable (minimize complexity)
  • flexible support for a broad range of subjects (thing that accesses) and objects (what gets accessed)
  • ability to group subject and object attributes for easier management
  • ability to express access control policy in the simplest form possible

The vast majority of access control components out there allow decisions to be made based on the URL. Period. Not form data, not query string, not time of day, age of user, account number, last page visited, special deal in effect, session data, or anything else. Most developers end up coding a bunch of special rules into their code and it quickly spirals out of control. Access control mechanisms should be centralized.

By the way, the first three requirements are properties of a 'reference monitor' -- anyone implementing an access control scheme who hasn't heard those words should find out what they mean and why they're important. I've always found that thinking through the access control matrix (of subjects and objects) raises many issues and special cases that are often overlooked without a systematic approach.

--Jeff


Jeff Williams
jeff.williams@aspectsecurity.com
Aspect Security, Inc.
http://www.aspectsecurity.com

----- Original Message -----
From: <absmith@cerias.purdue.edu>
To: <webappsec@securityfocus.com>
Sent: Tuesday, April 22, 2003 6:46 PM
Subject: web application access control research

>
>
> All,
>
> Besides the OWASP Guide, can anyone point me to papers/articles that deal
Received on Wed Apr 23 20:46:04 2003
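As an added example (not from Jeff's message or from Aspect Security), here is a small Python sketch of the centralized, attribute-based check the reply describes: one `authorize()` decision that every handler is reached through (always invoked), a policy kept in one place, decisions on more than the URL (account number, time of day, session data) and deny by default. All type names, rules and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed types: the "subject" (who accesses) and the request made
# against an "object" (the URL plus the data sent with it).
@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset
    account_ids: frozenset  # accounts this user may operate on

@dataclass(frozen=True)
class Request:
    url: str
    params: dict   # form data / query string
    session: dict  # server-side session data
    hour: int      # time of day, 0-23

Rule = Callable[[Subject, Request], bool]

# Attribute predicates: decisions use more than the URL.
def owns_account(s: Subject, r: Request) -> bool:
    return r.params.get("account") in s.account_ids
def business_hours(s: Subject, r: Request) -> bool:
    return 8 <= r.hour < 18
def stepped_up(s: Subject, r: Request) -> bool:
    return r.session.get("step_up_auth") is True
def is_admin(s: Subject, r: Request) -> bool:
    return "admin" in s.roles

# Policy in one place, as simple rule lists per object. Anything not
# listed is denied; every rule for a listed object must hold.
POLICY: Dict[str, List[Rule]] = {
    "/account/view": [owns_account],
    "/account/transfer": [owns_account, business_hours, stepped_up],
    "/admin/reports": [is_admin],
}

def authorize(subject: Subject, request: Request) -> bool:
    """The reference-monitor decision: default deny, all rules must pass."""
    rules = POLICY.get(request.url)
    return rules is not None and all(rule(subject, request) for rule in rules)

def dispatch(subject: Subject, request: Request,
             handlers: Dict[str, Callable]) -> Tuple[int, str]:
    """Single entry point, so the check is always invoked before any handler."""
    if not authorize(subject, request):
        return 403, "forbidden"
    return 200, handlers[request.url](subject, request)
```

Because the account check reads the submitted parameter against the subject's own attributes, changing the account number in the form is refused by the same central rule rather than by ad hoc code in each page.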

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT
