“Although Web servers can perform user authentication and coarse-grained authorization checking for applications, developers of Web services and SOAs often must write custom code to restrict access to certain features of their system, or customize the behavior or appearance, based on the identity of a user. Embedding authorization checking within an application is inflexible, prone to error, and increases its complexity. What if it were data-driven instead of implemented by program logic?”
Nice addition to grsec :-)
Note that RSBAC proposes an Apache module to do this per virtualhost (not per web user):
http://www.rsbac.org/
I use it and it does work.
I fear that if you integrate it deeper, it brings a problem: you have to trust more userspace code.
This kind of security solution does not trust userspace code at all by default. With the Apache module, it trusts Apache a little bit.
If you add user support, it means you have to trust the PHP/Perl/whatever programmer too, over code that you do not control (if you want to do that automagically).
Note that you can, however, simply give Apache’s virtualhost the right to switch role to a predefined set, and call the RSBAC command to switch role from PHP (or others).
Note also that if this code is compromised, the attacker can switch role to any of the allowed roles (so it’s as if there were no per-user role anymore inside the virtualhost).
I hope it was clear enough.
Our company’s .NET-based application platform has been using data-driven security for more than 3 years now. The rules are stored in a database, and managed by a tool we created.
These security options can be customized per role:
– web services (enable or disable access to methods)
– database tables (permission to select, update, insert and/or delete)
– database table columns (permission to read and/or write)
– UI: visibility of controls on the Windows Forms client
When we change security options, our tool will automatically generate XML documents and SQL statements for each role.
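A sketch of the generation step the last comment describes, added here as an example and not the commenter's tool: per-role rules held as data are turned into SQL statements and an XML document. The rule layout, all role, table, column, method and control names, and the ANSI-style `GRANT`/`REVOKE` dialect are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample rules; role, table, column, method and control names are hypothetical.
RULES = {
    "clerk": {
        "methods": {"GetOrder": True, "DeleteOrder": False},
        "tables": {"orders": ["select", "update"]},
        "columns": {"orders": {"read": ["id", "status"], "write": ["status"]}},
        "controls": {"btnDelete": False},
    },
}
TABLE_PRIVS = {"select", "insert", "update", "delete"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def ident(name):
    # Rule data ends up inside SQL text, so accept plain identifiers only.
    if not IDENT.fullmatch(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name

def generate_sql(role, rule):
    """Deny by default: revoke everything, then grant only what the rule lists."""
    out = []
    cols = rule.get("columns", {})
    for table, privs in sorted(rule.get("tables", {}).items()):
        unknown = set(privs) - TABLE_PRIVS
        if unknown:
            raise ValueError(f"unknown privilege: {sorted(unknown)}")
        out.append(f"REVOKE ALL ON {ident(table)} FROM {ident(role)};")
        for priv in sorted(privs):
            # Column rules narrow SELECT (read) and UPDATE (write) to named columns.
            key = {"select": "read", "update": "write"}.get(priv)
            names = cols.get(table, {}).get(key, []) if key else []
            col_list = f" ({', '.join(ident(c) for c in names)})" if names else ""
            out.append(f"GRANT {priv.upper()}{col_list} ON {ident(table)} TO {ident(role)};")
    return out

def generate_xml(role, rule):
    """Per-role document for the service layer and the client UI."""
    root = ET.Element("role", name=role)
    for tag, attr, section in (("method", "enabled", "methods"), ("control", "visible", "controls")):
        for name, allowed in sorted(rule.get(section, {}).items()):
            ET.SubElement(root, tag, name=name, **{attr: str(bool(allowed)).lower()})
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for role, rule in RULES.items():
        print("\n".join(generate_sql(role, rule)), generate_xml(role, rule), sep="\n")
```

Because the rules are data that becomes SQL text, the generator rejects anything that is not a plain identifier or a known privilege instead of quoting it.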