[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml-users] Policy with subject specific resources
On tis, 2012-02-28 at 12:49 +0000, Richard.Wilkinson@tessella.com wrote: > I have been asked to investigate how we should implement a XACML > policy to authorise a user to access a personal section of a web > application, and would be grateful for comments. I am aware of the > method described in > http://lists.oasis-open.org/archives/xacml/200404/msg00076.html, which > addresses the type of problem I am concerned with. It is preferred to > not use the subject-id as part of the URL, so that the URLs cannot be > guessed. .... Does that mean that if you guess the right URL you can circumvent access control? That doesn't seem very secure to me. > Is there a better method (where "better" includes requiring less/no > custom modification to the PDP or PEP, scaling well with number of > users and being manageable)? > Don't you have an authenticated session or something similar with the web app? You could save a reference to the subject-id in a cookie and retrieve it from a Map at the server side using the session context. Something like this: client idref=3454469 server idrefMap={{3454469,Alice},{5644648, Bob}, ....} The communication would be something like this: 0. client ---- authenticate ----> server 1. server stores identity in idrefMap 2. server ---- cookie with idref ----> client 3. client ---- read personal page ----> server 4. (inside server) PEP --- access request ---> PDP 5. (inside server) PDP --- response ---> PEP 6. server --- access/denied ---> client so in step 2. the PEP would build the XACML request including the subject-id. The general idea would be to generate the resource information from the URL, the subject info from the session and the action e.g. from the http method (put/get/update/delete). Hope it helps, Ludwig -- Ludwig Seitz, PhD Swedish Institute of Computer Science Ideon Science Park Building Beta 2 3v Scheelevägen 17 SE-223 70 Lund Phone +46(0)70-349 92 51 http://www.sics.se
Attachment:
signature.asc
Description: This is a digitally signed message part
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]