[WEB SECURITY] Authorization for Web Services

Matthieu Estrade mestrade at moresecurity.org
Sat Jul 21 16:40:11 EDT 2012


Lol,

Funny that everybody answers this kind of topic with "product-based" 
solutions.

Authentication and authz on web services can be done with classic HTTP 
mechanisms, like header-based auth (Basic, NTLM etc.).
In your case, a Basic auth based on LDAP should be ok (mod_auth_ldap on 
Apache).

But authentication and authz are usually done with a service provider 
contacting an identity provider.
You should look into SAML and SSO mechanisms too.

So before looking at commercial products, look at what you need.

Matthieu
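As an added illustration (not part of Matthieu's mail or the thread), this is what the "Basic auth based on LDAP" suggestion looks like as an Apache httpd 2.4 configuration. In 2.2 and later the module is mod_authnz_ldap (mod_auth_ldap was the 2.0 name). All hostnames, DNs, file paths, group names and the network range are placeholders chosen for the example.

```apache
# Added example, not from the thread: httpd 2.4 protecting a web service
# path with HTTP Basic authentication checked against LDAP, plus group-based
# authorization. Every DN, host and path here is a placeholder.
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Basic credentials are only base64-encoded in the request, so the httpd
# front end itself must be served over TLS; likewise use ldaps:// to the
# directory and verify its certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap-ca.pem
LDAPVerifyServerCert On

<Location "/ws">
    # Authentication: the Authorization: Basic header is resolved by
    # searching for uid=<name> under ou=people, then binding as that entry
    # with the supplied password.
    AuthType Basic
    AuthName "Web Service"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
    # Low-privilege service account used only for the initial search.
    # exec: keeps the secret out of httpd.conf (supported since 2.4.5).
    AuthLDAPBindDN "cn=httpd-lookup,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "exec:/etc/httpd/ldap-bind-pass.sh"

    # Authorization: a correct password alone is not enough; the bound
    # user's DN must appear in the group's member attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=ws-clients,ou=groups,dc=example,dc=com
</Location>

<Location "/ws/admin">
    # A more sensitive sub-path inherits the auth settings above and adds
    # a stricter rule: admin group membership AND a management source IP.
    <RequireAll>
        Require ldap-group cn=ws-admins,ou=groups,dc=example,dc=com
        Require ip 10.0.50.0/24
    </RequireAll>
</Location>
```

The split between `AuthLDAPURL` (who the caller is) and `Require ldap-group` (what they may reach) is the authentication/authorization distinction from the mail; swapping `Require ldap-group` for `Require valid-user` would authenticate everyone in the directory but authorize nothing in particular. The backend service sees the verified identity in `REMOTE_USER` and does not need to talk to LDAP itself.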

On 21/07/2012 19:06, Infosec wrote:
> Hi all,
>
> What do you think about LDAP or implementing the access control within the code such as using OAuth 2.0?
>
>
> Prasad,
> I think you mean F5 BigIP APM, I will read more about it since we have F5 BigIP.
>
>
> Thank you all.
>
> Sent from my iPad
>
> On Jul 21, 2012, at 6:52 PM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:
>
>> Datapower or F5 BigIP ASM should serve the purpose.
>>
>> Thank you,
>> Prasad N. Shenoy
>>
>> On Jul 21, 2012, at 9:14 AM, "Dulong, David" <Dulongd at LabCorp.com> wrote:
>>
>>> Have you looked at DataPower or CA SOA agent for SiteMinder?
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 21, 2012, at 7:51 AM, "Info Sec" <infosecm at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm looking for solutions to authorize my client and control the access to my web service resource.
>>>> What is the best way to implement the access control in web services?
>>>>
>>>>
>>>> _______________________________________________
>>>> The Web Security Mailing List
>>>>
>>>> WebSecurity RSS Feed
>>>> http://www.webappsec.org/rss/websecurity.rss
>>>>
>>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>
>>>> WASC on Twitter
>>>> http://twitter.com/wascupdates
>>>>
>>>> websecurity at lists.webappsec.org
>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
