[WEB SECURITY] Authorization for Web Services

Infosec infosecm at gmail.com
Sun Jul 22 11:39:51 EDT 2012


Hi Matthieu and Prasad,

I'd prefer not to buy a new product or a license.
We already have developers capable of implementing what we need.

I'm using LDAP for authentication, but this is not enough.
There are many users, and functions should have limited access.

What I need is to implement access control after authenticating my clients, to be sure no one is able to access unauthorized data.

SAML looks like the same thing I'm looking for.
Are there similar options?


Thank you all.


Sent from my iPad
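One way to do what this message asks for, as an added example that is not code from this thread: a deny-by-default authorization check that runs after LDAP authentication has identified the user (for example the REMOTE_USER that Basic auth sets). The LDAP group memberships, the group DNs, the policy and the resources are all constructed inline here and are assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the group memberships an LDAP search would
# return for an already-authenticated user.
LDAP_GROUPS = {
    "alice": {"cn=users,ou=groups,dc=example,dc=com"},
    "bob":   {"cn=users,ou=groups,dc=example,dc=com",
              "cn=billing,ou=groups,dc=example,dc=com"},
}

# Policy: group -> resource kind -> allowed actions and scope.
# scope "own" means the caller must own the object; "any" means every object.
# Anything not listed here is denied (deny by default).
POLICY = {
    "cn=users,ou=groups,dc=example,dc=com": {
        "invoice": {"actions": {"read"}, "scope": "own"},
    },
    "cn=billing,ou=groups,dc=example,dc=com": {
        "invoice": {"actions": {"read", "write"}, "scope": "any"},
    },
}

AUDIT = []  # decision log; in production this goes to the audit trail / SIEM


@dataclass(frozen=True)
class Resource:
    kind: str    # e.g. "invoice"
    owner: str   # user the object belongs to
    ident: str   # object identifier, for the audit line


def authorize(user, action, resource, groups=LDAP_GROUPS, policy=POLICY):
    """Return True only if an explicit policy rule permits the request."""
    decision = False
    for group in groups.get(user, set()):  # unknown user -> no groups -> deny
        rule = policy.get(group, {}).get(resource.kind)
        if rule is None or action not in rule["actions"]:
            continue
        # Object-level check: a role permission alone is not enough for
        # "own" scope; the authenticated user must also own the object.
        if rule["scope"] == "any" or resource.owner == user:
            decision = True
            break
    AUDIT.append(f"{'ALLOW' if decision else 'DENY'} user={user} "
                 f"action={action} {resource.kind}={resource.ident}")
    return decision
```

The second assertion in the test is the case the message is worried about: an authenticated user asking for another user's data is refused even though authentication succeeded.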

On Jul 22, 2012, at 2:41 PM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:

> I agree, and it is kinda silly how I just jumped to a product to solve a classic problem, but let me explain. If your requirements support something easy and home-grown, and if you have the expertise (security insight across all phases of the SDLC for that solution), by all means you must explore what can be done w/o buying a new product.
> 
> But OTOH, if you already own a product that is capable of doing what you need, has been tested thoroughly (vetted by the vendor and other clients such as yours), has all the bells and whistles that you will have to spend money creating, then that should be your first choice.
> 
> The products mentioned in this thread also support SAML 2.0 and other WAF features and might help you hit the ground running with a few tweaks.
> 
> It's always a dilemma but take care of your business first. If business needs something tomorrow, don't get stuck on writing a homegrown solution to such common problems.
> 
> I am not affiliated to either of the products in any capacity whatsoever :)
> 
> Thank you,
> Prasad N. Shenoy
> 
> On Jul 21, 2012, at 4:40 PM, Matthieu Estrade <mestrade at moresecurity.org> wrote:
> 
>> Lol,
>> 
>> Funny that everybody answers this kind of topic with "product based" solutions.
>> 
>> Authentication and authz on web services can be done with classic HTTP mechanisms, like header-based auth (basic, ntlm etc.)
>> In your case, Basic auth based on LDAP should be ok (mod_auth_ldap on apache).
>> 
>> But authentication and authz are usually done with a service provider contacting an identity provider.
>> You should look at SAML and SSO mechanisms too.
>> 
>> So before looking at commercial products, look at what you need.
>> 
>> Matthieu
>> 
>> On 21/07/2012 19:06, Infosec wrote:
>>> Hi all,
>>> 
>>> What do you think about LDAP or implementing the access control within the code such as using Oauth 2.0?
>>> 
>>> 
>>> Prasad,
>>> I think you mean F5 BigIP APM, I will read more about it since we have F5 BigIP.
>>> 
>>> 
>>> Thank you all.
>>> 
>>> Sent from my iPad
>>> 
>>> On Jul 21, 2012, at 6:52 PM, Prasad Shenoy <prasad.shenoy at gmail.com> wrote:
>>> 
>>>> Datapower or F5 BigIP ASM should serve the purpose.
>>>> 
>>>> Thank you,
>>>> Prasad N. Shenoy
>>>> 
>>>> On Jul 21, 2012, at 9:14 AM, "Dulong, David" <Dulongd at LabCorp.com> wrote:
>>>> 
>>>>> Have you looked at DataPower or CA SOA agent for SiteMinder?
>>>>> 
>>>>> Sent from my iPhone
>>>>> 
>>>>> On Jul 21, 2012, at 7:51 AM, "Info Sec" <infosecm at gmail.com> wrote:
>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> I'm looking for solutions to authorize my client and control the access to my web service resource.
>>>>>> What is the best way to implement access control in web services?
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> The Web Security Mailing List
>>>>>> 
>>>>>> WebSecurity RSS Feed
>>>>>> http://www.webappsec.org/rss/websecurity.rss
>>>>>> 
>>>>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>>> 
>>>>>> WASC on Twitter
>>>>>> http://twitter.com/wascupdates
>>>>>> 
>>>>>> websecurity at lists.webappsec.org
>>>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>> 
>> 
>> 
>> 
> 