[WEB SECURITY] Authorization for Web Services

The Dead th3d34d at gmail.com
Mon Jul 23 21:09:15 EDT 2012


In addition to authentication/authorization, you can check WS-Security
standard to increase security (signatures/encryption).


Best Regards.


On Sun, Jul 22, 2012 at 1:52 PM, Martin O'Neal
<martin.oneal at corsaire.com> wrote:
>> I'm using LDAP for authentication, but this is not
>> enough. There are may users and functions should be
>> have limited access.
>> What I need implementing access control after
>> authenticating my clients to be sure no one able
>> to access unauthorized data.
> If you have already developed your own code and LDAP authentication
> interface, then it should be relatively straightforward to extend this
> into an authorisation interface too.
> I don't know your code or approach, so I'm going to assume it is object
> oriented and then will just punt ideas out randomly ;) The way I would
> approach would be to:
> - If your code doesn't already support the concept of abstract user
> groups, then implement it (associate with an LDAP group, allowing
> centralised management).
> - Create a grid of methods that require authorisation, then associate
> these with the user groups.
> - Create a function that checks for membership of the group, then call
> this prior to allowing any sensitive methods to run.
> A couple of observations for the LDAP auth:
> - If you're not already doing your LDAP lookups over SSL, then add this
> in (otherwise the first time that someone like me looks at it we'll just
> start whining. ;)
> - When you do your LDAP auth check, use a named user with minimal
> privileges and disable anonymous binds on the LDAP server.
> - Then you test the LDAP auth, first check for the existence of the
> user, then attempt a bind as the user. That way you know whether the
> user actually exists or the password is wrong (then you can log the
> correct condition, though should give the user a generic "something was
> wrong with your credentials" message).
> Oh, then take the money you would have spent on an F5 and buy Jager
> bombs for everyone and don't come in tomorrow. You could invite me too.
> ;)
> Martin...
> ----------------------------------------------------------------------
> CONFIDENTIALITY:  This e-mail and any files transmitted with it are
> confidential and intended solely for the use of the recipient(s) only.
> Any review, retransmission, dissemination or other use of, or taking
> any action in reliance upon this information by persons or entities
> other than the intended recipient(s) is prohibited.  If you have
> received this e-mail in error please notify the sender immediately
> and destroy the material whether stored on a computer or otherwise.
> ----------------------------------------------------------------------
> DISCLAIMER:  Any views or opinions presented within this e-mail are
> solely those of the author and do not necessarily represent those
> of Corsaire Limited, unless otherwise specifically stated.
> ----------------------------------------------------------------------
> Corsaire Limited, head office: Unit 2 Grosvenor Court, Hipley Street,
> Old Woking, Surrey GU22 9LL. Telephone: +44 (0)1483-746700.
> Registered in England No. 3338312. Registered office: Portland House,
> Park Street, Bagshot, Surrey GU19 5PG.
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

More information about the websecurity mailing list