Re: [WEB SECURITY] Authorization for Web Services
I'm using LDAP for authentication, but this is not
enough. There are may users and functions should be
have limited access.
What I need implementing access control after
authenticating my clients to be sure no one able
to access unauthorized data.
If you have already developed your own code and LDAP authentication
interface, then it should be relatively straightforward to extend this
into an authorisation interface too.
I don't know your code or approach, so I'm going to assume it is object
oriented and then will just punt ideas out randomly ;) The way I would
approach would be to:
- If your code doesn't already support the concept of abstract user
groups, then implement it (associate with an LDAP group, allowing
centralised management). - Create a grid of methods that require authorisation, then associate
these with the user groups. - Create a function that checks for membership of the group, then call
this prior to allowing any sensitive methods to run.
A couple of observations for the LDAP auth:
- If you're not already doing your LDAP lookups over SSL, then add this
in (otherwise the first time that someone like me looks at it we'll just
start whining. ;) - When you do your LDAP auth check, use a named user with minimal
privileges and disable anonymous binds on the LDAP server. - Then you test the LDAP auth, first check for the existence of the
user, then attempt a bind as the user. That way you know whether the
user actually exists or the password is wrong (then you can log the
correct condition, though should give the user a generic "something was
wrong with your credentials" message).
Oh, then take the money you would have spent on an F5 and buy Jager
bombs for everyone and don't come in tomorrow. You could invite me too.
;)
Martin...
CONFIDENTIALITY: This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited. If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
DISCLAIMER: Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
Corsaire Limited, head office: Unit 2 Grosvenor Court, Hipley Street,
Old Woking, Surrey GU22 9LL. Telephone: +44 (0)1483-746700.
Registered in England No. 3338312. Registered office: Portland House,
Park Street, Bagshot, Surrey GU19 5PG.
Hello!
In addition to authentication/authorization, you can check WS-Security
standard to increase security (signatures/encryption).
http://en.wikipedia.org/wiki/WS-Security
Best Regards.
DEAD
On Sun, Jul 22, 2012 at 1:52 PM, Martin O'Neal
martin.oneal@corsaire.com wrote:
I'm using LDAP for authentication, but this is not
enough. There are may users and functions should be
have limited access.
What I need implementing access control after
authenticating my clients to be sure no one able
to access unauthorized data.
If you have already developed your own code and LDAP authentication
interface, then it should be relatively straightforward to extend this
into an authorisation interface too.
I don't know your code or approach, so I'm going to assume it is object
oriented and then will just punt ideas out randomly ;) The way I would
approach would be to:
- If your code doesn't already support the concept of abstract user
groups, then implement it (associate with an LDAP group, allowing
centralised management). - Create a grid of methods that require authorisation, then associate
these with the user groups. - Create a function that checks for membership of the group, then call
this prior to allowing any sensitive methods to run.
A couple of observations for the LDAP auth:
- If you're not already doing your LDAP lookups over SSL, then add this
in (otherwise the first time that someone like me looks at it we'll just
start whining. ;) - When you do your LDAP auth check, use a named user with minimal
privileges and disable anonymous binds on the LDAP server. - Then you test the LDAP auth, first check for the existence of the
user, then attempt a bind as the user. That way you know whether the
user actually exists or the password is wrong (then you can log the
correct condition, though should give the user a generic "something was
wrong with your credentials" message).
Oh, then take the money you would have spent on an F5 and buy Jager
bombs for everyone and don't come in tomorrow. You could invite me too.
;)
Martin...
CONFIDENTIALITY: This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited. If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
DISCLAIMER: Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
Corsaire Limited, head office: Unit 2 Grosvenor Court, Hipley Street,
Old Woking, Surrey GU22 9LL. Telephone: +44 (0)1483-746700.
Registered in England No. 3338312. Registered office: Portland House,
Park Street, Bagshot, Surrey GU19 5PG.
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org