websecurity@lists.webappsec.org

The Web Security Mailing List


Authorization for Web Services

I
Infosec
Fri, Jul 20, 2012 10:01 PM

Hi,

I'm looking for solutions to be sure that I'm implementing access control as it should be for my web services.

What do you advise me to use to control the authorization issue?

Sent from my iPhone

IS
Info Sec
Sat, Jul 21, 2012 11:50 AM

Hi,

I'm looking for solutions to authorize my client and control the access to
my web service resource.
What is the best way to implement access control in web services?

DD
Dulong, David
Sat, Jul 21, 2012 1:14 PM

Have you looked at DataPower or CA SOA agent for SiteMinder?

Sent from my iPhone


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

-This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the LabCorp Privacy Officer at privacyofficer@labcorp.com or call (877) 23-HIPAA / (877) 234-4722.

PS
Prasad Shenoy
Sat, Jul 21, 2012 3:52 PM

Datapower or F5 BigIP ASM should serve the purpose.

Thank you,
Prasad N. Shenoy

I
Infosec
Sat, Jul 21, 2012 5:06 PM

Hi all,

What do you think about LDAP, or implementing the access control within the code, such as using OAuth 2.0?

Prasad,
I think you mean F5 BigIP APM; I will read more about it since we have F5 BigIP.

Thank you all.

Sent from my iPad

PS
Prasad Shenoy
Sat, Jul 21, 2012 7:55 PM

I actually meant ASM but yeah, APM might be a better fit. If you already have F5 that might be a good starting point.

Thank you,
Prasad N. Shenoy

ME
Matthieu Estrade
Sat, Jul 21, 2012 8:40 PM

Lol,

Funny that everybody answers this kind of topic with "product based"
solutions.

Authentication and authz on web services can be done with classic HTTP
mechanisms, like header-based auth (Basic, NTLM, etc.).
In your case, Basic auth based on LDAP should be OK (mod_auth_ldap on
Apache).

But authentication and authz are usually done with a service provider
contacting an identity provider.
You should look at SAML and SSO mechanisms too.

So before looking at commercial products, look at what you need.

Matthieu

PS
Prasad Shenoy
Sun, Jul 22, 2012 11:41 AM

I agree, and it is kinda silly how I just jumped to a product to solve a classic problem, but let me explain. If your requirements support something easy and home grown, and if you have the expertise (security insight across all phases of the SDLC for that solution), by all means you must explore what can be done w/o buying a new product.

But OTOH, if you already own a product that is capable of doing what you need, has been tested thoroughly (vetted by the vendor and other clients such as yours), and has all the bells and whistles that you will otherwise have to spend money creating, then that should be your first choice.

The products mentioned in this thread also support SAML 2.0 and other WAF features and might help you hit the ground running with a few tweaks.

It's always a dilemma, but take care of your business first. If the business needs something tomorrow, don't get stuck on writing a homegrown solution to such common problems.

I am not affiliated with either of the products in any capacity whatsoever :)

Thank you,
Prasad N. Shenoy

I
Infosec
Sun, Jul 22, 2012 3:39 PM

Hi Matthieu and Prasad,

I'd prefer not to buy a new product or a license.
We already have developers capable of implementing what we need.

I'm using LDAP for authentication, but this is not enough.
There are many users and functions that should have limited access.

What I need is to implement access control after authenticating my clients, to be sure no one is able to access unauthorized data.

SAML looks like the same thing I'm looking for.
Are there similar options?

Thank you all.

Sent from my iPad

On Jul 22, 2012, at 2:41 PM, Prasad Shenoy prasad.shenoy@gmail.com wrote:

I agree and it is kinda silly how I just jumped to a product to solve a classic problem but let me explain. If your requirement support something easy and home grown and if you have the expertise (Security insight across all phases of SDLC for that solution), by all means you must explore what can be done w/o buying a new product.

But OTOH, if you already own a product that is capable of doing what you need, has been tested thoroughly (vetted by the vendor and other clients such as yours), has all the bells and whistles that you will have to spend money creating, then that should be your first choice.

The products mentioned in this thread also support SAML 2.0 and other WAF features and might help you hit the ground running with a few tweaks.

It's always a dilemma but take care of your business first. If business needs something tomorrow, don't get stuck on writing a homegrown solution to such common problems.

I am not affiliated to either of the products in any capacity whatsoever :)

Thank you,
Prasad N. Shenoy

On Jul 21, 2012, at 4:40 PM, Matthieu Estrade mestrade@moresecurity.org wrote:

Lol,

Funny that everybody answer on this kind of topic with "product based" solutions.

Authentication and authz on webservices can be done with classic HTTP mechanism, like header based auth (basic, ntlm etc.)
In your case, a Basic auth based on LDAP should be ok (mod_auth_ldap on apache).

But authentication and authz are usually done with a service provider contacting an identity provider.
You  should look about SAML and SSO mechanism too.

So before looking commercial product, look what you need.

Matthieu

Le 21/07/2012 19:06, Infosec a écrit :

Hi all,

What do you think about LDAP or implementing the access control within the code such as using Oauth 2.0?

Prasad,
I think you mean F5 BigIP APM, I will read more about it since we have F5 BigIP.

Thank you all.

Sent from my iPad

On Jul 21, 2012, at 6:52 PM, Prasad Shenoy prasad.shenoy@gmail.com wrote:

Datapower or F5 BigIP ASM should serve the purpose.

Thank you,
Prasad N. Shenoy

On Jul 21, 2012, at 9:14 AM, "Dulong, David" Dulongd@LabCorp.com wrote:

Have you looked at DataPower or CA SOA agent for SiteMinder?

Sent from my iPhone

On Jul 21, 2012, at 7:51 AM, "Info Sec" infosecm@gmail.com wrote:

Hi,

I'm looking for solutions to authorize my client and control the access to my web service resource.
What is the best way to implement the access control in web services?

Hi Matthieu and Prasad,

I don't prefer buying a new product or a license. We already have developers capable of implementing what we need. I'm using LDAP for authentication, but this is not enough. There are many users and functions that should have limited access. What I need is to implement access control after authenticating my clients, to be sure no one is able to access unauthorized data. SAML looks like the same thing I'm looking for. Are there similar options?

Thank you all.

Sent from my iPad

On Jul 22, 2012, at 2:41 PM, Prasad Shenoy prasad.shenoy@gmail.com wrote:
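The access control asked for in the message above (limiting which functions and which data each already-authenticated user can reach) is normally enforced inside the service itself, after the front end has done the LDAP authentication. The following is an added example written for this thread; it is not code from the list, from Apache, or from any product named here. It assumes the authenticated user name and LDAP group names are handed to the service by the front end, and every group, tenant, record and policy entry in it is constructed for illustration.

```python
"""Deny-by-default authorization after LDAP authentication (added example).

Assumes the front end (for instance Apache with Basic auth checked against
LDAP, as suggested in the thread) has already authenticated the caller and
passes the user name and LDAP group names to the service.  Group names,
resource names, tenants and records below are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Function-level policy: (resource, action) -> groups allowed to do it.
# Anything not listed here is denied (deny by default).
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("invoice", "read"):   frozenset({"finance", "auditors", "admins"}),
    ("invoice", "write"):  frozenset({"finance", "admins"}),
    ("customer", "read"):  frozenset({"sales", "finance", "admins"}),
    ("customer", "write"): frozenset({"sales", "admins"}),
}


@dataclass(frozen=True)
class Principal:
    """Authenticated caller: identity, tenant and LDAP groups (e.g. memberOf)."""
    user: str
    tenant: str
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Record:
    kind: str     # resource type, e.g. "invoice"
    tenant: str   # organisation the record belongs to
    owner: str    # user who created it


class Forbidden(Exception):
    pass


# Constructed sample data store: record id -> record.
STORE: Dict[str, Record] = {
    "inv-1": Record("invoice", tenant="acme", owner="alice"),
    "inv-2": Record("invoice", tenant="globex", owner="carol"),
    "cust-1": Record("customer", tenant="acme", owner="bob"),
}

# Every authorization decision is appended here so denials can be monitored.
AUDIT: List[str] = []


def is_allowed(p: Principal, resource: str, action: str) -> bool:
    """Function-level (role-based) check: does any of the caller's groups
    appear in the policy entry for this resource/action?"""
    allowed = POLICY.get((resource, action), frozenset())
    return not p.groups.isdisjoint(allowed)


def can_access_record(p: Principal, rec: Record, action: str) -> bool:
    """Object-level check: the role check must pass AND the record must belong
    to the caller's tenant or be owned by the caller.  Without this second
    test anyone holding the 'read invoice' role could read every tenant's
    invoices just by iterating over ids."""
    if not is_allowed(p, rec.kind, action):
        return False
    return rec.tenant == p.tenant or rec.owner == p.user


def handle(p: Principal, action: str, record_id: str) -> Dict[str, str]:
    """Service entry point: returns the record view or raises Forbidden.
    Missing and forbidden records get the same answer so a caller cannot
    probe which ids exist."""
    rec: Optional[Record] = STORE.get(record_id)
    if rec is None or not can_access_record(p, rec, action):
        AUDIT.append(f"DENY user={p.user} action={action} id={record_id}")
        raise Forbidden("not found or not permitted")
    AUDIT.append(f"ALLOW user={p.user} action={action} id={record_id}")
    return {"id": record_id, "kind": rec.kind, "tenant": rec.tenant}


def decide(p: Principal, action: str, record_id: str) -> str:
    """Wrapper returning 'allow' or 'deny' instead of raising."""
    try:
        handle(p, action, record_id)
        return "allow"
    except Forbidden:
        return "deny"


if __name__ == "__main__":
    alice = Principal("alice", "acme", frozenset({"finance"}))
    dave = Principal("dave", "acme", frozenset({"sales"}))
    for who, action, rid in [(alice, "read", "inv-1"), (alice, "read", "inv-2"),
                             (dave, "read", "inv-1"), (dave, "write", "cust-1"),
                             (alice, "read", "inv-9")]:
        print(who.user, action, rid, "->", decide(who, action, rid))
    print("\n".join(AUDIT))
```

The two checks are deliberately separate: the group-to-permission table answers "may this role call this function", which is what LDAP groups give you for free, while the tenant/owner comparison answers "may this caller see this particular record", which no authentication layer or gateway can decide for you because only the service knows who the data belongs to. Logging both outcomes gives the operations side a feed of denied requests to watch for enumeration attempts.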