Hi,
I'm looking for solutions to be sure that I'm implementing access control as it should be for my web services.
What do you advise me to use to control the authorization issue?
Sent from my iPhone
Hi,
I'm looking for solutions to authorize my client and control the access to
my web service resource.
What is the best way to implement access control in web services?
Have you looked at DataPower or CA SOA agent for SiteMinder?
Sent from my iPhone
On Jul 21, 2012, at 7:51 AM, "Info Sec" infosecm@gmail.com wrote:
Hi,
I'm looking for solutions to authorize my client and control the access to my web service resource.
What is the best way to implement access control in web services?
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
-This e-mail and any attachments may contain CONFIDENTIAL information, including PROTECTED HEALTH INFORMATION. If you are not the intended recipient, any use or disclosure of this information is STRICTLY PROHIBITED; you are requested to delete this e-mail and any attachments, notify the sender immediately, and notify the LabCorp Privacy Officer at privacyofficer@labcorp.com or call (877) 23-HIPAA / (877) 234-4722.
Datapower or F5 BigIP ASM should serve the purpose.
Thank you,
Prasad N. Shenoy
On Jul 21, 2012, at 9:14 AM, "Dulong, David" Dulongd@LabCorp.com wrote:
Have you looked at DataPower or CA SOA agent for SiteMinder?
Sent from my iPhone
Hi all,
What do you think about LDAP, or implementing the access control within the code, such as using OAuth 2.0?
Prasad,
I think you mean F5 BigIP APM; I will read more about it since we have F5 BigIP.
Thank you all.
Sent from my iPad
On Jul 21, 2012, at 6:52 PM, Prasad Shenoy prasad.shenoy@gmail.com wrote:
Datapower or F5 BigIP ASM should serve the purpose.
Thank you,
Prasad N. Shenoy
I actually meant ASM but yeah, APM might be a better fit. If you already have F5 that might be a good starting point.
Thank you,
Prasad N. Shenoy
On Jul 21, 2012, at 1:06 PM, Infosec infosecm@gmail.com wrote:
Hi all,
What do you think about LDAP, or implementing the access control within the code, such as using OAuth 2.0?
Prasad,
I think you mean F5 BigIP APM; I will read more about it since we have F5 BigIP.
Thank you all.
Sent from my iPad
Lol,
Funny that everybody answers this kind of topic with "product-based" solutions.
Authentication and authz on web services can be done with classic HTTP mechanisms, like header-based auth (Basic, NTLM etc.).
In your case, Basic auth based on LDAP should be OK (mod_auth_ldap on Apache).
But authentication and authz are usually done with a service provider contacting an identity provider.
You should look at SAML and SSO mechanisms too.
So before looking at commercial products, look at what you need.
Matthieu
On 21/07/2012 19:06, Infosec wrote:
Hi all,
What do you think about LDAP, or implementing the access control within the code, such as using OAuth 2.0?
Prasad,
I think you mean F5 BigIP APM; I will read more about it since we have F5 BigIP.
Thank you all.
Sent from my iPad
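Matthieu's suggestion above is HTTP Basic authentication with the credentials checked against LDAP. The following is an added example, not code from the thread or from mod_auth_ldap: it parses the Authorization header the way a web service (or a front-end module) must, rejects every malformed variant before anything is looked up, and then performs a bind-like password check. The directory, the two user entries, their groups and passwords are constructed stand-ins for a real LDAP bind; the hashing and the dummy comparison for unknown users are there so the check behaves the same whether or not the user name exists.

```python
import base64
import binascii
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed stand-in for the LDAP directory. With mod_auth_ldap the directory
# itself performs the bind; here a small table of salted PBKDF2 hashes plays
# that role so the example runs offline. Names and groups are invented.
_SALT = os.urandom(16)
_DIRECTORY: Dict[str, dict] = {
    "alice": {"hash": _hash_password("correct horse", _SALT), "groups": ["billing-readers"]},
    "bob": {"hash": _hash_password("battery staple", _SALT), "groups": ["billing-admins"]},
}
# Compared against for unknown users so the cost of a failed bind does not
# depend on whether the name exists.
_DUMMY_HASH = _hash_password("", _SALT)


@dataclass
class Principal:
    username: str
    groups: List[str] = field(default_factory=list)


class AuthError(Exception):
    """Any malformed or failed Basic credential; the caller answers 401."""


def parse_basic_header(header: Optional[str]) -> Tuple[str, str]:
    """Decode 'Authorization: Basic <base64>' into (user, password).

    Rejects a missing header, a non-Basic scheme, invalid base64 and a
    credential without the ':' separator, so callers only ever see a
    well-formed pair.
    """
    if not header:
        raise AuthError("no Authorization header")
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        raise AuthError("unsupported scheme")
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise AuthError("malformed credentials")
    if ":" not in raw:
        raise AuthError("malformed credentials")
    user, password = raw.split(":", 1)  # the password may itself contain ':'
    return user, password


def bind(user: str, password: str) -> Optional[Principal]:
    """Stand-in for an LDAP simple bind: verify the password, return the principal."""
    entry = _DIRECTORY.get(user)
    candidate = _hash_password(password, _SALT)
    expected = entry["hash"] if entry else _DUMMY_HASH
    ok = hmac.compare_digest(candidate, expected)
    if entry is None or not ok:
        return None
    return Principal(user, list(entry["groups"]))


def authenticate(header: Optional[str]) -> Principal:
    """Full check for one request: parse, then bind. Raises AuthError on any failure."""
    user, password = parse_basic_header(header)
    principal = bind(user, password)
    if principal is None:
        raise AuthError("invalid credentials")
    return principal


def basic_header(user: str, password: str) -> str:
    """Build the header a client would send (used only to construct demo input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    print(authenticate(basic_header("alice", "correct horse")))
    for bad in (None, "Bearer xyz", "Basic ???", basic_header("alice", "wrong")):
        try:
            authenticate(bad)
        except AuthError as err:
            print("rejected:", err)
```

Whatever performs the bind, the authenticated result is only a user name plus group memberships; as the later messages in this thread point out, that settles who the caller is, not which resources they may touch.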
I agree, and it is kinda silly how I just jumped to a product to solve a classic problem, but let me explain. If your requirements support something easy and home-grown, and if you have the expertise (security insight across all phases of the SDLC for that solution), by all means you must explore what can be done w/o buying a new product.
But OTOH, if you already own a product that is capable of doing what you need, has been tested thoroughly (vetted by the vendor and other clients such as yours), and has all the bells and whistles that you would otherwise have to spend money creating, then that should be your first choice.
The products mentioned in this thread also support SAML 2.0 and other WAF features and might help you hit the ground running with a few tweaks.
It's always a dilemma, but take care of your business first. If the business needs something tomorrow, don't get stuck writing a homegrown solution to such common problems.
I am not affiliated with either of the products in any capacity whatsoever :)
Thank you,
Prasad N. Shenoy
On Jul 21, 2012, at 4:40 PM, Matthieu Estrade mestrade@moresecurity.org wrote:
Lol,
Funny that everybody answers this kind of topic with "product-based" solutions.
Authentication and authz on web services can be done with classic HTTP mechanisms, like header-based auth (Basic, NTLM etc.).
In your case, Basic auth based on LDAP should be OK (mod_auth_ldap on Apache).
But authentication and authz are usually done with a service provider contacting an identity provider.
You should look at SAML and SSO mechanisms too.
So before looking at commercial products, look at what you need.
Matthieu
On 21/07/2012 19:06, Infosec wrote:
Hi all,
What do you think about LDAP, or implementing the access control within the code, such as using OAuth 2.0?
Prasad,
I think you mean F5 BigIP APM; I will read more about it since we have F5 BigIP.
Thank you all.
Sent from my iPad
Hi Matthieu and Prasad,
I'd prefer not to buy a new product or a license.
We already have developers capable of implementing what we need.
I'm using LDAP for authentication, but this is not enough.
There are many users and functions that should have limited access.
What I need is to implement access control after authenticating my clients, to be sure no one is able to access unauthorized data.
SAML looks like the same thing I'm looking for.
Are there similar options?
Thank you all.
Sent from my iPad
On Jul 22, 2012, at 2:41 PM, Prasad Shenoy prasad.shenoy@gmail.com wrote:
I agree, and it is kinda silly how I just jumped to a product to solve a classic problem, but let me explain. If your requirements support something easy and home-grown, and if you have the expertise (security insight across all phases of the SDLC for that solution), by all means you must explore what can be done w/o buying a new product.
But OTOH, if you already own a product that is capable of doing what you need, has been tested thoroughly (vetted by the vendor and other clients such as yours), and has all the bells and whistles that you would otherwise have to spend money creating, then that should be your first choice.
The products mentioned in this thread also support SAML 2.0 and other WAF features and might help you hit the ground running with a few tweaks.
It's always a dilemma, but take care of your business first. If the business needs something tomorrow, don't get stuck writing a homegrown solution to such common problems.
I am not affiliated with either of the products in any capacity whatsoever :)
Thank you,
Prasad N. Shenoy
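The last message states the actual requirement: LDAP already answers who the caller is, and what is missing is a check, after authentication, that limits each user to the functions and the data they are entitled to. The following is an added example, not code from the thread or from any product named in it, of how such a check can be built into a web service. It is deny-by-default, with a function-level check (which LDAP groups may call which operation) followed by an object-level check (whether this caller may touch this particular record), both enforced at a single chokepoint that every handler calls and that records every denial. The policy table, group names, invoice records and the 403-for-missing-or-forbidden convention are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed policy table: the operations each LDAP group may call.
# There is no "allow" default: a group or operation missing here is denied.
FUNCTION_POLICY: Dict[str, FrozenSet[str]] = {
    "billing-readers": frozenset({"invoice:read"}),
    "billing-admins": frozenset({"invoice:read", "invoice:update", "invoice:delete"}),
}


@dataclass(frozen=True)
class Principal:
    username: str   # as authenticated against LDAP
    groups: tuple   # group memberships returned by the directory


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Every denial is recorded so a reviewer can see who kept asking for what.
AUDIT: List[str] = []


def can_call(principal: Principal, operation: str) -> bool:
    """Function-level check: does any of the caller's groups grant the operation?"""
    return any(operation in FUNCTION_POLICY.get(g, frozenset()) for g in principal.groups)


def can_touch(principal: Principal, invoice: Invoice) -> bool:
    """Object-level check: admins may touch any invoice, everyone else only their own."""
    if "billing-admins" in principal.groups:
        return True
    return invoice.owner == principal.username


def authorize(principal: Principal, operation: str, invoice: Invoice) -> Decision:
    """Single chokepoint every handler goes through; both checks must pass."""
    if not can_call(principal, operation):
        decision = Decision(False, f"{principal.username} is not allowed to {operation}")
    elif not can_touch(principal, invoice):
        decision = Decision(False, f"{principal.username} does not own invoice {invoice.invoice_id}")
    else:
        decision = Decision(True, "ok")
    if not decision.allowed:
        AUDIT.append(
            f"DENY user={principal.username} op={operation} "
            f"invoice={invoice.invoice_id} ({decision.reason})"
        )
    return decision


# Constructed sample records
INVOICES: Dict[int, Invoice] = {
    1: Invoice(1, owner="alice"),
    2: Invoice(2, owner="carol"),
}


def handle(principal: Principal, operation: str, invoice_id: int) -> int:
    """Web-service handler returning an HTTP status code.

    A missing record and a forbidden one both yield 403, so the response does
    not reveal which invoice ids exist beyond the caller's own.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not authorize(principal, operation, invoice).allowed:
        return 403
    return 200


if __name__ == "__main__":
    alice = Principal("alice", ("billing-readers",))
    bob = Principal("bob", ("billing-admins",))
    print(handle(alice, "invoice:read", 1))    # her own invoice
    print(handle(alice, "invoice:read", 2))    # carol's invoice: denied
    print(handle(alice, "invoice:delete", 1))  # readers cannot delete: denied
    print(handle(bob, "invoice:delete", 2))    # admin: allowed
    print("\n".join(AUDIT))
```

The second check is the one that a group-based or function-based product rule alone does not give you: a reader who is allowed to call invoice:read still must not be able to read another user's invoice by changing the id in the request, which is exactly the "no one able to access unauthorized data" requirement stated above.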