[OWASP-ESAPI] (no subject)
Kevin W. Wall
kevin.w.wall at gmail.com
Tue Nov 3 14:29:42 EST 2009
Jim Manico wrote:
> My mistake. RBAC is alive and well.
> What I was trying to say was:
> if (user.isInRole("MANAGER"))
> ...is dead, and is something that I consider to be an anti-pattern.
Unfortunately, IRL, it's *not* dead, but it definitely *should* be.
> if (user.isAuthorized(<current activity>, <current object>))
> .... is a better way to implement access control controls in code, IMO.
OK, agreed. But if you think about it, on the surface at least, this doesn't
seem too far from providing a direct interface into Butler Lampson's original
Access Control Matrix model. (Not that it would imply that as an
> The issue of how to correctly apply access control programmatically (activity based) can
> relate to RBAC, ABAC and CBAC.
Personally, whenever possible (or perhaps I should say "practical"), I'm in
favor of separating out the coarse-grained access control decisions into
some external policy enforcement point (PEP) so that it doesn't clutter
the mainline code as in your anti-pattern, above. In general, this is not
always practical for all access control decisions, especially those that
are the fine-grained ones that require application specific knowledge or
some external workflow. If it were an easy problem it would have been
solved long ago. However, developers no doubt make it much more difficult
by putting those types of solutions off until everything else is completed
and then trying to shoehorn it in during the last 2 weeks while they are
going through an integration test period. (At least that's been my experience.)
It's often not until then that they realize these things are even missing.
> If you know of any solid whitepaper on this topic, please point me in
> that direction.
The only promising papers that I've turned up on this topic seem to be behind
some payment-required portal such as the IEEE Digital Library or the
ACM Portal. I access neither frequently enough to make it worth the $$.
I didn't try searching Google Scholar. Probably would have more luck there.
But if I run across anything, I'll be sure to let you know. (Actually, a good
person to ask about this would be Ross Anderson. He's pretty good about
answering private emails. IMO, his Security Engineering book should be required
reading for the information security field.)
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
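The contrast the thread draws, as an added Java example that is not part of the original post and not ESAPI code: the inline `user.isInRole("MANAGER")` check Jim calls an anti-pattern sits beside an `isAuthorized(activity, object)` decision point whose policy is kept in one place (the coarse-grained activity-to-role table that a PEP could serve) with a hook for the fine-grained, object-specific rule that Kevin notes usually needs application knowledge. All class, method and activity names (`User`, `Report`, `AccessController`, `report:approve`, and so on) are hypothetical.

```java
import java.util.*;

// Added example (not ESAPI code): inline role check vs. activity-based
// isAuthorized(activity, object). All names here are hypothetical.
public class ActivityBasedAccessDemo {

    static final class User {
        final String name;
        final Set<String> roles;
        User(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
        boolean isInRole(String role) { return roles.contains(role); }
    }

    static final class Report {
        final String id;
        final String owner;
        Report(String id, String owner) { this.id = id; this.owner = owner; }
    }

    // Anti-pattern: the policy ("managers approve reports") is hard-coded into the
    // business method, so every such rule must be hunted down when policy changes.
    static boolean approveReportAntiPattern(User user, Report report) {
        if (user.isInRole("MANAGER")) {
            return true;
        }
        return false;
    }

    // The decision point: callers ask "may this user perform this activity on this
    // object?" and never reason about roles themselves.
    interface AccessController {
        boolean isAuthorized(User user, String activity, Object target);
    }

    // Policy-backed implementation. The coarse-grained part (activity -> roles) is a
    // table that could equally be loaded from configuration or answered by an
    // external PEP; the fine-grained, object-specific part (ownership) is a hook.
    static final class PolicyAccessController implements AccessController {
        private final Map<String, Set<String>> activityRoles = new HashMap<>();

        PolicyAccessController allow(String activity, String... roles) {
            activityRoles.computeIfAbsent(activity, k -> new HashSet<>())
                         .addAll(Arrays.asList(roles));
            return this;
        }

        @Override
        public boolean isAuthorized(User user, String activity, Object target) {
            Set<String> allowed = activityRoles.get(activity);
            // Default deny: an activity with no policy entry is never authorized.
            if (allowed == null) {
                return false;
            }
            if (Collections.disjoint(allowed, user.roles)) {
                return false;
            }
            // Fine-grained, application-specific rule: authors may edit only their
            // own reports; managers may edit any report.
            if (target instanceof Report && "report:edit".equals(activity)) {
                return user.name.equals(((Report) target).owner) || user.isInRole("MANAGER");
            }
            return true;
        }
    }

    // Business code after the refactor: no role names anywhere in it.
    static boolean approveReport(AccessController ac, User user, Report report) {
        return ac.isAuthorized(user, "report:approve", report);
    }

    public static void main(String[] args) {
        AccessController ac = new PolicyAccessController()
            .allow("report:approve", "MANAGER")
            .allow("report:edit", "AUTHOR", "MANAGER");

        User alice = new User("alice", "AUTHOR");
        User bob = new User("bob", "MANAGER");
        User carol = new User("carol", "AUTHOR");
        Report r = new Report("R-1", "alice");   // constructed sample data

        System.out.println("alice approves R-1: " + approveReport(ac, alice, r));
        System.out.println("bob approves R-1:   " + approveReport(ac, bob, r));
        System.out.println("alice edits R-1:    " + ac.isAuthorized(alice, "report:edit", r));
        System.out.println("carol edits R-1:    " + ac.isAuthorized(carol, "report:edit", r));
        System.out.println("bob deletes R-1:    " + ac.isAuthorized(bob, "report:delete", r));
    }
}
```

The last call illustrates the default-deny behaviour: `report:delete` has no policy entry, so the manager is refused rather than silently allowed, which is the property that keeps a missing rule from becoming an authorization bypass.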