[OWASP-ESAPI] Notes on Access Controller and AccessReferenceMap

Alex Smolen me at alexsmolen.com
Wed Apr 29 00:42:49 EDT 2009

I was updating the .NET ESAPI and had a few notes on AccessController  
and AccessReferenceMap in the Java implementation.

- I think the parameters to isAuthorized (Key and runtime parameter)  
are pretty vague. What about subject, action, and resource, since this  
is a pretty typical definition of access control in most contexts  
(i.e. who does what to whom)?
- AccessControlRule should be in the reference, not in the interface.  
Nothing else in the interface relies on it, and it makes assumptions  
about how you want to implement access control, suggesting a level of  
complexity that may be unnecessary.
-Overall, I think the DefaultAccessController implementation is  
overkill. The typical access control calls (Is this user in the right  
role to even be here? Does this user have access to this particular  
account or file?) are pretty difficult to set up. Do others disagree?

-Why is there no way to get the list of indirect references? I could  
see this being useful in a variety of contexts. I’d propose changing  
Enumerator() to two methods, GetDirectReferences() and  
-In AccessReferenceMapTest the testUpdate, you have a “test to make  
sure old indirect reference is maintained after update”. However, this  
indirect reference is null both times, since this test occurs after  
you have removed. Are you sure this isn’t supposed to go before  
removing the user?
-You might consider returning Collections rather than Iterators, which  
are easier to iterate through with the for each loop, although this  
would break 1.4 compatibility so probably not.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090428/1e125568/attachment.html 

More information about the OWASP-ESAPI mailing list