Codereview-Authorization

From OWASP
Revision as of 10:17, 1 July 2008 by EoinKeary (Talk | contribs)

Jump to: navigation, search
OWASP Code Review Guide Table of Contents

Contents


Introduction

Authorisation is key in multiuser environments where user data should be segregated. different clients/users should not see other clients data (Horizontal authorisation). Authorisation can also be used to restrict functionality to a subset of users. "super users" would have extra admin functionality a "regular user" would not have access to (Vertical authorisation).

Authorisation is a very bespoke area in application development. It can be implemented via a lookup table in a users session which is loaded upon sucessful authentication. It coule be a realtime interrogation of a backend LDAP or database system upon each request.

Good Example

Check authorisation upon every user request.


String action = request.getParameter("action")
if (action == "doStuff"){
  boolean permit = session.authTable.isAuthorised(action); // check table if authoirsed to do action
}
if (permit){
 doStuff();
}else{
 throw new (InvalidRequestException("Unauthorised request"); // inform user of no authorisation
 session.invalidate(); // Kill session
}


Bad Example

Building the GUI based on the users authorisation. "If he cant see the control we wont be able to use it" 

- Common enough error. If a user has the URL the functionality can still be called. This is due to no authorisation check being perfromed upon every HTTP request.

Related Vulnerabilities