Difference between revisions of "ESAPI Access Control"

From OWASP

Revision as of 10:03, 11 December 2008

Feature Overview

TODO

Possible Enhancements

Currently the access controller simply allows for a lookup in an access control matrix. Enhancements will allow for special function(s) to be created for more complex access control rules (for example, a user has access to a file but only Monday - Friday, not on weekends).

So the simple case (lookup in an access control matrix):

  • isValid(user, action_string)

Custom Case

  • isValid(user, action_string, data)

Consider using objects provided by the underlying VM:

  • for representing resources in policy checks (e.g. Java Permissions) and
  • for representing the properties of the invocation context (e.g. the Java AccessControlContext)

Ensure that the policy system can support different policies being enforced for different instances of the same app.
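The two API shapes above, as an added example rather than ESAPI's own code: the two-argument isValid is a default-deny lookup in a user/action matrix, and the three-argument form additionally runs a rule registered for the action against the invocation data, here the Monday-to-Friday rule from the text. The class name, the "read:/path" action-string format and the "requestTime" key in the data map are assumptions made for the example.

```java
import java.time.DayOfWeek;
import java.time.ZonedDateTime;
import java.util.*;
import java.util.function.BiPredicate;

/** Added example, not ESAPI code: matrix lookup (simple case) plus per-action rules (custom case). */
public final class SimpleAccessController {
    /** Access control matrix: user -> permitted action strings. Anything absent is denied. */
    private final Map<String, Set<String>> matrix = new HashMap<>();
    /** Custom rules keyed by action string; each sees the user and the invocation data. */
    private final Map<String, BiPredicate<String, Map<String, Object>>> rules = new HashMap<>();

    public void grant(String user, String action) {
        matrix.computeIfAbsent(user, k -> new HashSet<>()).add(action);
    }

    public void addRule(String action, BiPredicate<String, Map<String, Object>> rule) {
        rules.put(action, rule);
    }

    /** Simple case: a plain lookup in the matrix. */
    public boolean isValid(String user, String action) {
        return matrix.getOrDefault(user, Collections.emptySet()).contains(action);
    }

    /** Custom case: the matrix entry must exist, and any rule registered for the action must pass. */
    public boolean isValid(String user, String action, Map<String, Object> data) {
        if (!isValid(user, action)) return false;
        BiPredicate<String, Map<String, Object>> rule = rules.get(action);
        return rule == null || rule.test(user, data);
    }

    /** Rule from the text: access only Monday to Friday, judged from the request time carried in data. */
    static boolean weekdaysOnly(String user, Map<String, Object> data) {
        Object when = data.get("requestTime");
        if (!(when instanceof ZonedDateTime)) return false; // missing or malformed context: deny
        DayOfWeek day = ((ZonedDateTime) when).getDayOfWeek();
        return day != DayOfWeek.SATURDAY && day != DayOfWeek.SUNDAY;
    }

    public static void main(String[] args) {
        SimpleAccessController ac = new SimpleAccessController();
        ac.grant("alice", "read:/reports/q4.pdf");
        ac.addRule("read:/reports/q4.pdf", SimpleAccessController::weekdaysOnly);
        // Constructed sample times: 2008-12-11 is a Thursday, 2008-12-13 a Saturday.
        for (String ts : new String[] {"2008-12-11T10:03:00Z", "2008-12-13T10:03:00Z"}) {
            Map<String, Object> data = Map.of("requestTime", ZonedDateTime.parse(ts));
            System.out.println(ts + " alice -> " + ac.isValid("alice", "read:/reports/q4.pdf", data)
                + ", bob -> " + ac.isValid("bob", "read:/reports/q4.pdf", data));
        }
    }
}
```

Because the rule only refines a matrix entry that already exists, a user with no matrix row (bob above) is denied before any rule runs, and a request that lacks the time context is denied rather than treated as a weekday.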