RESTful Authorization Model Considerations

Considering the fact that URIs map to resources in a RESTful design, an authorization model almost automatically means a URI authorization model:

• URIs are subject to authorization decisions
  
• URIs offer a hierarchical authorization scheme
  
• additionally, the limited list of allowed actions (verbs) leads way to a simple definition of ACLs (Access Control List), more or less the same as for file systems (read,write etc etc)

All in all this design is quite a non-event since it all fits together quite obviously.

One thing to consider is the old question of attribute based security decisions. A real world example is a blog where the author first checks the comments before publishing them. The attribute would be whether the comment already has been reviewed or not.

There are 2 possibilities to do do the authorization check in a declarative manner:

1. either the ACL is attached directly to the resource
   
2. or the resources (posts to be reviewed) are stored in another place of the URL hierarchy, e.g. '/comments/review' instead of '/comments'. The ACL would be attached to the directory instead of the resource itself (directory being a resource in its on right)
   

Both make use of ACL which looks something like this:

ACL(resource):

• reviewer:read/write/delete (this allows to move)
• author: read/write

Both possibilities have got their respective advantages. The second one seems to be easier, but has an impact on the hierarchy of resources. Is it allowed to define a resource hierarchy according to a cross-cutting concern like security?