Samstag, 19. April 2008

RESTful Authorization Model Considerations

Considering the fact that URIs map to resources in a RESTful design, an authorization model almost automatically means a URI authorization model:
  • URIs are subject to authorization decisions
  • URIs offer a hierarchical authorization scheme
  • additionally, the limited list of allowed actions (verbs) leads way to a simple definition of ACLs (Access Control List), more or less the same as for file systems (read,write etc etc)
All in all this design is quite a non-event since it all fits together quite obviously.

One thing to consider is the old question of attribute based security decisions. A real world example is a blog where the author first checks the comments before publishing them. The attribute would be whether the comment already has been reviewed or not.

There are 2 possibilities to do do the authorization check in a declarative manner:
  1. either the ACL is attached directly to the resource
  2. or the resources (posts to be reviewed) are stored in another place of the URL hierarchy, e.g. '/comments/review' instead of '/comments'. The ACL would be attached to the directory instead of the resource itself (directory being a resource in its on right)
Both make use of ACL which looks something like this:

  • reviewer:read/write/delete (this allows to move)
  • author: read/write
Both possibilities have got their respective advantages. The second one seems to be easier, but has an impact on the hierarchy of resources. Is it allowed to define a resource hierarchy according to a cross-cutting concern like security?

Keine Kommentare: