Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Unrestricted URL Access
Authorization is a security measure in computing that specifies the access and usage privileges for resources such as data, files, programs, and devices.
Types of Authorization - by Resources
- File system authorization: specifies what users or roles are allowed to access certain files and programs that reside on the web server's file system.
- URL authorization: specifies what users or roles are allowed to access certain pages or directories in the application. It is used by many ASP.NET websites with forms-based authentication to support user accounts and to define the portions of the site that are accessible only to authenticated users, or only to users that belong to a certain role.
- Database authorization: specifies what users or roles are allowed to access certain databases and their associated resources in a DBMS.
Types of Authorization - by Entity
- User-based authorization: specifies which web pages or entire directories are accessible only to a specified subset of users. Page-level functionality can be turned on or off based on the currently logged-in user, through programmatic and declarative means.
- Role-based authorization: applying authorization rules on a user-by-user basis can grow into a bookkeeping nightmare. A more maintainable approach is role-based authorization: URL authorization rules can specify roles instead of users.
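The rule evaluation behind ASP.NET URL authorization, as an added example that is not part of the slides: a small Python model (rather than a web.config) of first-match allow/deny evaluation, used to show why rule order and the "*" versus "?" wildcards decide whether a role restriction on a directory actually holds. The rule tuples, paths, user names and role names are constructed for illustration.

```python
# Added example: model of ASP.NET URL-authorization rule evaluation.
# Rule tuples are an assumption mirroring <allow users="..."/>, <deny roles="..."/>.
# Semantics modelled: first matching rule wins; rules of the most specific
# <location> are checked first, then the parents, then the machine-level
# default <allow users="*"/>.  "*" means everyone, "?" means anonymous only.
from typing import Optional

MACHINE_DEFAULT = [("allow", "users", "*")]   # root rule ASP.NET applies last

def rule_matches(rule: tuple, user: Optional[str], roles: set) -> bool:
    """True if the rule applies to this principal; user=None means anonymous."""
    _action, kind, value = rule
    if kind == "users":
        if value == "*":
            return True                       # everyone, anonymous included
        if value == "?":
            return user is None               # anonymous requests only
        return user is not None and user.lower() == value.lower()
    if kind == "roles":
        return value in roles
    raise ValueError(f"unknown rule kind {kind!r}")

def _covers(location: str, path: str) -> bool:
    """A <location> covers its own path and everything below it."""
    return path == location or path.startswith(location.rstrip("/") + "/")

def is_authorized(rules_by_path: dict, path: str, user: Optional[str], roles: set) -> bool:
    """Evaluate the merged rule list for `path`; first match decides."""
    locations = sorted((p for p in rules_by_path if _covers(p, path)), key=len, reverse=True)
    merged = [r for loc in locations for r in rules_by_path[loc]] + MACHINE_DEFAULT
    for rule in merged:
        if rule_matches(rule, user, roles):
            return rule[0] == "allow"
    return False                              # unreachable: "*" always matches

# Weak configuration (constructed): the author meant "only Administrators may
# reach /Admin", but <deny users="?"/> blocks anonymous users only, so any
# logged-in member falls through to the site-wide <allow users="*"/>.
WEAK = {
    "/":      [("allow", "users", "*")],
    "/Admin": [("deny", "users", "?"), ("allow", "roles", "Administrators")],
}

# Corrected: grant the role first, then deny everyone else with "*", so the
# parent and machine-level rules never get a chance to grant access.
FIXED = {
    "/":      [("deny", "users", "?")],       # whole site requires login
    "/Admin": [("allow", "roles", "Administrators"), ("deny", "users", "*")],
}

if __name__ == "__main__":
    print(is_authorized(WEAK, "/Admin/users.aspx", "alice", {"Members"}))   # True: the hole
    print(is_authorized(FIXED, "/Admin/users.aspx", "alice", {"Members"}))  # False
```

The same first-match logic is why a `<deny>` placed after a broader `<allow>` in a real web.config never fires; put the most specific rule first and end with `<deny users="*"/>`.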