Dr. Drew Hwang, CIS, Cal Poly Pomona
Secure Web Development
Authorization
Authorization is a security measure in computing that specifies the access and usage privileges for resources such as data, files, programs, and devices.
Types of Authorization - by Resource
File authorization
- specifies which users or roles are allowed to access certain files and programs that reside on the web server's file system
URL authorization
- specifies which users or roles are allowed to access certain pages or directories in the application
- used by many ASP.NET websites with forms-based authentication to support user accounts and to define the portions of the site that are accessible only to authenticated users or to users that belong to a certain role
Data authorization
- specifies which users or roles are allowed to access certain databases and the associated resources of a DBMS
Types of Authorization - by Entity
User-based authorization
- specifies which web pages or entire directories are accessible only to a specified subset of users
- page-level functionality can be turned on or off based on the currently logged-in user, through programmatic and declarative means
Role-based authorization
- applying authorization rules on a user-by-user basis can grow into a bookkeeping nightmare; a more maintainable approach is role-based authorization
- URL authorization rules can specify roles instead of users
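As an added illustration (not part of the original notes) of role-based URL authorization in an ASP.NET site using forms authentication, the web.config fragment below denies anonymous users site-wide and restricts the Admin directory to one role. The directory name Admin, the role name Administrators, and the Login.aspx page are assumed values chosen for the example.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms-based authentication: unauthenticated requests are redirected to the login page -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>

    <!-- Site-wide URL authorization rule.
         "?" means anonymous users; "*" means all users.
         Rules are evaluated top-down and the first matching rule wins. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Role-based rule for the Admin directory (assumed directory and role names).
       Location rules are checked before the site-wide rules above. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <!-- Without this explicit deny, everyone not matched above would fall
             through to less specific rules, which by default allow all users. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because of first-match evaluation, placing the deny rule above the allow rule would lock Administrators out as well, so the order of allow and deny elements is part of the security decision, not just style.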