The latest Site-Reference newsletter is reprinted here. The featured article is “Web 2.0 Access Control: Part 1” by Rick Morrison. [Site Reference Newsletter]


Web 2.0 Access Control: Part 1

by Rick Morrison

So – you are wrapping up development of yet another Web app. The database is in place, CRUD functions are working, user interface and reports have been signed off. Now your thoughts are turning to access control. Just enough time to splice in that trusty user authentication and roles module, make a few tweaks and move on to the next project.

Wait! Do you really want to contribute yet another authorization stovepipe to the growing forest? We all curse the proliferation of authentication and authorization “solutions” on the Web. Yet we continue to treat access control as an afterthought.

Developers accept the benefits of adopting third-party solutions for common functions such as data storage, cryptography, numerical analysis, parsing, etc., yet we continue to roll our own application access control solutions. Why? The disadvantages of roll-your-own (RYO) access control are obvious: application-specific user accounts and passwords proliferate, each application reinvents how roles should be implemented — perhaps even a language for specifying access constraints — and, if integration with an external authentication framework is required, each application must implement interfaces to the drivers. This is irritating to our users, a headache for those who administer the applications, and costly to maintain.

In this three-part series we develop a set of Web 2.0 best practices for “outsourcing” the access control problem. Following these practices produces applications that readily integrate into an organization’s existing access control infrastructure, and simplifies application development and maintenance.

Examples are based on DACS – the Distributed Access Control System. DACS is a mature, lightweight open source system for single sign-on and data-driven access control.

The Basics

It’s often said that access control is about “who”, “what” and “how”: who is authorized to access what, and under what conditions (how). On the Web, “what” is often an HTTP request, but it might also be an operation defined in the context of an application, a database or file access. And “how” might include conditions such as the time of the request, the type of request (e.g. GET, POST, DELETE), the value of a parameter, etc.

Usually we equate “who” with a human user, but it may be any subject capable of being authenticated by demonstrating knowledge of a secret (such as a password), or by possession of some other information (such as a certificate or biometric). By authenticating, a subject provides proof of identity that a Web site or application may rely on in authorizing various forms of access to content or services.

There are a thousand details, but at its simplest that’s about it. Blogs, wikis, online shops, Web database applications and vanilla Web sites all need to know who they are interacting with and what access rights they have.

What’s the Problem?

The first problem is for users: how to prove their digital identity on the Web. The unfortunate answer is: over and over again, at every site or application they interact with. Each site, and each application within a site, defines its own “identity silo.” Dick Hardt, in his excellent presentation on Identity 2.0, describes these legacy approaches to digital identity as site-centric. Sites understand their identity, not your identity. Typically, such sites or applications authenticate users by some form of username/password lookup. Your identity is recognized only at that site; you can’t take it anywhere else. It’s their user list; it’s their identity.

The second problem is for software developers. Even if developers could depend on the availability of a universal digital identity system, they still have to implement authorization. It isn’t enough to know just who: an application often needs to know what roles the user has, what groups she belongs to, and what other conditions must be satisfied to allow access. But these attributes aren’t carried in a user’s third party credentials; they are assigned by the site or application. It might be your identity but it’s still the application’s roles database and policy enforcement mechanism.

Something is wrong with this picture. The assignment of roles and the definition of access policies is clearly the business of the organization deploying the application, yet the application itself is dictating how these will be defined. And each application does so in its own idiosyncratic way. If Identity 1.0 is site-centric, it seems that “Authorization 1.0” is application-centric.

The problems of site-centric identity and application-centric authorization are hardly limited to the Internet. Even corporate intranets are affected, despite being operated by organizations with an interest and capacity to manage the provisioning of user accounts and the deployment of Web content and applications. Corporate organization structure is partly to blame: the IT environment of large companies and government bureaucracies is hardly homogeneous. Over time organizations evolve, adding and reorganizing departments. Internal Web sites evolve to reflect these changes. Departments adopt different Web servers, different application platforms, deploy applications according to their differing mandates, and often require autonomous control over access to departmental content and services.

Common IT service groups are reluctant to make changes to the legacy platform due to its complexity and fear of breakage. Instead they often respond with arcane mechanisms for centralized user account creation and propagation or purchase elaborate commercial identity management applications. Employees have a single username and password (modulo propagation delays) but the holy grail of single sign-on is rarely achieved. It is common for corporate users to be required to authenticate and re-authenticate as they cross departmental and application boundaries. HTTP basic/digest authentication, by partitioning a URI space into realms, tends toward a fenced Web landscape. And today’s applications that implement their own user accounts are seldom amenable to integration within an organization’s existing authentication environment.

Identity 2.0 and Authorization 2.0

Hardt believes that Web 2.0 will run on user-centric identity: identity verified using portable credentials provided by a trusted third party, just as passports and driver’s licenses are used to prove identity in non-digital transactions. The credentials are said to be asymmetric: the issuer is unaware of where or how they are being used, making for a highly scalable architecture.

We suggest that Web 2.0 authorization will be organization-centric: organizations will define roles, associate roles with users, and set access policies within an organization-wide authorization framework that is external to its applications. Authorization 2.0 applications will understand Identity 2.0 and will exploit these external authorization frameworks to drive their access control logic.
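To make the who/what/how model from “The Basics” and the organization-centric pattern described here concrete, the following is an added example (not code from the article, and not DACS’s own mechanism): role assignments and access rules live in data owned by the organization, and the application asks a decision function rather than hard-coding role checks. The subjects, roles, resource patterns, time window and parameter rule are all constructed for illustration.

```python
from datetime import datetime, time
from fnmatch import fnmatch

# Roles are assigned by the organisation, outside the application.
# (Constructed directory data for this example.)
ROLES = {"alice": {"editor", "staff"}, "bob": {"staff"}}

# Organisation-owned policy store. Each rule names WHAT (a resource
# pattern), WHO ("*" = any authenticated subject, else a role set) and HOW
# (HTTP methods, an optional time window, optional allowed parameter
# values). Constructed rules for illustration.
POLICY = [
    {"resource": "/blog/*", "methods": {"GET"}, "roles": {"*"}},
    {"resource": "/blog/*", "methods": {"POST", "DELETE"}, "roles": {"editor"}},
    {"resource": "/reports/*", "methods": {"GET"}, "roles": {"staff"},
     "hours": (time(8, 0), time(18, 0)), "params": {"format": {"html", "pdf"}}},
]


def _rule_permits(rule, roles, resource, method, at, params):
    """True if this single rule grants the request in full."""
    if not fnmatch(resource, rule["resource"]) or method not in rule["methods"]:
        return False
    if "*" not in rule["roles"] and not (roles & rule["roles"]):
        return False
    if "hours" in rule:
        start, end = rule["hours"]
        if not (start <= at.time() < end):
            return False
    for name, allowed in rule.get("params", {}).items():
        if params.get(name) not in allowed:
            return False
    return True


def evaluate(subject, resource, method, at, params=None):
    """Policy decision point consulted by the application (the enforcement
    point). 'at' is an ISO-8601 timestamp string. Unknown subjects, and
    requests matched by no rule, are denied: deny by default."""
    if subject not in ROLES:
        return False
    when = datetime.fromisoformat(at)
    return any(_rule_permits(r, ROLES[subject], resource, method, when, params or {})
               for r in POLICY)


if __name__ == "__main__":
    print(evaluate("alice", "/blog/42", "DELETE", "2024-01-01T10:00"))  # True
    print(evaluate("bob", "/reports/q1", "GET", "2024-01-01T22:00",
                   {"format": "pdf"}))                                  # False
```

Changing who may delete posts, or the hours during which reports are readable, is then an edit to the organization’s policy data, not a code change in the application.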

Standards Efforts

If, as some say, Web 2.0 is the “writable Web,” authentication and authorization will be central to its success. But there is a gulf between current practice and the vision, and standards will be critical to bridging it.

A longer list is included in the references, but special mention must be made of two key OASIS standards initiatives: SAML, the Security Assertion Markup Language, and XACML, the eXtensible Access Control Markup Language.

SAML defines a mechanism for the exchange of authentication and authorization information between organizations. In particular, SAML provides a way to implement single sign-on over the Web. Participating SAML identity providers pass assertions which may be relied upon by service providers in making access control decisions. XACML, on the other hand, defines an XML schema and namespace for a language in which to express access control policies. A service provider might drive its access control decisions off an XACML policy store.

SAML and XACML continue to gain traction in large organizations and federated Web settings, but their expressive power and flexibility cannot be exploited without significant and ongoing coordination effort amongst participating organizations. For now, SAML and XACML may simply be too heavy, and the ROI too small, for widespread adoption. For many organizations, baby steps are needed to make progress towards the Web 2.0 vision.

Conclusion

In this article we have argued the merits of user-centric identity and organization-centric authorization as foundations for Web 2.0. In the next article in the series we outline a lightweight approach to access control based on these principles.

References

DACS – the Distributed Access Control System: a lightweight distributed authentication and authorization framework for the federated Web.

Identity 2.0 Presentation, Dick Hardt, Sxip Identity.

OpenID: a decentralized identity based on “ownership” of a URL at an OpenID-enabled server.

OpenSAML: a set of open source Java and C++ libraries implementing the SAML 1.1 Specification. OpenSAML has been produced by Internet2 members as part of their work on the Shibboleth Project.

xdi.org: an international non-profit public trust organization governing open public XRI (Extensible Resource Identifier) and XDI (XRI Data Interchange) infrastructure.

About This Author

Rick Morrison is President of Metalogic Software Corporation, a software development firm specializing in federated applications and services for Web 2.0. With DSS – Distributed Systems Software, Metalogic is co-developer of DACS – the Distributed Access Control System (http://dacs.dss.ca). Rick has over fifteen years’ experience developing innovative software for the Web in commercial, government and research settings. Contact Rick at http://2idi.com/contact/@metalogicsoftware.

More Articles

Top 5 Myths About Article Marketing

I’ve heard every excuse, misconception and myth about why people can’t profit from article marketing. The bottom line is that article marketing has never been more effective. This article debunks the myths others spread to keep you from getting all of the benefits of article marketing.

Tale Of Two Internet Marketers

Read this entertaining story about how two internet marketers started out from nothing, but ended up in very different places. You’ll discover the 4 critical factors that led to the Million Dollar Internet Marketer.

Which is Best to Article Write or to Blog

With the popularity of weblogs, or blogs, these days, many webmasters are beginning to wonder if article writing has become a thing of the past. It used to be that, for promotion purposes, webmasters would deposit articles with links into web directories. This was done in the hope that the article would be displayed on many different websites with links leading back to their own. For the most part this worked, and it worked well for building backward links and higher ranking in search engines. Is it still the way to go for promoting a website? The answer is: it depends.

2006 Reflections and 2007 Predictions

For the most part in 2006, the world escaped Nature’s wrath, but people were far less kind to their neighbors. Again technology has brought the tragedies of war and the personal stories of families from the farthest corners of the earth to the doorsteps of the West. Citizen journalism and Internet propagation have added a complex layer to the stories. The growth of YouTube, blogs, podcasting and RSS has personalized the media and given listeners and watchers a personal connection to the reports.


*IMNewswatch would like to thank Site-Reference for granting permission to reprint the latest newsletter.