Security and Authorization
Authorization—what’s that all about? Did you think we’d already done security in Chapter 5? Shouldn’t we be finished with it? Do we really need to keep looking at security? Well, we did do some security work in Chapter 5, but we in no way finished the subject. In Chapter 5, we focused on authentication: we found strategies for letting our users prove who they are. However, just because our web site knows who it is dealing with doesn’t mean that it knows what that user is permitted to do. What rights to data do they have? What can they see? What can they do? Our security system is URL based, so we were able to restrict certain users to certain pages, but everyone is allowed to use the RPC mechanism, so if that’s not secure, nothing is. On top of this, just because we know who’s logged in doesn’t mean we can be sure the request actually came from that user; it could have been issued by a malicious script running in their browser.
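The two gaps described above, RPC calls that bypass URL-based page security and authenticated requests that a foreign script triggered, are both closed on the server side. The following is an added example, not code from the book: a small RPC dispatcher that (1) only serves methods on a white list, with the roles allowed to call each; (2) rejects any call that does not carry the per-session token the page embedded, which a script on another origin cannot read; and (3) applies an object-level rule when a forum post is edited. The session store, roles, post data, `X-CSRF-Token` header name and method names are all assumptions constructed for the demonstration.

```python
"""Server-side authorization and request-origin checks for an RPC endpoint.

Added example (not the book's code). All names, roles and sample data
below are constructed assumptions for the demonstration.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """A logged-in user: identity, roles, and a token only this user's page knows."""
    user: str
    roles: set
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


# Constructed sample state: two sessions and two forum posts.
SESSIONS = {
    "sess-alice": Session("alice", {"member"}),
    "sess-mod": Session("mod", {"member", "moderator"}),
}
POSTS = {1: {"author": "alice", "body": "hello"}, 2: {"author": "bob", "body": "hi"}}

# White list: a method not listed here cannot be called at all, logged in or not.
RPC_WHITELIST = {
    "listPosts": {"member"},
    "editPost": {"member"},
    "deletePost": {"moderator"},
}


def list_posts(session, args):
    return sorted(POSTS)


def edit_post(session, args):
    post = POSTS[args["id"]]  # KeyError if the post does not exist
    # Object-level rule: only the author or a moderator may edit a post.
    if post["author"] != session.user and "moderator" not in session.roles:
        raise PermissionError("not the author")
    post["body"] = args["body"]
    return "ok"


def delete_post(session, args):
    POSTS.pop(args["id"], None)
    return "ok"


HANDLERS = {"listPosts": list_posts, "editPost": edit_post, "deletePost": delete_post}


def handle_rpc(session_id, headers, method, args):
    """Authorize and dispatch one RPC call; returns (status, payload)."""
    session = SESSIONS.get(session_id)
    if session is None:
        return ("unauthenticated", None)
    # The browser attaches the session cookie to any request, including one a
    # hostile page triggers, but that page cannot read the token we embedded.
    # Compare in constant time so the check does not leak timing information.
    token = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return ("bad-origin", None)
    allowed_roles = RPC_WHITELIST.get(method)
    if allowed_roles is None:
        return ("unknown-method", None)
    if not (session.roles & allowed_roles):
        return ("forbidden", None)
    try:
        return ("ok", HANDLERS[method](session, args))
    except PermissionError as exc:
        return ("forbidden", str(exc))
    except KeyError:
        return ("not-found", None)


if __name__ == "__main__":
    tok = SESSIONS["sess-alice"].csrf_token
    print(handle_rpc("sess-alice", {}, "listPosts", {}))                      # bad-origin
    print(handle_rpc("sess-alice", {"X-CSRF-Token": tok}, "listPosts", {}))   # ok
    print(handle_rpc("sess-alice", {"X-CSRF-Token": tok}, "deletePost", {"id": 2}))  # forbidden
```

The order of the checks matters: identity first, then proof that the request came from that user's page, then the method white list, and only then the per-object rule inside the handler. Each layer is independent of the URL the request arrived on, which is exactly what the page-level scheme from Chapter 5 cannot provide for RPC.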
Keywords: Client Side, Service Layer, White List, Forum Post, Security Hole