
Re: [AC] Access Control Algorithm

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 27 Mar 2007 15:24:23 +0200
To: Anne van Kesteren <annevk@opera.com>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <20070327132423.GN3485@raktajino.does-not-exist.org>

On 2007-03-27 14:53:49 +0200, Anne van Kesteren wrote:

> The advantages of this proposal are that each header rule and
> each processing instruction contributes one item which is
> individually analyzed. It's not really clear why this is needed
> or desirable though especially as it also allows scenarios as
> pointed out above. The main problem with this approach is that
> it's quite complex to grasp

What's complex about it again?

> The other idea which was specified initially is that all rules
> specified by HTTP headers and processing instructions are
> combined into two global lists. One list of allow rules and one
> list of exceptions to those allow rules. (The latter could
> probably be called "deny" as it would be effectively the same.)

> The algorithm for this would be that once both lists are
> constructed you first match the request URL against the items in
> the allow list and if there's a match and there's no match in the
> exception / deny list you grant access. Otherwise access is
> denied. (Assuming that the access control read policy is
> applicable to the requested resource.)

So this is equivalent to the one-pair special case of the first
proposal, right?

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 27 March 2007 13:24:38 GMT
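As an added illustration (not code from this thread or from the WAF working group), here are the two evaluation models the quoted message contrasts, side by side: per-item analysis of each rule versus merging everything into one global allow list and one global exception list. The rule format is an assumption of this example (one allow pattern plus optional excludes per rule, hostname globs matched against the host of the request URL); it goes slightly beyond the message by constructing an input on which the two models disagree, and one on which they agree.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class Rule:
    """One rule as contributed by a header or a processing instruction.
    Assumed format for this example: a hostname glob that allows access,
    plus zero or more hostname globs that are excluded from that allowance."""
    allow: str
    exclude: tuple = ()


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def matches(pattern: str, host: str) -> bool:
    # fnmatch-style glob; note "*" also spans dots, so "*.example.org"
    # matches any depth of subdomain but not the bare "example.org".
    return fnmatchcase(host, pattern.lower())


def per_item_decision(rules, url):
    """Proposal 1: every rule is analyzed individually. Access is granted if
    any single rule allows the host and that same rule does not exclude it."""
    host = host_of(url)
    return any(matches(r.allow, host)
               and not any(matches(x, host) for x in r.exclude)
               for r in rules)


def global_lists_decision(rules, url):
    """Proposal 2: all allow patterns form one global allow list and all
    excludes one global exception (deny) list. Grant only if some allow
    entry matches and no exception entry matches."""
    host = host_of(url)
    allow_list = [r.allow for r in rules]
    deny_list = [x for r in rules for x in r.exclude]
    return (any(matches(a, host) for a in allow_list)
            and not any(matches(d, host) for d in deny_list))


# Constructed rules: the first as if from an HTTP header, the second as if
# from a processing instruction that later re-allows the excluded host.
RULES = [Rule("*.example.org", exclude=("untrusted.example.org",)),
         Rule("untrusted.example.org")]


def compare(url, rules=RULES):
    """Returns (per-item verdict, global-lists verdict) for a request URL."""
    return per_item_decision(rules, url), global_lists_decision(rules, url)
```

With a single rule the two verdicts always coincide, which is the one-pair special case; with the two constructed rules above they differ for the re-allowed host, because the global deny list wins regardless of which rule contributed the exception.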
