W3C home > Mailing lists > Public > public-appformats@w3.org > March 2007

Re: [AC] Access Control Algorithm

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 27 Mar 2007 15:38:18 +0200
To: "Thomas Roessler" <tlr@w3.org>
Cc: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.tpun54ff64w2qv@id-c0020>

On Tue, 27 Mar 2007 15:24:23 +0200, Thomas Roessler <tlr@w3.org> wrote:
>> The advantages of this proposal are that each header rule and
>> each processing instruction contributes one item which is
>> individually analyzed. It's not really clear why this is needed
>> or desirable though especially as it also allows scenarios as
>> pointed out above. The main problem with this approach is that
>> it's quite complex to grasp
>
> What's complex about it again?

  (1) It's hard to explain how it works. The WG has repeatedly
      misunderstood the model.

  (2) It's unclear what problem having them grouped solves. All
      problems that are solved by this proposal are also solved
      by the other (two global lists) proposal.

  (3) People can easily misunderstand it. The example I included
      should demonstrate that I think.


>> The other idea which was specified initially is that all rules
>> specified by HTTP headers and processing instructions are
>> combined into two global lists. One list of allow rules and one
>> list of exceptions to those allow rules. (The latter could
>> probably be called "deny" as it would be effectively the same.)
>
>> The algorithm for this would be that once both lists are
>> constructed you first match the request URL against the items in
>> the allow list and if there's match and there's no match in the
>> exception / deny list you grant access. Otherwise access is
>> denied. (Assuming that the access control read policy is
>> applicable to the requested resource.
>
> So this is equivalent to the one-pair special case of the first
> proposal, right?

Yes, except that the one-pair is formed using all HTTP headers and  
processing instructions from the resource. The rest should remain  
equivalent imo.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 27 March 2007 13:38:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:10:21 GMT