
Re: [WAC] regexps in WebAccessControl

From: mike amundsen <mamund@yahoo.com>
Date: Sun, 18 Nov 2012 13:11:14 -0500
Message-ID: <CAPW_8m4GR4GRJSeLMjGMGLVR62SAiJLXZSJv1soBi85B9ECCXw@mail.gmail.com>
To: Ruben Verborgh <ruben.verborgh@ugent.be>
Cc: nathan@webr3.org, Read-Write-Web <public-rww@w3.org>
<snip>
In the proposed method, using a regex, the method would actually work on a
whole set of URIs:

  hasAccess(URLpattern, method, identity) = true/false

In this solution, you're not identifying a resource.
Thereby, you're restricting the URIs your resources can have (or the
permissions a resource with a certain URI pattern can have).
</snip>

so the problem here is not securing based on URI. the problem here is an
implementation detail that uses a regular expression to secure based on URI
*pattern*, right?

mca
+1.859.757.1449
skype: mca.amundsen
http://amundsen.com/blog/
http://twitter.com/mamund
https://github.com/mamund
http://www.linkedin.com/in/mikeamundsen


On Sun, Nov 18, 2012 at 12:59 PM, Ruben Verborgh <ruben.verborgh@ugent.be> wrote:

>> i *always* (as far back as i can remember) secure the interface (resources
>> on the server) via the URL.
>>
>
> I secure by resource:
>
>   hasAccess(resource, method, identity) = true/false
>
> Of course, you can say that, since a resource is identified by a URL, this
> can equally be
>
>   hasAccess(URL, method, identity) = true/false
>
> But this is because the URI uniquely identifies a resource.
>
> In the proposed method, using a regex, the method would actually work on a
> whole set of URIs:
>
>   hasAccess(URLpattern, method, identity) = true/false
>
> In this solution, you're not identifying a resource.
> Thereby, you're restricting the URIs your resources can have (or the
> permissions a resource with a certain URI pattern can have).
>
> Ruben
>
Received on Sunday, 18 November 2012 18:12:02 GMT
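
The contrast drawn in this thread between hasAccess(URL, ...) and hasAccess(URLpattern, ...), as an added example that is not part of either message. The URLs, identities and rule layout are constructed assumptions, not WebAccessControl syntax.

```python
import re

# Constructed sample rules (assumed layout, not taken from the thread).
# Per-resource form: each URL identifies exactly one resource.
RESOURCE_ACL = {
    ("https://example.org/alice/notes/1", "GET"): {"alice", "bob"},
    ("https://example.org/alice/notes/1", "PUT"): {"alice"},
}

# Pattern form: each rule applies to the whole set of URIs it matches.
NOTES = re.compile(r"https://example\.org/alice/notes/.*")
PATTERN_ACL = [
    (NOTES, "GET", {"alice", "bob"}),
    (NOTES, "PUT", {"alice"}),
]


def has_access_resource(url, method, identity):
    """hasAccess(URL, method, identity): default deny unless this exact
    resource has an entry for the method and identity."""
    return identity in RESOURCE_ACL.get((url, method), set())


def has_access_pattern(url, method, identity):
    """hasAccess(URLpattern, method, identity): grant if any rule whose
    pattern matches the full URL lists the identity for the method."""
    return any(
        rule_method == method
        and identity in identities
        and pattern.fullmatch(url) is not None
        for pattern, rule_method, identities in PATTERN_ACL
    )


if __name__ == "__main__":
    # A resource created later, with no ACL entry of its own (constructed).
    draft = "https://example.org/alice/notes/private-draft"
    # The same kind of resource published under a different path (constructed).
    moved = "https://example.org/alice/shared/1"
    for url in (draft, moved):
        print(url,
              "resource:", has_access_resource(url, "GET", "bob"),
              "pattern:", has_access_pattern(url, "GET", "bob"))
```

Under the pattern rules the draft inherits bob's read access purely from the shape of its URI, and the note under /shared/ gets no access until a rule is written for that path, which is the coupling between URI layout and permissions that Ruben describes.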
