- From: mike amundsen <mamund@yahoo.com>
- Date: Sun, 18 Nov 2012 13:11:14 -0500
- To: Ruben Verborgh <ruben.verborgh@ugent.be>
- Cc: nathan@webr3.org, Read-Write-Web <public-rww@w3.org>
- Message-ID: <CAPW_8m4GR4GRJSeLMjGMGLVR62SAiJLXZSJv1soBi85B9ECCXw@mail.gmail.com>
<snip>
In the proposed method, using a regex, the method would actually work on a whole set of URIs:

hasAccess(URLpattern, method, identity) = true/false

In this solution, you're not identifying a resource.
Thereby, you're restricting the URIs your resources can have (or the permissions a resource with a certain URI pattern can have).
</snip>

so the problem here is not securing based on URI. the problem here is an implementation detail that uses a regular expression to secure based on URI *pattern*, right?

mca
+1.859.757.1449
skype: mca.amundsen
http://amundsen.com/blog/
http://twitter.com/mamund
https://github.com/mamund
http://www.linkedin.com/in/mikeamundsen

On Sun, Nov 18, 2012 at 12:59 PM, Ruben Verborgh <ruben.verborgh@ugent.be> wrote:

>> i *always* (as far back as i can remember) secure the interface (resources
>> on the server) via the URL.
>
> I secure by resource:
>
> hasAccess(resource, method, identity) = true/false
>
> Of course, you can say that, since a resource is identified by a URL, this
> can equally be
>
> hasAccess(URL, method, identity) = true/false
>
> But this is because the URI uniquely identifies a resource.
>
> In the proposed method, using a regex, the method would actually work on a
> whole set of URIs:
>
> hasAccess(URLpattern, method, identity) = true/false
>
> In this solution, you're not identifying a resource.
> Thereby, you're restricting the URIs your resources can have (or the
> permissions a resource with a certain URI pattern can have).
>
> Ruben
Received on Sunday, 18 November 2012 18:12:02 UTC
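
Added example, not part of the original message or of any participant's code: the two `hasAccess` forms from the thread side by side in Python, with an audit helper that lists resources a pattern rule covers without anyone having written a per-resource rule for them. The URLs, identities, rule tables and function names are constructed for illustration.

```python
import re

# Constructed sample rules (assumption, not from the thread).
# Per-resource form: each key names exactly one URL, i.e. one resource.
RESOURCE_ACL = {
    ("/reports/2012", "GET"): {"alice", "bob"},
    ("/reports/2012", "PUT"): {"alice"},
}

# Pattern form: each rule covers every URL the regex matches.
PATTERN_ACL = [
    (re.compile(r"/reports/.*"), "GET", {"alice", "bob"}),
    (re.compile(r"/reports/.*"), "PUT", {"alice"}),
]


def has_access_by_url(url, method, identity):
    """hasAccess(URL, method, identity): the URL identifies one resource."""
    return identity in RESOURCE_ACL.get((url, method), set())


def has_access_by_pattern(url, method, identity):
    """hasAccess(URLpattern, method, identity): first matching rule decides."""
    for pattern, rule_method, identities in PATTERN_ACL:
        # fullmatch anchors the regex at both ends of the URL path
        if rule_method == method and pattern.fullmatch(url):
            return identity in identities
    return False  # default deny when no rule matches


def implicitly_covered(urls, method, identity):
    """URLs where a pattern grants access but no per-resource rule exists."""
    return [
        u for u in urls
        if has_access_by_pattern(u, method, identity)
        and not has_access_by_url(u, method, identity)
    ]


if __name__ == "__main__":
    # "/reports/payroll" is a resource created after the rules were written.
    site = ["/reports/2012", "/reports/payroll", "/admin"]
    for url in site:
        print(url,
              "by-url:", has_access_by_url(url, "GET", "bob"),
              "by-pattern:", has_access_by_pattern(url, "GET", "bob"))
    print("implicitly covered for bob:", implicitly_covered(site, "GET", "bob"))
```

With the pattern form, the permissions of `/reports/payroll` are fixed by where its URI falls, which is the coupling between URI layout and permissions that the quoted message describes.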