59 votes

Is it ok to have validation layer before access control layer

It depends on whether knowing the validity of some input for a task that you aren't permitted to do is a security leak. If it is, you really should do it the other way round. The only safe ...
Caleth • 12.4k
25 votes

Is it ok to have validation layer before access control layer

Well, there are multiple types of validation: Cheap basic sanity-checking, which verifies that the request is not obviously malformed. This is typically at least partially duplicated client-side, to ...
Deduplicator • 9,309
15 votes

Is it ok to have validation layer before access control layer

There must be some validation before access control. Let's say SO's API has an endpoint "edit answer", then whether the user can edit a particular answer can depend on the answer (below a certain ...
Sebastian Redl
13 votes

Should access control be implemented in controller or repository layer?

Ideally, if you really require a high level of security, the DB itself should not return any data for which the requester does not have the permission. With this idealistic idea in mind, the answer ...
Doc Brown • 220k
10 votes
Accepted

What's the difference between policy vs permission based access control?

The classic example of policy based auth, which I'm sure you have seen if you have googled, is an alcohol-selling app, which in (normal countries) would read: Allow user if user.age > 18 this is ...
Ewan • 84.4k
10 votes
Accepted

RBAC vs PBAC vs ACL

Scenario A is just ACL. The permission table is the access control list. Scenario B is RBAC, just as you suspected. As an exercise for you, think about extending your example for users belonging to ...
Doc Brown • 220k
8 votes

Should access control be implemented in controller or repository layer?

Security should be applied by your framework before the Controller. In most frameworks this means you grant access to Controller Methods. Controller: The controller will have access to the ...
Ewan • 84.4k
6 votes

Is there a way to prevent developers leaking data while they are developing?

In larger organizations it can sometimes make sense to establish different access levels to different parts of a database for different groups of people. That's why most relational databases usually ...
Doc Brown • 220k
6 votes
Accepted

Is XACML actually used and implemented?

I am the author of the XACML wikipedia page and I work for one of the leading vendors, Axiomatics. Yes, XACML is very much used across a wide range of verticals: from finance (a lot of banks even ...
David Brossard
6 votes

Is it ok to have validation layer before access control layer

In addition to the possible frustration of receiving an 'access denied' after validating input, also keep in mind that the Validation layer, unless it is a very simple one, can always need information ...
simurg • 322
4 votes
Accepted

What can I use as an alternative to protected interface methods in Java?

An abstract class and template pattern should be used to do this. You mentioned that there will be a multiple-inheritance problem in your design. But is there anything stopping you from following the ...
Duncan • 164
4 votes

Dependency access control in DI

What limits developers from misusing those dependencies in inappropriate spots? Nothing. But nothing stops developers from misusing anything else in your code. DI isn't a tool to protect you from bad ...
Philip Kendall
4 votes
Accepted

Efficient access control list for collections of objects returned by REST api

Of course the most natural approach is to list the possible actions for each item. In fact, a literal interpretation of the REST approach (which I don't necessarily subscribe to) would suggest to do ...
Hans-Martin Mosner
3 votes

Customized access control using OAuth 2.0

To add on to this answer, the Authorization Server (AS) would need some way to model these Access Policies (i.e., "User 1 can access Dashboard on DC1 but not DC2", etc.) somehow. In my experience, ...
Alex Babeanu
3 votes
Accepted

Customized access control using OAuth 2.0

Here's a list of a few things worth pondering: Resources are responsible for their own access control. The types of clients and use cases can inform how you want to break down or group together ...
vibronet • 146
3 votes
Accepted

Updating last resource access time when clients perform a GET

While not explicitly stated, when the spec is talking about idempotence and side effects, it must be understood to be talking about the effects on the domain covered by the operation itself. ...
allmhuran • 316
3 votes

What can I use as an alternative to protected interface methods in Java?

I think the problem is your outlook on component-based design, not the lack of a design pattern to support this outlook. The purpose of a Java interface is to define the programmer's interface to the ...
Trixie Wolf
3 votes
Accepted

Where to put domain knowledge for Authorization?

Your idea to use a service to hide the access control complexities is entirely valid. Doing it otherwise risks that the complex logic gets spread around and possibly duplicated and at the same time ...
Bart van Ingen Schenau
3 votes

One person controls only one folder, in a repository

Git submodule might be a solution, but this really turns your repository into multiple unrelated repositories, where a top-level repository includes the submodules at a specific commit. To change code ...
amon • 136k
3 votes

Designing a role based system with more granularity

The right move here is to separate the two concepts. You have roles with a list of permissions, and then you have a sort of whitelist implementation where a given user can only access specific ...
Neil • 22.9k
3 votes
Accepted

Implementing Permissions Control for Related Data Resources

Here is a longer response to your question. The challenge you are hitting is that you have authorization requirements that have multiple parameters / dimensions to them. You want to define permissions ...
David Brossard
3 votes
Accepted

OWASP Broken Access Control by example: preventing users from reading/writing data that isn't theirs

Let's ignore JWT tokens for the moment and think of a classical session based authentication mechanism using cookies: a user accesses a login page; they use their username and password to login; ...
Bogdan • 3,660
3 votes

Storing a large number of user permissions

In my experience, User Groups/Roles separated from User IDs is generally the preferred way to go with this, and have users assigned to specific roles, not assigned to specific permissions. It sounds ...
Alexander The 1st
3 votes
Accepted

Clean Architecture and Access Control

Security is a cross-cutting concern that can span several layers, and it does in different formats and ways from layer to layer. For example Blue & Green circles We implement how actors are ...
Laiv • 15k
2 votes

Is XACML actually used and implemented?

The Wikipedia article lists major implementations: "SunXACML, Axiomatics, AuthzForce, InfoBeyond Technology" so it is being used. I don't think many companies manage their regulatory compliance with ...
Ewan • 84.4k
2 votes
Accepted

Thinking about roles and permissions

Permission checking should go in service or controller? Permission checking can go in the controller, unless you find it convenient to push it back into the service. It's the only substantial logic I ...
Robert Harvey
2 votes

Role vs Permission Based Access Control

Although @Rotem's answer is excellent he got one detail wrong, you should not check the user for the role. You instead call checkAccess() on the session (not necessarily an HTTP session, I usually ...
xenoterracide
2 votes

Is it ok to have validation layer before access control layer

That depends on what you mean by validation layer - if by that you just mean checking the syntax of the request, that's safe and something you have to do anyway. If your 'validation' uses any ...
Cubic • 301
2 votes

Is there a way to prevent developers leaking data while they are developing?

You will see varying practice, with some more traditionally minded DBAs maybe saying at the extreme 'never let developers write SQL, wrap everything in stored procedures'. My answer, for the ...
Alex Hayward
2 votes

How to efficiently pass permissions that control view and access of specific front-end elements from backend to the SPA using JWT

It sounds like JWTs are an overly complex solution to a problem that doesn't exist, in this case. From what you described, this is just a presentation issue (that happens to be about security) as opposed ...
gregmac • 857

Only top scored, non community-wiki answers of a minimum length are eligible