Authorisation comes full circle
I find it really interesting to look at access control of web-based applications to see how they have changed over the past decade.
When I first started working with Identity and Access Management back in 1998/1999, web applications were still emerging and their functionality was limited. At that time people were building siloed applications, with all of the security contained within each application. Then along came the web access management (WAM) vendors, including Netegrity, Oblix etc. All of these vendors took a new approach to web application security: take the security out of the application and put it instead into a security framework that surrounded your applications. This became a common access point providing a range of features including:
- Web-based SSO
- Authentication
- Authorisation
- Auditing
This was all well and good, but as applications developed and became increasingly complex, it became harder to meet all of the applications’ security requirements through this framework. Sure, authentication was straightforward: authenticate the user and then pass a token to the application containing the user’s identity. This has been done over and over again and is now a very well-trodden path.
However, what about authorisation? This wasn’t so simple. Despite their claims of handling authorisation, the WAM products primarily worked on the URL. They were able to carve up the URL space into chunks and decide which users got access to which chunks. This was fine in some cases but, more often than not, was not enough for many applications.
As applications matured, there were more requirements for complex authorisation based on access control defined at levels deeper than the URL. The WAM vendors’ answer was typically to pass some information from the user directory to the application and let the application perform that level of authorisation itself. I have deployed many WAM solutions during my consulting days. The majority of those used WAM to provide authentication but left the authorisation to the underlying applications. So we ended up with a half-way house: WAM providing authentication and some high-level authorisation, with the applications providing the more detailed authorisation. Not ideal!
Then, as the market has matured even more, we see the advent of products like Oracle Entitlements Server which address this problem. How do we provide a solution that externalises not only authentication and high-level (coarse-grained) authorisation but also low-level (fine-grained) authorisation? We now have the answer to providing a complete solution in this area.
We can now use WAM to provide the authentication and coarse-grained authorisation whilst allowing an entitlements service to provide the fine-grained authorisation.
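The two layers described above can be made concrete with a small policy decision point. The code below is an added example, not part of the original post and not the API of any WAM or entitlements product: a URL-pattern check of the kind a WAM gateway enforces, followed by an attribute-based check against the resource itself. The users, roles, accounts and URL patterns are constructed sample data, and the `authorise` function reports which layer produced the verdict so the gap between coarse and fine-grained decisions is visible.

```python
"""Added example: coarse-grained (URL) plus fine-grained (attribute) authorisation.
Not code from the original post; all identities, accounts and rules are constructed."""
import re
from dataclasses import dataclass


@dataclass
class User:
    name: str
    roles: set
    department: str = ""


# Constructed sample "directory": the identity and attributes a WAM product
# would hand to the application once the user has authenticated.
USERS = {
    "alice": User("alice", {"customer"}),
    "bob": User("bob", {"customer"}),
    "carol": User("carol", {"teller"}, department="retail"),
}

# Constructed resource store: each account carries attributes the fine-grained
# policy needs (owner, branch) that a URL alone never exposes.
ACCOUNTS = {
    "123": {"owner": "alice", "branch": "retail"},
    "456": {"owner": "bob", "branch": "corporate"},
}

# Coarse-grained layer: URL-space rules of the kind WAM products enforce.
# Each entry is (URL pattern, roles permitted); first matching pattern wins.
URL_POLICY = [
    (re.compile(r"^/accounts/[^/]+$"), {"customer", "teller"}),
    (re.compile(r"^/admin(/.*)?$"), {"admin"}),
]

ACCOUNT_PATH = re.compile(r"^/accounts/([^/]+)$")


def coarse_allow(user: User, path: str) -> bool:
    """URL-level decision: may any of this user's roles reach this chunk of URL space?"""
    for pattern, roles in URL_POLICY:
        if pattern.match(path):
            return bool(user.roles & roles)
    return False  # default deny for paths no rule covers


def fine_allow(user: User, action: str, account_id: str) -> bool:
    """Resource-level decision, evaluated against the account's own attributes."""
    account = ACCOUNTS.get(account_id)
    if account is None:
        return False  # unknown resource: deny rather than fall through
    # Customers may act only on accounts they own.
    if "customer" in user.roles and account["owner"] == user.name:
        return True
    # Tellers may read accounts in their own branch but may not move money.
    if ("teller" in user.roles and action == "read"
            and account["branch"] == user.department):
        return True
    return False


def authorise(username: str, action: str, path: str) -> str:
    """Combined decision. Returns 'allow' or 'deny:<layer>' naming the layer
    that refused, so it is clear what the URL check alone would have let through."""
    user = USERS.get(username)
    if user is None:
        return "deny:unauthenticated"
    if not coarse_allow(user, path):
        return "deny:coarse"
    match = ACCOUNT_PATH.match(path)
    if match and not fine_allow(user, action, match.group(1)):
        return "deny:fine"
    return "allow"


if __name__ == "__main__":
    requests = [
        ("alice", "read", "/accounts/123"),      # owner: allowed
        ("alice", "read", "/accounts/456"),      # URL layer allows, attribute layer denies
        ("carol", "read", "/accounts/123"),      # teller, same branch: allowed
        ("carol", "transfer", "/accounts/123"),  # teller may not transfer
        ("bob", "read", "/admin/users"),         # stopped at the URL layer
    ]
    for who, action, path in requests:
        print(f"{who:6} {action:9} {path:16} -> {authorise(who, action, path)}")
```

The second request is the case the post describes: `/accounts/456` is inside the URL chunk that customers are allowed to reach, so a WAM-style rule passes it, and only the attribute check on the account's owner refuses it. Whether that second check lives in the application or in an external entitlements service is exactly the architectural choice the post is discussing.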
Surely, this is where the WAM vendors first imagined we would be, i.e. externalising all of the access control from the web application. It just seems that it has taken us a bit longer than expected to get there.