Access Control Overview

For many web applications, it’s important that only certain users be permitted to access protected resources. A subscription-based online newspaper (for example, The New York Times) might only want the headline articles to be freely available while the rest of its content is accessible only to paying customers. Enforcing this kind of control means that you need to have a strong access control system.

Formally defined, an access control system is a mechanism that regulates access to data or functionality by determining whether a subject is permitted to perform an operation on a target object. Informally, an access control mechanism determines whether Joe User (our subject) is allowed to view (an operation) the current balance (the object) in his online bank account, as seen in Figure 3-1.

Figure 3-1 A simple model of access control

To make this determination, the access control mechanism relies on two related processes—authentication and authorization. Authentication is essentially proving that you are who you claim to be. Continuing our previous example, Joe User authenticates to his banking website by providing his username and password.

Authorization is the process of determining whether the validated identity has the rights to do what they want to do. Because authorization looks up permissions based on a confirmed identity, it must follow after authentication. Another way of looking at this is that you can have authentication without authorization, but you can’t have authorization without authentication. As it relates to Joe, we want the access control system to determine whether he is allowed to read the current balance of his bank account, so he must first prove his identity to the system (authentication), and then the system will determine whether he has the rights to view the account balance (authorization). A high-level overview of the access control process is shown in Figure 3-2.

Figure 3-2 High-level overview of the access control process
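The two-step decision described above, written out as an added example (not code from the book): `authenticate()` establishes who the subject is from a credential check, and `authorize()` then consults a policy over (subject, operation, object), failing closed whenever no authenticated identity exists. The user name, password and policy entries are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed credential store: username -> (salt, PBKDF2-SHA256 hash).
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_JOE_SALT = os.urandom(16)
USERS = {"joe": (_JOE_SALT, _derive("correct horse battery staple", _JOE_SALT))}

# Constructed policy: which subject may perform which operation on which object.
# Objects are namespaced per owner so Joe's rights never spill onto other accounts.
POLICY = {
    ("joe", "view", "balance:joe"),
    ("joe", "view", "statements:joe"),
}

@dataclass(frozen=True)
class Principal:
    # Identity as established by authenticate(), never a client-supplied claim.
    name: str

def authenticate(username: str, password: str) -> Optional[Principal]:
    """Authentication: prove the caller is who they claim to be."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(_derive(password, salt), stored):
        return Principal(username)
    return None

def authorize(subject: Optional[Principal], operation: str, obj: str) -> bool:
    """Authorization: decide whether an authenticated subject may act on obj."""
    if subject is None:
        return False  # no verified identity -> deny (fail closed)
    return (subject.name, operation, obj) in POLICY

def access(username: str, password: str, operation: str, obj: str) -> bool:
    """Full access-control decision: authentication first, then authorization."""
    return authorize(authenticate(username, password), operation, obj)
```

Note that `authorize()` only ever sees a `Principal` produced by `authenticate()`, which is what makes "no authorization without authentication" a property of the code rather than a convention.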
