ESAPI Swingset Interactive - AccessControl


Tutorial

The AccessController interface defines a set of methods that can be used in a wide variety of applications to enforce access control. In most applications, access control must be performed in multiple different locations across the various application layers. This class provides access control for URLs, business functions, data, services, and files.

For the Forced Browsing lab, we first need to set the following URL access rules in the .esapi\fbac-policies\URLAccessRules.txt file.

# URL Access Rules #
admin_solution.jsp | any | allow |
admin_solution.jsp | admin | allow |

In the Forced Browsing lab, the following ESAPI function is used:

boolean isAuthorizedForURL(String url)
Checks if an account is authorized to access the referenced URL.
Returns true if the current user is authorized for the URL.

Once you click on the test URL, the requested JSP calls ESAPI's isAuthorizedForURL function. It displays a success or failure message depending on the boolean value returned by the function.

The JSP also displays the boolean value returned by calling ESAPI.accessController().isAuthorizedForURL(request.getRequestURI()) and, when authorization fails, the resulting log message.
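To make the rule file's role in the lab concrete, here is an added example (not Swingset or ESAPI code) that parses rules in the URLAccessRules.txt layout and evaluates a request the way the lab's check does. The matching semantics are assumptions for the model, not ESAPI's own implementation: longest matching path prefix wins, deny beats allow on a tie, "any" matches every role, and a URI with no rule at all is denied. The sample rules and request URIs are constructed.

```python
from dataclasses import dataclass

# Constructed sample in the layout of the lab's URLAccessRules.txt (not the
# page's file): path | comma-separated roles ("any" = every role) | allow/deny.
# A trailing "|" is tolerated, as in the rules quoted above.
SAMPLE_RULES = """\
# URL Access Rules #
/admin_solution.jsp | any | allow |
/admin/ | admin | allow
/admin/reports.jsp | admin,auditor | allow
/admin/reset.jsp | any | deny
"""

@dataclass(frozen=True)
class Rule:
    path: str
    roles: frozenset
    allow: bool

def parse_rules(text):
    """Parse rule lines; blank lines and '#' comments are skipped.
    A malformed line raises instead of silently becoming a rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.strip("|").split("|")]
        if len(parts) != 3 or parts[2].lower() not in ("allow", "deny"):
            raise ValueError(f"URLAccessRules line {lineno}: malformed rule {raw!r}")
        roles = frozenset(r.strip().lower() for r in parts[1].split(",") if r.strip())
        rules.append(Rule(parts[0], roles, parts[2].lower() == "allow"))
    return rules

def is_authorized_for_url(rules, url, user_roles):
    """Assumed semantics of the lab's check: the longest rule path that is a
    prefix of the requested URI wins; on a tie, deny beats allow. No matching
    rule means deny, which is what blocks forced browsing to an unlisted page.
    "any" matches every role; otherwise the user needs one listed role."""
    user_roles = {r.lower() for r in user_roles}
    matching = [r for r in rules if url.startswith(r.path)]
    if not matching:
        return False
    best = max(matching, key=lambda r: (len(r.path), not r.allow))
    role_ok = "any" in best.roles or bool(best.roles & user_roles)
    return best.allow and role_ok
```

Calling is_authorized_for_url(parse_rules(SAMPLE_RULES), request_uri, roles) from a central place such as a servlet filter, rather than from each JSP, is what keeps an unlisted page from being reachable by guessing its URL.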

ESAPI's AccessController Interface includes:


OWASP Enterprise Security API Project