Extending Authorization Capabilities of Object Relational/Graph Mappers by Request Manipulation
Language of the talk title:
English
Original conference title:
DEXA 2022
Language of the conference title:
English
Original abstract:
Enforcing authorization for web applications must be done on the server side.
Thus, either the backend or the persistent storage is a suitable layer.
From a developer's point of view, we want to use a framework to automate creating persistent storage models and to map the entities between storage and backend.
However, not all such frameworks offer sufficient authorization support.
From a scientist's perspective, we want to combine, in general, the filtering capabilities of the persistent storage with the advantages of using a mapper framework.
Therefore, we propose to intercept the communication between the backend and the mapper framework and thus provide a central point of authorization.
This offers the advantage that developers are unlikely to inadvertently introduce security vulnerabilities.
The request is modified by adding a filter so that only authorized entities are returned.
Filtering directly in the storage saves processing time and bandwidth, and it also reduces development and maintenance effort.
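The interception described in the abstract, as an added example that is not code from the paper or its authors: a small ORM-like mapper, an interceptor that sits between the backend and that mapper, and a rewrite step that appends an ACL subquery to every read request so the database itself returns only authorized rows. The table layout, the ACL and group schema, the entity names and all sample rows are constructed assumptions for the demonstration.

```python
# Added example (not from the paper): a minimal interceptor between a backend and
# an ORM-like mapper that rewrites every read request so the database itself
# returns only entities the requesting principal is authorized to see.
# Table names, the ACL schema and all sample rows below are constructed assumptions.
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    """Request the backend hands to the mapper: which entity, plus optional filters."""
    entity: str
    filters: tuple = ()  # tuple of (sql_condition, params) pairs, ANDed together


class Mapper:
    """Stand-in for an ORM/OGM: turns a Query into SQL and returns rows as dicts."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def fetch(self, query: Query) -> list[dict]:
        sql = f"SELECT * FROM {query.entity}"
        params: list = []
        if query.filters:
            # Each condition is parenthesised so a backend-supplied "a OR b"
            # cannot escape the AND with the authorization condition appended later.
            sql += " WHERE " + " AND ".join(f"({cond})" for cond, _ in query.filters)
            for _, p in query.filters:
                params.extend(p)
        cur = self.conn.execute(sql, params)
        cols = [c[0] for c in cur.description]
        return [dict(zip(cols, row)) for row in cur.fetchall()]


class AuthzInterceptor:
    """Single point of authorization: the backend only ever talks to this object.

    Every Query is extended with an ACL subquery before it reaches the mapper,
    so filtering happens inside the storage engine, not in application code.
    """

    # Entities without an entry here are denied outright (deny by default).
    ACL_FILTER = {
        "documents": (
            "id IN (SELECT object_id FROM acl WHERE entity = 'documents' "
            "AND (subject = ? OR subject IN "
            "(SELECT grp FROM membership WHERE member = ?)))"
        ),
    }

    def __init__(self, mapper: Mapper) -> None:
        self._mapper = mapper

    def fetch(self, query: Query, principal: str) -> list[dict]:
        cond = self.ACL_FILTER.get(query.entity)
        if cond is None:
            raise PermissionError(f"no authorization policy for entity {query.entity!r}")
        authorized = Query(query.entity, query.filters + ((cond, (principal, principal)),))
        return self._mapper.fetch(authorized)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: three documents, an ACL and group memberships."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE acl (entity TEXT, object_id INTEGER, subject TEXT);
        CREATE TABLE membership (member TEXT, grp TEXT);
        INSERT INTO documents VALUES (1, 'roadmap'), (2, 'payroll'), (3, 'public notice');
        INSERT INTO acl VALUES ('documents', 1, 'alice'),
                               ('documents', 2, 'finance'),
                               ('documents', 3, 'everyone');
        INSERT INTO membership VALUES ('alice', 'everyone'), ('bob', 'everyone'),
                                      ('bob', 'finance');
        """
    )
    return conn


def visible_titles(principal: str, extra_filters: tuple = ()) -> list[str]:
    """What the backend sees for `principal`: only rows the ACL grants, filtered in storage."""
    interceptor = AuthzInterceptor(Mapper(build_demo_db()))
    rows = interceptor.fetch(Query("documents", extra_filters), principal)
    return sorted(r["title"] for r in rows)


if __name__ == "__main__":
    print(visible_titles("alice"))  # ['public notice', 'roadmap']
    print(visible_titles("bob"))    # ['payroll', 'public notice']
    # A backend filter that tries to widen the result set is still ANDed with the ACL.
    print(visible_titles("alice", (("title LIKE ? OR 1=1", ("%pay%",)),)))
```

Two details carry the security argument: the backend holds a reference only to the interceptor, never to the mapper, so there is no code path that reaches storage without the appended condition; and an entity with no policy entry is refused rather than returned unfiltered, so forgetting to register a new entity fails closed instead of leaking it.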