This is the final article in a three-part series on Web 2.0 access control. In the preceding articles we described how the principles of user-centric identity and organization-centric authorization support the “outsourcing” of access control in Web application development, and we recommended a set of access control “best practices.”
In this article we look at an example of these practices in action using a dummy PHP application called FooApp. The examples make use of DACS – the Distributed Access Control System. DACS provides lightweight, high-performance distributed access control and single sign-on across a federation of Apache HTTP servers.
At the heart of DACS is a powerful “rules engine” which enforces an organization's access control policies expressed in a compact XML syntax. The DACS engine is the basis for an Apache module, mod_auth_dacs, which implements access control on all “DACS-wrapped” Web content and services served by Apache. The same rules engine drives a standalone command, dacscheck, which may be used by any application (Web or otherwise) to externalize its access control logic. Another command, dacstransform, dynamically customizes the content of an HTTP response based on attributes of the request. The author’s demonstration site provides numerous examples of DACS lightweight access control.
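As an added illustration of externalizing access control with dacscheck (this is example code written for this article, not FooApp's or the DACS project's own), the following PHP function lets FooApp ask the DACS rules engine for an access decision instead of encoding the policy itself. It assumes dacscheck is on the PATH, that the FooApp rules are installed under the application name "FooApp", that the -app and -i options and the object-name argument behave as described in the comments, and that a zero exit status means access granted; the identity and object values are constructed.

```php
<?php
// Added example (not from the article or the DACS project): FooApp delegates
// an access decision to the DACS rules engine by running dacscheck.
// Assumptions: dacscheck is on $PATH, FooApp's rules are installed under the
// application name "FooApp", dacscheck accepts -app <name> and -i <identity>
// followed by the object name, and it exits 0 only when access is granted.
// Confirm these against the dacscheck(1) man page for your DACS version.

function fooapp_access_allowed(string $identity, string $object): bool
{
    // Pass the DACS identity of the requesting user and the name of the
    // resource being accessed; the policy itself lives outside FooApp.
    $cmd = sprintf(
        'dacscheck -app %s -i %s -- %s',
        escapeshellarg('FooApp'),
        escapeshellarg($identity),
        escapeshellarg($object)
    );
    exec($cmd, $output, $status);

    // Fail closed: anything other than a clean "granted" exit is a denial,
    // including errors such as a missing or unparsable rule file.
    return $status === 0;
}

// Deny by default; grant only when the DACS rules say so.
$user   = 'EXAMPLE::FOOAPP:alice';     // constructed DACS-style identity
$object = '/fooapp/reports/quarterly';  // constructed object name

if (!fooapp_access_allowed($user, $object)) {
    http_response_code(403);
    exit('Forbidden');
}
echo "Report released to {$user}\n";
```

Because the decision comes back as an exit status, a deployment should log non-zero results that are errors rather than denials so that a broken rule file is noticed instead of silently locking everyone out.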
Web 2.0, Access Control, Part 3