Persevere‘s security system provides a powerful infrastructure for controlling access to a system by combining the best aspects of capability-based security with role-based security. Persevere has a full user management system and granular per-object access control with inheritance. This system is designed such that it is very easy to use the default Persevere security to handle your access or integrate with an existing authentication system. Any part of the security system can be redefined and customized. Persevere can also be started without enabling security to make it easier to start development.
As web applications, services and mashups evolve, a perennial problem begins to assert itself—the issue of authorization (or in layman’s terms, making sure both application and service know who you are). A number of different approaches have been developed; one such approach is the OAuth specification, which is designed as a fool-proof way of validating requests.
Because of the growing popularity of the OAuth protocol, we’ve added support for it to the Dojo Toolkit in the form of dojox.io.OAuth—which can be used to sign any request made with the Dojo Toolkit’s various Ajax methods, including XHR, IFrame and Script transports.
Security in Ajax web applications is of growing importance. While the client-server model is very useful for architecting web applications, the web security is model is not client-server, but rather a client-deputy-server model. Understanding this security model is important for building secure web applications, and it is becoming even more important as we build mashups and web applications that utilize cross-site resources.