Security in Persevere

By on March 6, 2009 1:01 am

Persevere‘s security system provides a powerful infrastructure for controlling access to a system by combining the best aspects of capability-based security with role-based security. Persevere has a full user management system and granular per-object access control with inheritance. This system is designed such that it is very easy to use the default Persevere security to handle your access or integrate with an existing authentication system. Any part of the security system can be redefined and customized. Persevere can also be started without enabling security to make it easier to start development.

Introducing OAuth in DojoX

By on February 19, 2009 3:03 am

As web applications, services and mashups evolve, a perennial problem begins to assert itself—the issue of authorization (or in layman’s terms, making sure both application and service know who you are). A number of different approaches have been developed; one such approach is the OAuth specification, which is designed as a fool-proof way of validating requests.

Because of the growing popularity of the OAuth protocol, we’ve added support for it to the Dojo Toolkit in the form of—which can be used to sign any request made with the Dojo Toolkit’s various Ajax methods, including XHR, IFrame and Script transports.

Security in Ajax

By on September 25, 2008 12:38 am

Security in Ajax web applications is of growing importance. While the client-server model is very useful for architecting web applications, the web security is model is not client-server, but rather a client-deputy-server model. Understanding this security model is important for building secure web applications, and it is becoming even more important as we build mashups and web applications that utilize cross-site resources.

In a client-server model, the client acts on behalf of the user, and the server trusts the client to the degree that a user is authorized. In the client-deputy-server model, the deputy (the browser) acts on behalf of the user, with suspicion of the client (web page/JavaScript), taking responsibility for some aspects of security, limiting client to client interaction. By understanding the mechanisms for the deputy boundaries, servers can appropriately participate in the security model with proper trust for the browser to act on behalf of the user. We will look at how to secure resources from being accessed from the wrong clients and protect clients from malicious server code.