7 Configuring authorization: restricting access

This chapter covers

  • Defining authorities and roles.
  • Applying authorization rules on endpoints.

Some years ago, I was skiing in the beautiful Carpathian mountains when I witnessed this funny scene. About ten, maybe fifteen people were queuing to get into the cabin to go to the top of the ski slope. A well-known pop artist showed up, accompanied by two bodyguards. He confidently strode up, expecting to skip the queue because he was famous. Reaching the head of the line, he got a surprise. “The ticket, please!” said the person managing the boarding, who then had to explain, “Well, you first need a ticket, and second, there is no priority line for this boarding, sorry. The queue ends there.” He pointed to the end of the queue.

In most situations in life, who you are is not the only thing that matters. The same holds for software applications: when a caller tries to reach a specific piece of functionality or data, knowing who the caller is is not enough. The application also needs a rule that says what that caller is allowed to do.

Up to now, we have discussed only authentication, which, as you learned, is the process by which the application identifies the caller of a resource. In the examples of the previous chapters we implemented no rule for deciding whether to approve a request; we only cared whether the system knew the caller. That is rarely enough. In most applications, not every user the system can identify may access every resource. Authorization is the separate step that decides, for an already authenticated caller, which resources and operations that caller is allowed to use, based on what the system knows about them: their authorities and roles.
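The following configuration is an added example, not a listing from the chapter, showing the three kinds of rule the chapter's subsections cover side by side: restricting by authority, restricting by role, and denying all access. It assumes a Spring Boot application with Spring Security 5.x (the `WebSecurityConfigurerAdapter` configuration style) and Spring MVC on the classpath; the users `john` and `jane`, their passwords, and the endpoint paths are hypothetical.

```java
// Added example (not the chapter's own code). Assumes Spring Boot + Spring Security 5.x
// with Spring MVC on the classpath. Users, passwords and endpoint paths are hypothetical.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class ProjectConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public UserDetailsService userDetailsService() {
        var manager = new InMemoryUserDetailsManager();

        // "{noop}" tells the delegating encoder the password is stored as plain text.
        // Acceptable for a local demo only, never for real credentials.
        manager.createUser(User.withUsername("john")
                .password("{noop}12345")
                .authorities("READ")                    // a plain authority, no ROLE_ prefix
                .build());

        // A role is just an authority whose name starts with ROLE_.
        // .roles("ADMIN") would produce the same ROLE_ADMIN authority, but UserBuilder's
        // authorities()/roles() calls replace each other, so everything is listed once here.
        manager.createUser(User.withUsername("jane")
                .password("{noop}12345")
                .authorities("READ", "WRITE", "ROLE_ADMIN")
                .build());
        return manager;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic();

        // Rules are evaluated top to bottom and the first matching matcher wins,
        // so the specific rules go first and the catch-all goes last.
        http.authorizeRequests()
            // Role-based: hasRole("ADMIN") matches the authority ROLE_ADMIN.
            // Do not write hasRole("ROLE_ADMIN"); Spring Security rejects the prefix here.
            .mvcMatchers("/admin/**").hasRole("ADMIN")
            // Authority-based: the caller must hold exactly this authority ...
            .mvcMatchers("/write").hasAuthority("WRITE")
            // ... or any one of these.
            .mvcMatchers("/read").hasAnyAuthority("READ", "WRITE")
            // Deny all: nobody reaches these paths, authenticated or not.
            .mvcMatchers("/internal/**").denyAll()
            // Everything else: being authenticated is enough.
            .anyRequest().authenticated();
    }
}
```

With this in place, `curl -u john:12345 http://localhost:8080/read` succeeds, `curl -u john:12345 http://localhost:8080/write` returns 403 even though john authenticated correctly, and `/internal/anything` returns 403 for jane as well, which is the distinction between authentication and authorization made concrete. If Spring MVC is not on the classpath, replace `mvcMatchers` with `antMatchers`; the rule semantics are the same.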

7.1      Restricting access based on authorities and roles

7.1.1   Restricting access to all endpoints based on user authorities

7.1.2   Restricting access to all endpoints based on user roles

7.1.3   Restricting all access to endpoints

7.2      Summary