What to Do
Implement authentication and authorization administration.
Why
The authentication and authorization policies should be configurable to make it possible for the users to adapt the application to their environment.
When
Implement authentication and authorization administration in all web applications that use authentication or authorization.
How
To implement authentication and authorization administration:
-
Identify application requirements. Define options for configuring access control and authentication policies. At the very least, there should be an administration panel for managing user accounts, and a page for users to manage their own accounts.
-
Make authentication and authorization code configurable. Find all code responsible for authentication and authorization features. Modify this code to read settings defined in the application requirements.
-
Design the administrative pages. Design the pages to be used for configuring access contorl and authentication policies based on the requirements for your application.
-
Implement the administration interface. Write code for the administrative pages to interface with authentication and authorization code. The administration interface should be able to read and write settings to a secure location, where the authentication and authorization code may access them. The saved settings should be protected with access controls to prevent unauthorized disclosure and tampering.