Section 3.3.1
Top Level / Sub Level

General
Use the coarse-grained (e.g., URL) access control mechanism to ensure the user is authorized to access the requested page/function. Audit/log any access control failures. Note that these access control violations may indicate an attacker trying to forcefully browse to restricted pages, and should potentially be logged/detected as a penetration attempt.

Django
Django's contrib.admin application requires that the user be marked as staff in the database. It also uses the built-in permission system to control what the user can add/edit/delete.

Java
Consider using the J2EE standard approach of using web.xml to define/enforce coarse-grained access control, by mapping roles to particular URL patterns/pages.
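The following is an added, framework-agnostic illustration of the General and Java guidance above; it is not code from this guide, from Django, or from any J2EE container. It assumes a constructed role-to-URL-pattern matrix (the same idea as a web.xml security-constraint or Django's staff/permission gate), glob-style path patterns, a minimal User class with a set of roles, and a deny-by-default decision. Every denial is written to an audit list and to a logger, and a small helper counts repeated denials per user so that a burst of refused requests to restricted paths can be surfaced as a possible forced-browsing attempt.

```python
import fnmatch
import logging
from dataclasses import dataclass, field

# Constructed coarse-grained policy: URL pattern -> roles allowed to reach it.
# First matching rule wins; a path with no rule is denied (deny by default).
ACCESS_POLICY = [
    ("/public/*", {"anonymous", "user", "staff", "admin"}),
    ("/account/*", {"user", "staff", "admin"}),
    ("/admin/*", {"admin"}),
]

audit_log = logging.getLogger("access_control")


@dataclass
class User:
    """Hypothetical authenticated principal; roles come from the session/database."""
    name: str
    roles: set = field(default_factory=set)


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


def match_rule(path):
    """Return the first (pattern, roles) rule whose glob matches the request path."""
    for pattern, roles in ACCESS_POLICY:
        if fnmatch.fnmatchcase(path, pattern):
            return pattern, roles
    return None, None


def authorize(user, path, audit=None):
    """Coarse-grained URL check: deny unless a rule grants one of the user's roles.

    Every failure is appended to `audit` (structured) and emitted via logging,
    because repeated failures are the signal the guidance asks us to watch for.
    """
    audit = audit if audit is not None else []
    pattern, allowed_roles = match_rule(path)
    if pattern is None:
        decision = AccessDecision(False, "no rule covers this path")
    elif user.roles & allowed_roles:
        decision = AccessDecision(True, f"permitted by rule {pattern}")
    else:
        decision = AccessDecision(
            False, f"roles {sorted(user.roles)} not permitted by rule {pattern}"
        )
    if not decision.allowed:
        record = {"user": user.name, "path": path, "reason": decision.reason}
        audit.append(record)
        audit_log.warning("ACCESS DENIED user=%s path=%s reason=%s",
                          record["user"], record["path"], record["reason"])
    return decision


def forced_browsing_suspects(audit, threshold=3):
    """Users with `threshold` or more denials; a crude detection over the audit trail."""
    counts = {}
    for record in audit:
        counts[record["user"]] = counts.get(record["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    trail = []
    # Constructed request sequence: a legitimate admin and a user probing admin URLs.
    authorize(User("alice", {"admin"}), "/admin/users", audit=trail)
    for probe in ("/admin/users", "/admin/settings", "/admin/export"):
        authorize(User("mallory", {"user"}), probe, audit=trail)
    print("denials:", len(trail), "suspects:", forced_browsing_suspects(trail))
```

The policy table is the part a real deployment would load from web.xml, a Django URL configuration, or a gateway; the point of the example is that the check happens before any page logic runs, that unknown paths fall closed, and that the denials are recorded in a form a detection rule can consume rather than silently returning a 403.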