Hi Raghu, Laurie,
I did a project recently which used the Acegi security project which
comes bundled with Spring, and although I was never involved in the
implementation of it myself, I heard that it was effective.
Am I correct in assuming, though, that it does not offer the alternative
that Raghu was looking for, despite the fact that he (you) seems very
positive about it?
I can't see how such a security requirement can be implemented in any
other way than via the database. It is simply a question of data
visibility, in other words, who the data is visible to and to whom it is
not visible. The best you can do as far as I can see is to optimise the
caching, especially if the relationships are relatively stable.
Or is this perhaps a pattern that I am not aware of?
Adam
Raghu Kanchustambham on 20/11/05 16:50, wrote:
On the first cut this looks like authentication/authorization for the Spring
framework. Do I need to get Struts to co-exist with Spring for this to work?
And how much of an effort would that be?
But yes.. this looks quite a powerful and neat concept.
Thanks for referring it.
Regards,
Raghu
On 11/20/05, Laurie Harper <[EMAIL PROTECTED]> wrote:
Take a look at the Acegi Security project. It provides *extremely*
powerful declarative security capabilities, up to and including filtering
database query results to exclude things the current user shouldn't be
able to see. It might be exactly what you're looking for.
L.
Raghu Kanchustambham wrote:
Hi,
I could successfully place my authentication scheme in place using the
article at
http://www.jroller.com/comments/tomdz?anchor=using_jaas_with_struts_a
I also could place "resource" level authorization in place. However, the
definition of resource is the "traditional" action mapping. However, I have a
requirement which goes beyond that. I have centre-based roles. Let us say
my application could be used by administrators at three centres. The trick
is that all of them can view the set of "resources"... but in a particular
JSP they are authorized to use only certain values for some of the fields.
For example, a Hyderabad administrator can view reports pertaining to
Hyderabad only and should not be allowed to see reports of the Bangalore
centre.
Which, let us say, in UI terms would translate to a dropdown of cities... for
the Bangalore administrator... he probably can see the dropdown populated
with Bangalore... the Hyderabad admin sees it populated only with Hyderabad
and a HeadOffice admin sees all the cities in the cities dropdown.
What is the best way to achieve this?
One approach is to create a separate role for each centre user. For
example... have a role called Bangalore_Admin and Hyderabad_Admin etc. But the
obvious drawback is that this approach won't scale well with the increase in
the number of centres.
The other approach I was thinking of is writing the code myself. Introduce a
column for centre in the user table. From the
request.getUserPrincipal().getName()
function I determine the user... hit the database to determine the centre and
then filter the cities based on the city and the role.
I don't like this approach because I have lost the advantages of a
declarative style of defining security permissions. Also, now my
authorization code would be mixed all over and it would be difficult to change
the authorization policies at a later date.
The third approach is similar to the second one. Instead of defining a
centre at the user level, I could do it at the user_role mapping level.
User1 is the administrator of the Hyderabad centre. He could be a regular user
for another centre (say Bangalore). Slightly better than the second approach
but suffers from similar problems.
Is there a way that my getUserPrincipal() can be made to give me this extra
piece of information about the centre? That would make my code look a lot
cleaner. I don't have to hit the database just to find the centre.
Please comment.
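One concrete shape for the last approach Raghu asks about, as an added example (not code from this thread, nor from Acegi, JAAS or Struts): a java.security.Principal implementation that carries the user's centres, so that whatever the container hands back from request.getUserPrincipal() already holds the centre, and the visibility policy lives in one class instead of being repeated in every action and JSP. The class and method names and the sample users in main() are hypothetical. In a real deployment a JAAS LoginModule would add this principal to the Subject during login, or a servlet Filter would wrap the request so that getUserPrincipal() returns it; that wiring is container-specific and omitted here. Filtering the dropdown is only a convenience for the user: the same check has to run on the server when a report for a given centre is actually requested, because the submitted city value can be tampered with.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;

/**
 * Principal that carries the centre(s) a user administers alongside the user name.
 * Hypothetical class for this example; not part of JAAS, Struts or Acegi.
 */
public final class CentrePrincipal implements Principal {
    private final String name;
    private final Set<String> adminCentres; // centres this user administers
    private final boolean headOffice;       // head-office admins see every centre

    public CentrePrincipal(String name, Set<String> adminCentres, boolean headOffice) {
        this.name = Objects.requireNonNull(name, "name");
        this.adminCentres = Collections.unmodifiableSet(new HashSet<String>(adminCentres));
        this.headOffice = headOffice;
    }

    @Override
    public String getName() {
        return name;
    }

    public boolean isHeadOffice() {
        return headOffice;
    }

    public Set<String> getAdminCentres() {
        return adminCentres;
    }

    /**
     * The centres this principal may see, given the full list of known centres.
     * This is the single place where the "who sees which centre" policy lives,
     * so a JSP populating the city dropdown just calls it.
     */
    public List<String> visibleCentres(Collection<String> allCentres) {
        if (headOffice) {
            return new ArrayList<String>(allCentres);
        }
        List<String> visible = new ArrayList<String>();
        for (String centre : allCentres) {
            if (adminCentres.contains(centre)) {
                visible.add(centre);
            }
        }
        return visible;
    }

    /**
     * Server-side check for a centre value that arrived in a request.
     * Never trust that the value came from the filtered dropdown.
     */
    public boolean mayAccessCentre(String centre) {
        return headOffice || adminCentres.contains(centre);
    }

    @Override
    public String toString() {
        return "CentrePrincipal[" + name + ", centres=" + adminCentres + ", headOffice=" + headOffice + "]";
    }

    /** Constructed sample data: three centres, a Hyderabad admin and a head-office admin. */
    public static void main(String[] args) {
        List<String> cities = Arrays.asList("Hyderabad", "Bangalore", "Chennai");

        CentrePrincipal hydAdmin = new CentrePrincipal("user1", Collections.singleton("Hyderabad"), false);
        CentrePrincipal hoAdmin = new CentrePrincipal("user2", Collections.<String>emptySet(), true);

        System.out.println(hydAdmin.getName() + " dropdown: " + hydAdmin.visibleCentres(cities));
        System.out.println(hoAdmin.getName() + " dropdown: " + hoAdmin.visibleCentres(cities));

        // A tampered request asking for a Bangalore report on behalf of the Hyderabad admin
        // is rejected by the same policy object, without touching the database again.
        String requestedCentre = "Bangalore";
        System.out.println(hydAdmin.getName() + " may access " + requestedCentre + ": "
                + hydAdmin.mayAccessCentre(requestedCentre));
    }
}
```

Because the principal is built once at login, the per-request centre lookup Raghu wanted to avoid disappears; when the user/centre mapping changes, the user logs in again and picks up the new principal. The head-office case is modelled as a flag rather than as a list of every centre so that adding a centre does not require touching existing users.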