In its simplest form, a keyring could just be a structure, permissionKey. When a user is created or edited, the admin assigns the keys that a user is allowed via a set of radio buttons and that gets converted into a structure.
 
I decided to store a user's keyRing in the DB via WDDX, because it is simple and works well. Joe Celko's nested set model might be overkill, at least in the kinds of apps I work on. I can't imagine I'd need more than 10 or 20 keys; one "ring" is enough. Perhaps for other applications, you'd need more of a hierarchy of key rings. I don't know ... I can't think of a practical use for that, but I might not understand the use case. The user interface to admin it would be kinda complex as well.
 
Then when a user logs in, the WDDX'ed keyRing is retrieved from the DB and converted back into a structure. Then from there, you could either simply use the structure in your application,
 
if session.permissionKey.publishContent
 
... publish content stuff here
 
OR go a more OO route, load the permissionKey structure into your KeyRing object (a simple bean with boolean members) via a setInstanceFromStruct() method and use it within your application like so
 
if session.keyRing.getPublishContentKey()
 
... publish content stuff here
 
If you use a KeyRing object, you have a source for your default keys ready to go.
 
Adapt and enhance. Those are the basics I'm working with.
 
ciao,
Nando
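
As an added Python rendering of the KeyRing pattern described above (not Nando's code, and not ColdFusion), assuming three sample key names: every key defaults to denied, setInstanceFromStruct loads a struct over those defaults, the ring round-trips through a WDDX packet the way it would be stored in the DB, and a key the application no longer knows is ignored rather than granted.

```python
import xml.etree.ElementTree as ET

# Constructed sample keys; everything not listed here is denied by default.
DEFAULT_KEYS = {"publishContent": False, "editUsers": False, "viewReports": False}


def _truthy(value):
    """Accept Python bools and CF-style 'true'/'yes'/'1' strings; anything else is False."""
    return value is True or str(value).strip().lower() in ("true", "yes", "1")


class KeyRing:
    """Bean holding one boolean per permission key (the thread's permissionKey struct)."""

    def __init__(self):
        self.keys = dict(DEFAULT_KEYS)

    def set_instance_from_struct(self, struct):
        """Load keys from a struct; keys the ring does not know are dropped, not added."""
        for name, value in struct.items():
            if name in self.keys:
                self.keys[name] = _truthy(value)
        return self

    def has_key(self, name):
        """Deny by default: an unknown key name is never granted."""
        return self.keys.get(name, False)

    def to_wddx(self):
        """Serialize the ring as a WDDX packet of boolean vars for storage in the DB."""
        packet = ET.Element("wddxPacket", version="1.0")
        ET.SubElement(packet, "header")
        struct = ET.SubElement(ET.SubElement(packet, "data"), "struct")
        for name, value in sorted(self.keys.items()):
            var = ET.SubElement(struct, "var", name=name)
            ET.SubElement(var, "boolean", value="true" if value else "false")
        return ET.tostring(packet, encoding="unicode")

    @classmethod
    def from_wddx(cls, xml_text):
        """Parse a stored WDDX packet back into a struct, then apply it over the defaults."""
        root = ET.fromstring(xml_text)
        struct = {}
        for var in root.findall("./data/struct/var"):
            boolean = var.find("boolean")
            struct[var.get("name")] = boolean is not None and boolean.get("value") == "true"
        return cls().set_instance_from_struct(struct)
```

Because has_key consults the ring rather than the raw struct, a stale key left in an old packet after it was removed from the system cannot unlock anything.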
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Kotek
Sent: Friday, January 21, 2005 4:18 PM
To: [email protected]
Subject: RE: [CFCDev] OO Security

Nando, do you happen to have any examples of this that you could post up or email to me? I’ve read Hal’s article but I’d be interested to see a working version of it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nando
Sent: Friday, January 21, 2005 10:07 AM
To: [email protected]
Subject: RE: [CFCDev] OO Security

I really like Hal's conceptual model of permissions. He has an article on his site, I believe, that presents it in terms of a set of keys. Whatever their role, users are either given a key or not to use a function in the application.

What that becomes then is a PermissionKey set of boolean values, or a KeyRing. So rather than the abstract concept Security ... KeyRing is a more solid concept to start building an OO model from.

I use this conceptual model and I really like it. Keys can be added or removed very easily from the system. And it's very flexible. A user can be assigned a permission that would be out of the ordinary for their role - and as Hal points out in his article, that tends to happen in real-life scenarios fairly often.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Chastain
Sent: Friday, January 21, 2005 3:29 PM
To: [email protected]
Subject: [CFCDev] OO Security

How does one go about building a security framework using an object oriented approach?  The question I am getting at is that 'security' is not an object in the same sense that a user or a document is an object.

So, does a user object have an authenticate method that accepts a username and password?  Something about this does not seem right.

Along the same lines, does a document object have an authorize method that accepts a user or group to determine if they have access?

So, how does one handle security using an object oriented approach?

Thanks

-- Jeff
