One detail i forgot to mention is that when you init() your KeyRing object, you'll want to set all the keys to false by default, and then do your setInstanceFromStruct(). At some point you'll want to add new keys to the KeyRing, and your users may not have updated keyRings yet. That will preserve the integrity of the system, and the admin will only need to "give" the key to the users that need it.
 
By the same token, your setInstanceFromStruct() method should check for the existence of the key before trying to set it, in case it's not on the user's keyRing yet.
 
<cffunction name="setInstanceFromStruct" returntype="void" output="false">
  <cfargument name="data" required="true" type="struct" hint="The struct containing the data to set." />
  <cfscript>
    // Only set keys that are actually present in the struct; a user's stored
    // keyRing may predate a newly added key, which then keeps its default of false.
    if (structKeyExists(arguments.data, "publishContent")) {
      setPublishContent(arguments.data.publishContent);
    }

    ......
  </cfscript>
</cffunction>
 
<http://www.halhelms.com/index.cfm?fuseaction=newsletters.show&issue=052203_rolesBasedSecurity>
 
Of course, this is just a starting point i've mapped out, but once this much is clear, the rest of the elements you need can fall into place around it.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Chastain
Sent: Friday, January 21, 2005 5:50 PM
To: [email protected]
Subject: RE: [CFCDev] OO Security

Thanks Nando, that makes a lot more sense now.  Any chance you could give me a pointer to the article by Hal that you referenced?  I am going through my back issues of CFDJ and I have not found it yet.

Thanks
-- Jeff


From: "Nando" <[EMAIL PROTECTED]>
Sent: Friday, January 21, 2005 10:44 AM
To: [email protected]
Subject: RE: [CFCDev] OO Security


In its simplest form, a keyring could just be a structure, permissionKey. When a user is created or edited, the admin assigns the keys that a user is allowed via a set of radio buttons and that gets converted into a structure.
 
I decided to store a user's keyRing in the DB via WDDX, because it's simple and works well. Joe Celko's nested set model might be overkill, at least in the kinds of apps i work on. I can't imagine i'd need more than 10 or 20 keys, one "ring" is enough. Perhaps for other applications, you'd need more of a hierarchy of key rings. I don't know ... i can't think of a practical use for that, but i might not understand the use case. The user interface to admin it would be kinda complex as well.
 
Then when a user logs in, the WDDX'ed keyRing is retrieved from the DB and converted back into a structure. Then from there, you could either simply use the structure in your application,
 
if session.permissionKey.publishContent
 
... publish content stuff here
 
OR go a more OO route, load the permissionKey structure into your KeyRing object (a simple bean with boolean members) via a setInstanceFromStruct() method and use it within your application like so
 
if session.keyRing.getPublishContentKey()
 
... publish content stuff here
 
If you use a KeyRing object, you have a source for your default keys ready to go.
 
Adapt and enhance. Those are the basics i'm working with.
 
ciao,
Nando
 
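As an added example (not Nando's or Hal Helms's code), here is the KeyRing bean described above written as a cfscript component, with the two later refinements from the top of the thread folded in: every key defaults to false in init(), and setInstanceFromStruct() only sets keys that exist in the incoming struct and that the bean knows about, so a stored ring that predates a new key, or a hand-edited struct with extra entries, can never grant more than the admin assigned. The key names, the knownKeys list, hasKey(), toStruct() and the session usage are assumptions for illustration; the syntax assumes a script-capable CFML engine (ColdFusion 9+ or Lucee).

```cfml
// KeyRing.cfc -- added example, not code from the thread.
// Assumed: the key names below and the method names other than
// init() / setInstanceFromStruct() are illustrative choices.
component displayname="KeyRing" output="false" {

    // Every permission the application knows about. Adding a new key is a
    // one-line change here; rings stored before the change simply read false.
    variables.knownKeys = [ "publishContent", "editUsers", "viewReports" ];
    variables.instance  = {};

    public KeyRing function init() {
        // Default deny: nothing is granted until the admin's struct says so.
        for (var keyName in variables.knownKeys) {
            variables.instance[keyName] = false;
        }
        return this;
    }

    /**
     * Load keys from the struct built by the admin UI or read back from the DB.
     * Keys missing from the struct keep their default of false; keys the bean
     * does not know are ignored rather than added, so unknown entries in a
     * stored or tampered struct cannot become permissions.
     */
    public KeyRing function setInstanceFromStruct(required struct data) {
        for (var keyName in variables.knownKeys) {
            if (structKeyExists(arguments.data, keyName)) {
                var value = arguments.data[keyName];
                // Anything that is not a recognisable boolean counts as "no key".
                variables.instance[keyName] = (isBoolean(value) && value);
            }
        }
        return this;
    }

    // Generic check: an unknown key name is a missing key, never an error.
    public boolean function hasKey(required string keyName) {
        return structKeyExists(variables.instance, arguments.keyName)
            && variables.instance[arguments.keyName];
    }

    // Typed getter in the style Nando describes.
    public boolean function getPublishContentKey() {
        return hasKey("publishContent");
    }

    // Plain struct view, e.g. for serialising the ring back to the DB.
    public struct function toStruct() {
        return duplicate(variables.instance);
    }
}
```

Usage after login, assuming `storedRing` is the struct deserialised from the user's row: `session.keyRing = new KeyRing().setInstanceFromStruct(storedRing);` and then `if (session.keyRing.getPublishContentKey()) { ... }`. A constructed struct such as `{ publishContent = true, bogusKey = true }` yields a ring where only publishContent is true: editUsers and viewReports stay false because they were absent, and bogusKey is dropped because the bean does not know it.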
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Kotek
Sent: Friday, January 21, 2005 4:18 PM
To: [email protected]
Subject: RE: [CFCDev] OO Security

Nando, do you happen to have any examples of this that you could post up or email to me? I've read Hal's article but I'd be interested to see a working version of it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nando
Sent: Friday, January 21, 2005 10:07 AM
To: [email protected]
Subject: RE: [CFCDev] OO Security

I really like Hal's conceptual model of permissions. He has an article on his site, i believe, that presents it in terms of a set of keys. Whatever their role, users are either given a key or not to use a function in the application.

What that becomes then is a PermissionKey set of boolean values, or a KeyRing. So rather than the abstract concept Security ... KeyRing is a more solid concept to start building an OO model from.

I use this conceptual model and i really like it. Keys can be added or removed very easily from the system. And it's very flexible. A user can be assigned a permission that would be out of the ordinary for their role - and as Hal points out in his article, that tends to happen in real life scenarios fairly often.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Chastain
Sent: Friday, January 21, 2005 3:29 PM
To: [email protected]
Subject: [CFCDev] OO Security

How does one go about building a security framework using an object oriented approach?  The question I am getting at is that 'security' is not an object in the same sense that a user or a document is an object.

So, does a user object have an authenticate method that accepts a username and password?  Something about this does not seem right.

Along the same lines, does a document object have an authorize method that accepts a user or group to determine if they have access?

So, how does one handle security using an object oriented approach?

Thanks

-- Jeff

