Hi All,

With the current migration of the EMM webapp from UUF v0.1 to v0.2 (Jaggery
based implementation), we are trying to standardize the permission check for
UI bits. We need to check permissions at the “pages” level as well as at the
granular “units” level. For example: show/hide a button based on UI
permission. It should also be noted that these permissions are not unique to
the front-end, and thus can be directly mapped onto the respective back-end
OSGi services. For example: device enroll permission will be checked on the
enrollment page (front-end), as well as inside the respective enrollment
OSGi service (back-end).

There is also a requirement that any third-party application should be
able to write its own UI based on our web APIs. Hence we are expecting to
expose isAuthorized() via JAX-RS too. SOAP clients will be able to directly
call the admin service.

[image: Inline image 1]



As per the diagram, when an EMM web app receives a page render request from
the browser, UUF will execute the method isAuthorized() at the back-end
JavaScript layer. JavaScript will include the “carbon” Jaggery module, which
will import the RealmService OSGi service. Using RealmService we can invoke
Authorizer.isRoleAuthorized().

Whenever a third-party application requests a permission check via
EMM-API (JAX-RS), the final result should be given by invoking the same
Authorizer.isRoleAuthorized() method.

One concern with this design was how to improve the *performance* of OSGi
calls per permission check. One such suggestion is to retrieve all
permissions for the current user and persist them in the “session”. IMO this
would result in some unforeseen issues, and a permission update on the
backend will not be immediately applied to the already logged-in users (e.g.
longer session timeouts). For example: users will still see the action
buttons, but when they click on them, a permission error will be returned.
On the other hand, managing cache coherency is an extra effort for this
approach. My suggestion is to utilize the permission check cache (if it
exists) at the user-core level, which would be consistent across the
platform.

WDYT?

@DS/UUF Team: I hope we need a similar permission check feature with the
{{permission}} handlebar helper.

-- 
With Regards,

*Rasika Perera*
Software Engineer
LinkedIn: http://lk.linkedin.com/in/rasika90


WSO2 Inc. www.wso2.com
lean.enterprise.middleware
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
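
The stale-session concern raised in the message above, as an added example that is not part of the original email and is not WSO2 or Jaggery code: plain JavaScript stand-ins compare a per-session permission snapshot with one shared decision cache that is cleared whenever permissions change. All names, the sample role and the permission path are hypothetical.

```javascript
// Added illustration: plain JavaScript stand-ins, not WSO2 / Jaggery APIs.
// Constructed sample data: role -> permission paths, user -> roles.
const rolePermissions = new Map([
  ["device-operator", new Set(["/permission/device/enroll"])],
]);
const userRoles = new Map([["alice", ["device-operator"]]]);

// Stand-in for the single back-end check that every caller should end up at.
let backendCalls = 0;
function isRoleAuthorized(role, permission) {
  backendCalls++;
  const perms = rolePermissions.get(role);
  return perms !== undefined && perms.has(permission);
}

// Approach A: copy the user's permissions into the session at login.
function login(user) {
  const snapshot = new Set();
  for (const role of userRoles.get(user) || []) {
    for (const p of rolePermissions.get(role) || []) snapshot.add(p);
  }
  return { user, permissions: snapshot };
}

// Approach B: one shared cache in front of the back-end check, cleared by
// the same code path that changes permissions.
const decisionCache = new Map();
function isAuthorized(user, permission) {
  const key = user + "|" + permission;
  if (!decisionCache.has(key)) {
    const roles = userRoles.get(user) || [];
    decisionCache.set(key, roles.some((r) => isRoleAuthorized(r, permission)));
  }
  return decisionCache.get(key);
}
function revokePermission(role, permission) {
  const perms = rolePermissions.get(role);
  if (perms) perms.delete(permission);
  decisionCache.clear(); // coarse invalidation; UI and service stay aligned
}

function demo() {
  const P = "/permission/device/enroll";
  const session = login("alice");
  const before = [isAuthorized("alice", P), isAuthorized("alice", P)];
  const callsBefore = backendCalls; // second check was served from the cache
  revokePermission("device-operator", P);
  return { before, callsBefore, sessionSays: session.permissions.has(P),
           centralSays: isAuthorized("alice", P) };
}
const result = demo();
console.log(result);
```

After the revoke, the session snapshot still reports the permission as granted, while the shared cache returns the updated decision on the next check.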
