Re: [Acegisecurity-developer] Instance security
App Fuse mailing list wrote:

> ok, so the term voter is specific to Acegisecurity etc, and not a wider used term in Spring, IOC, AOP etc. that I have missed?
>
> I'll look at the code and see what I understand :-)
>
> Thanks Justin

Justin,

net.sf.acegisecurity.vote.RoleVoter is an Acegi Security-specific interface. It's actually called by one of the Based classes in the same package, which tally the votes using different rules (eg AffirmativeBased, UnanimousBased etc). The Based classes (or another implementation of AccessDecisionManager) are called by a MethodSecurityInterceptor or a FilterSecurityInterceptor (or indeed any subclass of AbstractSecurityInterceptor).

The RoleVoter is the typical way of implementing custom authorization decisions. Although people are also free to write their own AccessDecisionManager and do something else entirely.

The net.sf.acegisecurity.acl.basic package is typically tied in via a RoleVoter. If you want to perform instance-based security on a method invocation, you'd typically write a custom RoleVoter which consults the AclManager to look up the instance's access control list. Alternatively, your business method itself or your own ACL interceptor can call the AclManager to look up the access control list.

The ACL package merely returns the effective ACLs. Your application still needs to know what the ACLs mean and how to respond. Typically you'll throw an AccessDeniedException if an unauthorized operation is requested, but people are equally free to null out values in the returned object, roll back a transaction, log the event or some other behavior.

HTH
Ben
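The voter-plus-ACL arrangement described in the message above, as an added example that is not part of the original thread and is not Acegi Security code. Vote, AclLookup, Voter, AclVoter, decide and the ACL_ attribute prefix are stand-in names made up here (AclLookup plays the role of the AclManager, java.lang.SecurityException stands in for AccessDeniedException), and the ACL table is constructed sample data.

```java
import java.util.*;

// Added illustration: every type below is a stand-in written for this example,
// NOT a net.sf.acegisecurity class.
public class InstanceVoterExample {
    enum Vote { GRANTED, DENIED, ABSTAIN }

    interface AclLookup {   // plays the role of the AclManager: returns effective entries only
        Set<String> permissionsFor(Object instance, String principal);
    }

    interface Voter { Vote vote(String principal, Object instance, String attr); }

    // Votes only on attributes it recognises ("ACL_<PERMISSION>"); abstains on the rest
    // so that other voters (e.g. a role-based one) can decide those.
    static class AclVoter implements Voter {
        private final AclLookup acls;
        AclVoter(AclLookup acls) { this.acls = acls; }

        public Vote vote(String principal, Object instance, String attr) {
            if (!attr.startsWith("ACL_")) return Vote.ABSTAIN;
            String needed = attr.substring("ACL_".length());
            // The lookup does not decide anything; interpreting the entries is the voter's job.
            return acls.permissionsFor(instance, principal).contains(needed)
                    ? Vote.GRANTED : Vote.DENIED;
        }
    }

    // Affirmative tally: one GRANTED is enough. If every voter abstains or denies,
    // this example fails closed and throws.
    static void decide(List<Voter> voters, String principal, Object instance, String attr) {
        for (Voter v : voters)
            if (v.vote(principal, instance, attr) == Vote.GRANTED) return;
        throw new SecurityException("Access denied: " + principal + " lacks " + attr);
    }

    public static void main(String[] args) {
        // Constructed sample data: alice may READ and WRITE contact 7, bob may only READ it.
        Map<String, Set<String>> table = new HashMap<>();
        table.put("contact:7|alice", new HashSet<>(Arrays.asList("READ", "WRITE")));
        table.put("contact:7|bob", new HashSet<>(Collections.singletonList("READ")));
        AclLookup lookup = (inst, who) ->
                table.getOrDefault(inst + "|" + who, Collections.emptySet());
        List<Voter> voters = Collections.singletonList(new AclVoter(lookup));

        decide(voters, "alice", "contact:7", "ACL_WRITE");    // returns normally
        try {
            decide(voters, "bob", "contact:7", "ACL_WRITE");  // no WRITE entry for bob
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```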
Re: [Acegisecurity-developer] Instance security
ok, so the term voter is specific to Acegisecurity etc, and not a wider used term in Spring, IOC, AOP etc. that I have missed?

I'll look at the code and see what I understand :-)

Thanks Justin

On Sep 24, 2004, at 5:37 PM, March, Andres wrote:

> A voter is defined in the documentation. Don't know if you are asking what one is or how I applied it. The voter is registered with an interceptor that is applied to my business methods. So anywhere I want to secure objects involved in a business method I register the interceptor on them.
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of App Fuse mailing list
> > Sent: Friday, September 24, 2004 9:30 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Acegisecurity-developer] Instance security
> >
> > What does "voter" apply to in these case?
> >
> > Thanks Justin
> >
> > > The only other thing that I added which I find extremely valuable is a voter for ACL security. The ACL package does not include this but I find it is the best manner in which to check access on an instance.

--- This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170 Project Admins to receive an Apple iPod Mini FREE for your judgement on who ports your project to Linux PPC the best. Sponsored by IBM. Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
___
Acegisecurity-developer mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
RE: [Acegisecurity-developer] Instance security
A voter is defined in the documentation. Don't know if you are asking what one is or how I applied it. The voter is registered with an interceptor that is applied to my business methods. So anywhere I want to secure objects involved in a business method I register the interceptor on them.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of App Fuse mailing list
> Sent: Friday, September 24, 2004 9:30 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Acegisecurity-developer] Instance security
>
> What does "voter" apply to in these case?
>
> Thanks Justin
>
> > The only other thing that I added which I find extremely valuable is a voter for ACL security. The ACL package does not include this but I find it is the best manner in which to check access on an instance.
Re: [Acegisecurity-developer] Instance security
What does "voter" apply to in these case?

Thanks Justin

> The only other thing that I added which I find extremely valuable is a voter for ACL security. The ACL package does not include this but I find it is the best manner in which to check access on an instance.
RE: [Acegisecurity-developer] Instance security
Everything in the acl package is specifically for this purpose. It is fairly well documented but the best way to learn is to look at the test cases. I am using the ACL stuff for instance based security but have a different data model, so I wrote my own DAO to return ACL entries. I really like the way it is architected and, for simple implementations, I think it needs no customization.

The only other thing that I added which I find extremely valuable is a voter for ACL security. The ACL package does not include this but I find it is the best manner in which to check access on an instance.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of App Fuse mailing list
> Sent: Friday, September 24, 2004 5:53 AM
> To: [EMAIL PROTECTED]
> Subject: [Acegisecurity-developer] Instance security
>
> hi all,
>
> I'm just starting to learn about acegisecurity. I've been looking at the archive and was just wondering what the current status of:
>
> Instance security in .61
> Documentation on the above.
> Example applications/code using above.
>
> newbie :-)
>
> Thanks !!!
Re: [Acegisecurity-developer] Instance security
On Fri, 24 Sep 2004 09:40:48 -0500, Scott McCrory wrote

> The best example I've seen on this is (although embedded in the service code) the ContactManagerFacade.java code in Acegi's samples.

Actually I misstated this - it's NOT embedded in ContactManagerFacade's service code since it fronts a "backend" ContactManager. Sorry!

Scott
Re: [Acegisecurity-developer] Instance security
On Fri, 24 Sep 2004 13:53:12 +0100, App Fuse mailing list wrote

> hi all,
>
> I'm just starting to learn about acegisecurity. I've been looking at the archive and was just wondering what the current status of:
>
> Instance security in .61
> Documentation on the above.
> Example applications/code using above.

Since instance security is specific to the objects you're protecting and the kinds of checks you do inside of (or right "above") your service methods, ultimately you'll have to write this yourself. That said, the underlying support is there, although the docs don't cover it much (I'll be glad to help in that regard).

Maybe if I share how I'm approaching the problem you can glean something from it. Note that I've only implemented 25% of the ideas below, so if you or anyone sees a better way, please let me know. ;-)

My application's security can be organized as protecting 3 things - 1) the visibility of GUI elements like links, buttons, columns, tabs, 2) the visibility of database records and 3) the access to my service methods.

I'll protect #1 using the authz JSP tag and mapping role sets to visual elements (I still like the term entitlements better, but that's just me). I'll protect #2 by including the user's identity in formulating DB queries, and I'll protect the service methods by including declarative security and those same roles mentioned above, as well as programmatically using the user's identity and the object's identity to determine if they can update or delete the thing.

This could be done inside of the service methods themselves, but I'm leaning towards putting these checks in a service facade just "above" to keep the services clean. The best example I've seen on this is (although embedded in the service code) the ContactManagerFacade.java code in Acegi's samples. Take a look at the getById(int) method for more info.

HTH,
Scott