Finegrained access control
How do you implement fine-grained access control?

For a project I need to implement fine-grained access control. My idea is to let a JDBC-Realm handle the login and to implement the fine-grained access control where the role may vary for the specific users and the pages they look at. This I would implement in RequestProcessor.processActionPerform(...) where I check the user's role for the specific page and, based on that, get the response tailored for that role and check whether they may do what they intend.

Example: Some users may edit a page. Who may edit the page varies over time. The user's role on the page is set per page.

As far as I understand, Realm only checks whether the user may use a specific method (action). No fine-grained access control is possible.

I'm surely not the first to do something like this. So please enlighten me with ideas on how you'd implement this.

Morten Andersen
Denmark

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Finegrained access control
Morten Andersen wrote:
> This I would implement in RequestProcessor.processActionPerform(...) where I check the user's role for the specific page and, based on that, get the response tailored for that role and check whether they may do what they intend.

RequestProcessor.processRoles?

> Example: Some users may edit a page. Who may edit the page varies over time. The user's role on the page is set per page.
>
> As far as I understand, Realm only checks whether the user may use a specific method (action). No fine-grained access control is possible.

How fine-grained do you want it? If the Realm stuff allows method-level access that seems finer-grained than URL, but I think I'm just not completely understanding your question.

If you want _fine_-grained access control drop Spring on top of Struts and use Acegi.

Dave
Re: Finegrained access control
Dave Newton wrote:
> Morten Andersen wrote:
>> This I would implement in RequestProcessor.processActionPerform(...) where I check the user's role for the specific page and, based on that, get the response tailored for that role and check whether they may do what they intend.
>
> RequestProcessor.processRoles?

The role thing should be used for 2 things:

* Access control. May the user submit or view a page?
* View control. The role decides what the user sees.

>> Example: Some users may edit a page. Who may edit the page varies over time. The user's role on the page is set per page.
>>
>> As far as I understand, Realm only checks whether the user may use a specific method (action). No fine-grained access control is possible.
>
> How fine-grained do you want it? If the Realm stuff allows method-level access that seems finer-grained than URL, but I think I'm just not completely understanding your question.

In the web.xml I can set some security constraints for URL patterns. I basically want to use some request parameters to determine the role.

> If you want _fine_-grained access control drop Spring on top of Struts and use Acegi.

I'll look into that.

> Dave
Re: Finegrained access control
Dave Newton wrote:
> If you want _fine_-grained access control drop Spring on top of Struts and use Acegi.

For us not wanting to put yet another framework into the table, any advice and pointers from more experienced people out there? My usual requirement is operation rights for roles in groups (due to resources belonging to groups) and I am currently trying to fit JAAS into the picture and take advantage of doclets etc., but I still haven't even scratched the surface on this one.

Manos
Re: Finegrained access control
On 2/28/06, Emmanouil Batsis [EMAIL PROTECTED] wrote:
> Dave Newton wrote:
>> If you want _fine_-grained access control drop Spring on top of Struts and use Acegi.
>
> For us not wanting to put yet another framework into the table, any advice and pointers from more experienced people out there? My usual requirement is operation rights for roles in groups (due to resources belonging to groups) and I am currently trying to fit JAAS into the picture and take advantage of doclets etc., but I still haven't even scratched the surface on this one.

JAAS can be complex. Sounds like the problem is to do with realm configuration and how to use the servlet spec security model. A JDBC or DataSource realm will fit most requirements, rather than getting bogged down in JAAS.

http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html

Once the context is configured you need to tell your webapp what to do in web.xml:

  <security-constraint>
    <display-name>Access control</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>myrealm</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/loginError.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

The fields in your html form must follow the spec (action, and field names) to work with the realm stuff.

  <form action="j_security_check" method="POST">
    <input type="text" name="j_username" />
    <input type="password" name="j_password" />
  </form>

Mark

> Manos
Re: Finegrained access control
Mark Lowe wrote:
> On 2/28/06, Emmanouil Batsis [EMAIL PROTECTED] wrote:
>> Dave Newton wrote:
>>> If you want _fine_-grained access control drop Spring on top of Struts and use Acegi.
>>
>> For us not wanting to put yet another framework into the table, any advice and pointers from more experienced people out there? My usual requirement is operation rights for roles in groups (due to resources belonging to groups) and I am currently trying to fit JAAS into the picture and take advantage of doclets etc., but I still haven't even scratched the surface on this one.
>
> JAAS can be complex. Sounds like the problem is to do with realm configuration and how to use the servlet spec security model. A JDBC or DataSource realm will fit most requirements, rather than getting bogged down in JAAS.
>
> http://tomcat.apache.org/tomcat-5.0-doc/realm-howto.html

OK. I'm currently using Realm almost like suggested by Mark. The only exception is that I only let some of the actions be under security. In practice this means that I can show something (like a website) to people that are not logged in while only showing the editor buttons to people that are logged in.

Now, if I can determine whether the user has logged in, how can I use the request parameters to determine the user's role on specific pages?

I know that I can invent my own control, it just seems like something many others would need. Any tools available?

Morten
Re: Finegrained access control
Morten Andersen wrote:
> Now, if I can determine whether the user has logged in, how can I use the request parameters to determine the user's role on specific pages?
>
> I know that I can invent my own control, it just seems like something many others would need. Any tools available?

I still don't get this: why would you want request parameters to have anything to do with determining security/access levels? That seems really dangerous.

Are you talking about adding request _attributes_ to determine view issues?

Dave
Re: Finegrained access control
On 2/28/06, Dave Newton [EMAIL PROTECTED] wrote:
> Morten Andersen wrote:
>> Now, if I can determine whether the user has logged in, how can I use the request parameters to determine the user's role on specific pages?
>>
>> I know that I can invent my own control, it just seems like something many others would need. Any tools available?

You'll know the user is logged in, otherwise s/he can only see the login page. When you log in to a realm, no matter what you're using to log in (JAAS module, JDBC/DataSource realm auth, LDAP), whatever, the authenticator has to put a security principal in the user's session that must be accessible by request.getUserPrincipal() and also request.isUserInRole() (or some jazz like that).

First make sure your login is all working and then in your welcome page do something like

  <%= request.getUserPrincipal() %>

If it works it should give you a toString representation of a class that implements Principal. In Tomcat it's something like GenericUserPrincipal. Assuming you've used a JDBC or DataSource realm and the query works etc. and so on, the Principal has the roles listed from the relevant query.

Get this far and you're done, you can use finer-grained control (which roles can do which actions in struts-config).

  <action path="/foo" roles="manager,slave" ...>

Mark

> I still don't get this: why would you want request parameters to have anything to do with determining security/access levels? That seems really dangerous.
>
> Are you talking about adding request _attributes_ to determine view issues?
>
> Dave
Re: Finegrained access control
Dave Newton wrote:
> Morten Andersen wrote:
>> Now, if I can determine whether the user has logged in, how can I use the request parameters to determine the user's role on specific pages?
>>
>> I know that I can invent my own control, it just seems like something many others would need. Any tools available?
>
> I still don't get this: why would you want request parameters to have anything to do with determining security/access levels? That seems really dangerous.

Here's an example: The user Peter may edit the page Home. On all other pages he just sees the page, but on Home an extra button is added: "Edit this page". Then when Peter presses that button he is brought to the editing page. There he can edit the page, but only if his role is really editor on that page. Not all users may use an action on all pages.

I use Realm to figure out whether the user has logged in by putting the action that brings the user to the editing page under security restriction, but it just doesn't handle the finer-grained access control where I can match a page and a user to check the user's role on that specific page.

Why is this dangerous? How can I avoid these dangers?

Morten

> Are you talking about adding request _attributes_ to determine view issues?
>
> Dave
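One way to realise the per-page editor check Morten describes while answering Dave's objection, added here as an example and not code from anyone in the thread: the request parameter names only WHICH page is meant, while the role is looked up server-side against the principal the Realm authenticated, so a client cannot claim a role by supplying one. The PageAcl store, its sample grant, and the /viewPage and /editPage action paths are assumptions; it also assumes Struts 1.x (processRoles exists there) and Java 8 or later.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.RequestProcessor;

/** Struts 1.x RequestProcessor adding a per-page role check on top of the container roles
 *  the Realm enforces. Wired in struts-config.xml with
 *  <controller processorClass="PageRoleRequestProcessor"/> */
public class PageRoleRequestProcessor extends RequestProcessor {
    /** Hypothetical server-side store of page roles: pageId -> (username -> role). */
    static class PageAcl {
        private final Map<String, Map<String, String>> grants = new HashMap<>();
        void grant(String pageId, String username, String role) {
            grants.computeIfAbsent(pageId, k -> new HashMap<>()).put(username, role);
        }
        /** Role the authenticated user holds on this page; "viewer" when none is granted. */
        String roleOn(Principal user, String pageId) {
            Map<String, String> onPage = grants.getOrDefault(pageId, new HashMap<>());
            return onPage.getOrDefault(user.getName(), "viewer");
        }
    }

    // Constructed sample grant (Morten's example); a real app loads these from the database.
    private final PageAcl acl = new PageAcl();
    { acl.grant("Home", "peter", "editor"); }

    @Override
    protected boolean processRoles(HttpServletRequest request, HttpServletResponse response,
                                   ActionMapping mapping) throws IOException, ServletException {
        if (!super.processRoles(request, response, mapping)) {
            return false;                                  // roles="..." on <action> still apply
        }
        Principal user = request.getUserPrincipal();       // set by the Realm, never by the client
        String pageId = request.getParameter("page");      // WHICH page: the only client input used
        boolean editor = user != null && pageId != null
                && "editor".equals(acl.roleOn(user, pageId));
        if ("/viewPage".equals(mapping.getPath())) {
            request.setAttribute("canEditPage", editor);   // view control: JSP shows the Edit button
        } else if ("/editPage".equals(mapping.getPath()) && !editor) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // access control: deny the edit
            return false;
        }
        return true;
    }
}
```

The JSP renders the Edit button only when the canEditPage attribute is true, but that is purely view control; the sendError on /editPage is the check that actually enforces who may edit, so hiding the button is never the only defence.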