Re: object based security (owner)
On Tue, Mar 18, 2014 at 10:02 AM, Dmitriy Vsekhvalnov <dvsekhval...@gmail.com> wrote:
> Kalle, do you mean it works only for traversing the object graph? (sorry, I
> probably have to check myself before asking stupid questions).

Yes. It checks that a security principal of the currently executing subject matches the id of the configured association (e.g. "owner") of the entity that's being operated on.

Kalle

> On Tue, Mar 18, 2014 at 8:31 PM, Kalle Korhonen wrote:
>
>> On Tue, Mar 18, 2014 at 7:43 AM, Dmitriy Vsekhvalnov <dvsekhval...@gmail.com> wrote:
>>
>>> Does tapestry-security-jpa provide data filtering support? E.g. when I
>>> execute a .list() operation with a query, can it apply a filter based on owner
>>> or other rule, like Hibernate filters?
>>
>> No, this is meant strictly for securing data instances based on their
>> association with the currently executing subject. There's no concept for
>> filtering and there's no need to explicitly apply a filter based on owner.
>>
>> Kalle
>>
>>> On Tue, Mar 18, 2014 at 5:08 PM, Ken in Nashua wrote:
>>>
>>>> Thanks Kalle, that's the answer I was seeking.
>>>>
>>>> Which persistence Service would in order to ORM o MySQL?
>>>>
>>>> Does that JPA construct do it itself somehow like javabeans or can I use
>>>> the existing hibernate persistence service that comes with your suite?
>>>>
>>>> Thanks for the solution, appreciate that.
>>>> Ken
Re: object based security (owner)
Kalle, do you mean it works only for traversing the object graph? (sorry, I probably have to check myself before asking stupid questions).

On Tue, Mar 18, 2014 at 8:31 PM, Kalle Korhonen wrote:
> On Tue, Mar 18, 2014 at 7:43 AM, Dmitriy Vsekhvalnov <dvsekhval...@gmail.com> wrote:
>
>> Does tapestry-security-jpa provide data filtering support? E.g. when I
>> execute a .list() operation with a query, can it apply a filter based on owner
>> or other rule, like Hibernate filters?
>
> No, this is meant strictly for securing data instances based on their
> association with the currently executing subject. There's no concept for
> filtering and there's no need to explicitly apply a filter based on owner.
>
> Kalle
>
>> On Tue, Mar 18, 2014 at 5:08 PM, Ken in Nashua wrote:
>>
>>> Thanks Kalle, that's the answer I was seeking.
>>>
>>> Which persistence Service would in order to ORM o MySQL?
>>>
>>> Does that JPA construct do it itself somehow like javabeans or can I use
>>> the existing hibernate persistence service that comes with your suite?
>>>
>>> Thanks for the solution, appreciate that.
>>> Ken
Re: object based security (owner)
On Tue, Mar 18, 2014 at 7:43 AM, Dmitriy Vsekhvalnov wrote:
> Does tapestry-security-jpa provide data filtering support? E.g. when I
> execute a .list() operation with a query, can it apply a filter based on owner
> or other rule, like Hibernate filters?

No, this is meant strictly for securing data instances based on their association with the currently executing subject. There's no concept for filtering and there's no need to explicitly apply a filter based on owner.

Kalle

> On Tue, Mar 18, 2014 at 5:08 PM, Ken in Nashua wrote:
>
>> Thanks Kalle, that's the answer I was seeking.
>>
>> Which persistence Service would in order to ORM o MySQL?
>>
>> Does that JPA construct do it itself somehow like javabeans or can I use
>> the existing hibernate persistence service that comes with your suite?
>>
>> Thanks for the solution, appreciate that.
>> Ken
Re: object based security (owner)
On Tue, Mar 18, 2014 at 6:08 AM, Ken in Nashua wrote:
> Thanks Kalle, that's the answer I was seeking.
>
> Which persistence Service would in order to ORM o MySQL?
>
> Does that JPA construct do it itself somehow like javabeans or can I use
> the existing hibernate persistence service that comes with your suite?

I've explained this in the guide, but it works with JPA only and is a facade for EntityManager.

Kalle
Re: object based security (owner)
Does tapestry-security-jpa provide data filtering support? E.g. when I execute a .list() operation with a query, can it apply a filter based on owner or other rule, like Hibernate filters?

On Tue, Mar 18, 2014 at 5:08 PM, Ken in Nashua wrote:
> Thanks Kalle, that's the answer I was seeking.
>
> Which persistence Service would in order to ORM o MySQL?
>
> Does that JPA construct do it itself somehow like javabeans or can I use
> the existing hibernate persistence service that comes with your suite?
>
> Thanks for the solution, appreciate that.
> Ken
RE: object based security (owner)
Thanks Kalle, that's the answer I was seeking.

Which persistence Service would in order to ORM o MySQL?

Does that JPA construct do it itself somehow like javabeans or can I use the existing hibernate persistence service that comes with your suite?

Thanks for the solution, appreciate that.
Ken
Re: object based security (owner)
Very nice.

On 16/03/2014, at 3:00 AM, Kalle Korhonen wrote:
> There's also http://tynamo.org/tapestry-security-jpa+guide that has
> annotations and works at the entity level - it's JPA only at the moment.
>
> Kalle
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
Re: object based security (owner)
Oops, I said "The service can return a really nasty error if it fails - there's no need to be nice because the user should not be in that situation unless they've hacked the URL." What I should have said is that if the user does not even have read rights to the requested item then the service can return nothing, acting as if the requested item does not exist.

On 15/03/2014, at 11:22 PM, Geoff Callender wrote:
> In my world this distinction is often referred to as "data rights" vs.
> "function rights".
>
> Function rights can indeed be handled by restricting access to pages and
> components with annotations and sometimes a bit of conditional logic in the
> template. It's up to you whether you check function rights in the business
> tier too.
>
> Data rights however are tricky. You have to check every request and be very
> careful what's in every response, particularly list responses. However, in my
> experience the range of checks needed to determine whether a user has the
> data rights for a given request is usually very small. E.g. you get the user
> from the session and decide:
>
> - Does the thing being requested belong to them?
> - Or more usually, are they in the department that owns what's being
> requested?
> - Can the user update things in their department or only read them?
>
> In the web tier you could create a Tapestry service, say DataRightsChecker,
> inject it when it's needed, and have a method for each of the likely checks.
> In most web requests you'll probably find that you need to call only one or
> two methods and you're done. The service can return a really nasty error if
> it fails - there's no need to be nice because the user should not be in that
> situation unless they've hacked the URL. Ensure that normal site behaviour
> never takes them into a situation where they lack the function or data rights.
>
> Again, it's up to you whether you check data rights in the business tier too.
> It's also up to you whether you go the whole hog and set up data rights in
> the database itself.
>
>
> On 15 March 2014 21:36, Boris Horvat wrote:
>> I could be missing something, but isn't this a database question? How to
>> model your tables and relationships between them?
>>
>> I don't see this as being a tapestry related question, to be honest.
>>
>>
>> On Sat, Mar 15, 2014 at 10:41 AM, Jens Breitenstein wrote:
>>
>>> Hi Ken!
>>>
>>> This sounds more like a "persistence" question, to be honest. How do you
>>> store / persist the user data?
>>>
>>>
>>> Jens
>>>
>>>
>>> On 15.03.14 06:44, Ken in Nashua wrote:
>>>
>>>> Hi Folks,
>>>>
>>>> I want to create a web site data model whereby... whatever a user
>>>> creates... they own.
>>>>
>>>> And when they come back to the website to operate again... they will see
>>>> only what they own.
>>>>
>>>> It's not as much page based security as it is object based security...
>>>> as in model object.
>>>>
>>>> Are there annotations available or mechanisms within tapestry-security to
>>>> perform this in one hit so I can just put it at the top of my class (an
>>>> annotation) or page and operate only on what the owner created?
>>>>
>>>> Thanks
>>
>>
>> --
>> Sincerely
>> *Boris Horvat*
Re: object based security (owner)
There's also http://tynamo.org/tapestry-security-jpa+guide that has annotations and works at the entity level - it's JPA only at the moment.

Kalle

On Sat, Mar 15, 2014 at 5:22 AM, Geoff Callender <geoff.callender.jumpst...@gmail.com> wrote:
> In my world this distinction is often referred to as "data rights" vs.
> "function rights".
>
> Function rights can indeed be handled by restricting access to pages and
> components with annotations and sometimes a bit of conditional logic in the
> template. It's up to you whether you check function rights in the business
> tier too.
>
> Data rights however are tricky. You have to check every request and be very
> careful what's in every response, particularly list responses. However, in
> my experience the range of checks needed to determine whether a user has
> the data rights for a given request is usually very small. E.g. you get the
> user from the session and decide:
>
> - Does the thing being requested belong to them?
> - Or more usually, are they in the department that owns what's being
> requested?
> - Can the user update things in their department or only read them?
>
> In the web tier you could create a Tapestry service, say DataRightsChecker,
> inject it when it's needed, and have a method for each of the likely
> checks. In most web requests you'll probably find that you need to call
> only one or two methods and you're done. The service can return a really
> nasty error if it fails - there's no need to be nice because the user
> should not be in that situation unless they've hacked the URL. Ensure that
> normal site behaviour never takes them into a situation where they lack the
> function or data rights.
>
> Again, it's up to you whether you check data rights in the business tier
> too. It's also up to you whether you go the whole hog and set up data
> rights in the database itself.
>
>
> On 15 March 2014 21:36, Boris Horvat wrote:
>
>> I could be missing something, but isn't this a database question? How to
>> model your tables and relationships between them?
>>
>> I don't see this as being a tapestry related question, to be honest.
>>
>>
>> On Sat, Mar 15, 2014 at 10:41 AM, Jens Breitenstein <mailingl...@j-b-s.de> wrote:
>>
>>> Hi Ken!
>>>
>>> This sounds more like a "persistence" question, to be honest. How do you
>>> store / persist the user data?
>>>
>>>
>>> Jens
>>>
>>>
>>> On 15.03.14 06:44, Ken in Nashua wrote:
>>>
>>>> Hi Folks,
>>>>
>>>> I want to create a web site data model whereby... whatever a user
>>>> creates... they own.
>>>>
>>>> And when they come back to the website to operate again... they will see
>>>> only what they own.
>>>>
>>>> It's not as much page based security as it is object based security...
>>>> as in model object.
>>>>
>>>> Are there annotations available or mechanisms within tapestry-security to
>>>> perform this in one hit so I can just put it at the top of my class (an
>>>> annotation) or page and operate only on what the owner created?
>>>>
>>>> Thanks
>>
>>
>> --
>> Sincerely
>> *Boris Horvat*
Re: object based security (owner)
In my world this distinction is often referred to as "data rights" vs. "function rights".

Function rights can indeed be handled by restricting access to pages and components with annotations and sometimes a bit of conditional logic in the template. It's up to you whether you check function rights in the business tier too.

Data rights however are tricky. You have to check every request and be very careful what's in every response, particularly list responses. However, in my experience the range of checks needed to determine whether a user has the data rights for a given request is usually very small. E.g. you get the user from the session and decide:

- Does the thing being requested belong to them?
- Or more usually, are they in the department that owns what's being requested?
- Can the user update things in their department or only read them?

In the web tier you could create a Tapestry service, say DataRightsChecker, inject it when it's needed, and have a method for each of the likely checks. In most web requests you'll probably find that you need to call only one or two methods and you're done. The service can return a really nasty error if it fails - there's no need to be nice because the user should not be in that situation unless they've hacked the URL. Ensure that normal site behaviour never takes them into a situation where they lack the function or data rights.

Again, it's up to you whether you check data rights in the business tier too. It's also up to you whether you go the whole hog and set up data rights in the database itself.

On 15 March 2014 21:36, Boris Horvat wrote:
> I could be missing something, but isn't this a database question? How to
> model your tables and relationships between them?
>
> I don't see this as being a tapestry related question, to be honest.
>
>
> On Sat, Mar 15, 2014 at 10:41 AM, Jens Breitenstein wrote:
>
>> Hi Ken!
>>
>> This sounds more like a "persistence" question, to be honest. How do you
>> store / persist the user data?
>>
>>
>> Jens
>>
>>
>> On 15.03.14 06:44, Ken in Nashua wrote:
>>
>>> Hi Folks,
>>>
>>> I want to create a web site data model whereby... whatever a user
>>> creates... they own.
>>>
>>> And when they come back to the website to operate again... they will see
>>> only what they own.
>>>
>>> It's not as much page based security as it is object based security...
>>> as in model object.
>>>
>>> Are there annotations available or mechanisms within tapestry-security to
>>> perform this in one hit so I can just put it at the top of my class (an
>>> annotation) or page and operate only on what the owner created?
>>>
>>> Thanks
>
>
> --
> Sincerely
> *Boris Horvat*
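As an added example (not code from this thread, from Tapestry or from tynamo), here is the DataRightsChecker idea from Geoff's message above, combined with his later correction that a read without rights should return nothing rather than an error, and with the owner-association check Kalle describes for tapestry-security-jpa. The User, Document, DataRightsChecker and DocumentService types are hypothetical plain Java standing in for a Tapestry service and a persistence layer:

```java
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical domain types (not from the thread): a user with a department, and an item that
// records its owner and department, the two things the checks in the thread look at.
record User(long id, long departmentId, boolean canUpdateDepartment) {}
record Document(long id, long ownerId, long departmentId, String title) {}
// One method per likely data-rights check, as suggested for a DataRightsChecker service.
class DataRightsChecker {
    boolean ownedBy(User u, Document d) { return d.ownerId() == u.id(); }
    boolean inUsersDepartment(User u, Document d) { return d.departmentId() == u.departmentId(); }
    boolean canRead(User u, Document d) { return ownedBy(u, d) || inUsersDepartment(u, d); }
    boolean canUpdate(User u, Document d) { return ownedBy(u, d) || (inUsersDepartment(u, d) && u.canUpdateDepartment()); }
}
// A service that applies the checks to every read, list and update.
class DocumentService {
    private final Map<Long, Document> store = new HashMap<>();  // stand-in for the database
    private final DataRightsChecker rights = new DataRightsChecker();
    void save(Document d) { store.put(d.id(), d); }

    // Read: without read rights the item is reported as absent, as if it did not exist,
    // so a hacked URL cannot tell "forbidden" from "no such id".
    Optional<Document> find(User u, long id) {
        Document d = store.get(id);
        return (d != null && rights.canRead(u, d)) ? Optional.of(d) : Optional.empty();
    }

    // List responses get the same per-element check; that is where leaks usually happen.
    List<Document> list(User u) {
        return store.values().stream().filter(d -> rights.canRead(u, d))
                .sorted(Comparator.comparingLong(Document::id)).collect(Collectors.toList());
    }

    // Update: read rights decide visibility, update rights decide whether the write happens.
    void update(User u, long id, String newTitle) {
        Document d = find(u, id).orElseThrow(() -> new NoSuchElementException("no such document"));
        if (!rights.canUpdate(u, d)) throw new SecurityException("no update rights on " + id);
        store.put(id, new Document(id, d.ownerId(), d.departmentId(), newTitle));
    }
}

public class DataRightsDemo {
    public static void main(String[] args) {
        DocumentService svc = new DocumentService();
        svc.save(new Document(1, 10, 100, "alice's notes"));   // constructed sample data
        svc.save(new Document(2, 20, 100, "bob's notes"));
        svc.save(new Document(3, 30, 200, "carol's notes"));
        User alice = new User(10, 100, false);                 // read-only member of department 100
        System.out.println("own item visible: " + svc.find(alice, 1).isPresent());
        System.out.println("other department item visible: " + svc.find(alice, 3).isPresent());
        System.out.println("items listed: " + svc.list(alice).size());
        try { svc.update(alice, 2, "edited"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The same `canRead` check guards both the single lookup and the list, which is the point of Geoff's warning about list responses; `find` hides what the user may not read, while `update` only refuses what the user can already see.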
Re: object based security (owner)
Boris, you're not missing anything. 10% of what Ken posts to the tapestry mailing list is related to tapestry... The other 90% is off topic :)
Re: object based security (owner)
I could be missing something, but isn't this a database question? How to model your tables and relationships between them?

I don't see this as being a tapestry related question, to be honest.

On Sat, Mar 15, 2014 at 10:41 AM, Jens Breitenstein wrote:
> Hi Ken!
>
> This sounds more like a "persistence" question, to be honest. How do you
> store / persist the user data?
>
>
> Jens
>
>
> On 15.03.14 06:44, Ken in Nashua wrote:
>
>> Hi Folks,
>>
>> I want to create a web site data model whereby... whatever a user
>> creates... they own.
>>
>> And when they come back to the website to operate again... they will see
>> only what they own.
>>
>> It's not as much page based security as it is object based security...
>> as in model object.
>>
>> Are there annotations available or mechanisms within tapestry-security to
>> perform this in one hit so I can just put it at the top of my class (an
>> annotation) or page and operate only on what the owner created?
>>
>> Thanks

--
Sincerely
*Boris Horvat*
Re: object based security (owner)
Hi Ken!

This sounds more like a "persistence" question, to be honest. How do you store / persist the user data?

Jens

On 15.03.14 06:44, Ken in Nashua wrote:
> Hi Folks,
>
> I want to create a web site data model whereby... whatever a user
> creates... they own.
>
> And when they come back to the website to operate again... they will see
> only what they own.
>
> It's not as much page based security as it is object based security...
> as in model object.
>
> Are there annotations available or mechanisms within tapestry-security to
> perform this in one hit so I can just put it at the top of my class (an
> annotation) or page and operate only on what the owner created?
>
> Thanks
object based security (owner)
Hi Folks,

I want to create a web site data model whereby... whatever a user creates... they own.

And when they come back to the website to operate again... they will see only what they own.

It's not as much page based security as it is object based security... as in model object.

Are there annotations available or mechanisms within tapestry-security to perform this in one hit so I can just put it at the top of my class (an annotation) or page and operate only on what the owner created?

Thanks