One approach would be to use a proprietary programmatic security system. You would have to check for a (user,company,role) combination for requests that have security requirements. This may in fact be the best way to handle your requirements, given that the same HTTP requests (/editCompany.do) will likely be used for many operations across different companies.
You could "flatten" the company/role space into a single list of roles that follow some convention. For instance, the "admin" role for the company with id=1234 could be mapped to the single role named "c1234.admin" or something like that. Then you could check to see if the current user has that role when deciding if they should be able to perform some admin action for company #1234. This approach can be used in conjunction with the programmatic system I described in the first paragraph. An advantage is that you can use the standard isUserInRole() call to check for access, but you will still need some proprietary way to create the role name to check for. You could always have a utility class with some methods like this:

    import javax.servlet.http.HttpServletRequest;

    // Checks whether the current user holds the given role at the given company
    // by building the flattened role name and asking the container about it.
    boolean isUserInRoleForCompany(HttpServletRequest request, String rolename, Company company) {
        String role = generateCompanyRoleName(company, rolename);
        return request.isUserInRole(role);
    }

    // Builds the flattened role name, e.g. "c1234.admin" for role "admin" at company 1234.
    String generateCompanyRoleName(Company company, String rolename) {
        return "c" + Integer.toString(company.getId()) + "." + rolename;
    }

One potential downside to this flattening, however, is that you may end up with a huge number of roles. While this, in itself, may not be a big deal, some containers and realms do things like load every role a user has into memory as part of their Principal object. If a given user only has a handful of roles at a handful of companies, this may still not be a big issue. But it is something to watch out for as you decide on a solution.

If the large number of roles is a problem, you would have to write your own methods to do the checking. This isn't so bad from the Action programmer's standpoint, as they would be calling an application-specific method to determine access anyway (like my isUserInRoleForCompany() example above). The downside is that you would have to do the db lookup yourself (as the implementor of these methods), rather than being able to rely on the isUserInRole() method and your realm implementation to do the lookup for you.
People have asked about this kind of thing for SecurityFilter before. Perhaps there is some opportunity to offer some kind of support, but you'd still have to plug in a piece of code to dig the company id (or equivalent information) out of the request. SecurityFilter might allow you to map URLs to some implementation class that would generate a role name that it would check for, or perhaps, more flexibly, allow the class to decide if access should be granted or not directly.

This is an interesting area to explore, but there are no plans for this support now, so it would be a while before this kind of thing makes it into SecurityFilter. I do like that it separates security from the implementation of the request handling code (Action, JSP, etc.), but it is unclear whether it would be worth the added complexity to me at this point. Your requirements do make this option attractive, though, and I know others have to do similar things. Any feedback in this area is welcome (perhaps on the SecurityFilter forum so we don't waste struts-user bandwidth: http://sourceforge.net/forum/forum.php?forum_id=200424).

-Max
SecurityFilter Dude

----- Original Message -----
From: "Viral_Thakkar" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Monday, August 04, 2003 9:22 PM
Subject: RE: Best place to hook the Security Call

I have an authorization requirement as below.

1. A user can have a role for a specific company.
2. A user can have many roles for a specific company.
3. A user can have different roles specific to different companies. It means a user can have a few roles for a Company (let's say ABC Inc.) and can have a few roles (same or different) for some other Company (let's say XYZ Inc.)

User access level changes for each request depending on the role and the company (the company which exists at that point). Please help in suggesting the authorization framework I can use for such a requirement. Can the SecurityFilter component help me in implementing this requirement?
If yes, how..?? Thanks..

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
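The two options Max describes in his reply, worked through as an added, self-contained Java example (this is not code from the original thread, from Struts or from SecurityFilter): the flattened "c<id>.<role>" convention checked through the container's isUserInRole(), and the application-owned (user, company, role) lookup for the case where the flattened role list would be too large for the realm. The Company class, the CompanyRoleService class and the Predicate standing in for request::isUserInRole are assumptions of this example so that it runs without a servlet container; in a real Action you would pass the HttpServletRequest's isUserInRole method reference instead.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

// Added example, not code from the original thread, Struts or SecurityFilter.
// Demonstrates the two options discussed: flattened container roles checked via
// isUserInRole(), and an application-owned (user, company, role) lookup.
public class CompanyRoles {

    /** Minimal stand-in for the application's Company entity (assumed). */
    public static final class Company {
        private final int id;
        public Company(int id) { this.id = id; }
        public int getId() { return id; }
    }

    /** Convention from the post: "c" + company id + "." + role name. */
    public static String generateCompanyRoleName(Company company, String rolename) {
        // '.' separates company from role; reject names that would blur that boundary.
        if (rolename == null || rolename.isEmpty() || rolename.indexOf('.') >= 0) {
            throw new IllegalArgumentException("invalid role name: " + rolename);
        }
        return "c" + Integer.toString(company.getId()) + "." + rolename;
    }

    /**
     * Option 1: let the container/realm answer. In a Struts Action pass
     * request::isUserInRole; the Predicate stands in for that call so this
     * example runs without a servlet container (assumption).
     */
    public static boolean isUserInRoleForCompany(Predicate<String> isUserInRole,
                                                 String rolename, Company company) {
        return isUserInRole.test(generateCompanyRoleName(company, rolename));
    }

    /**
     * Option 2: application-owned lookup keyed by user and company id. The
     * in-memory map stands in for the database query the application would
     * run itself when the flattened role list is too large for the realm.
     */
    public static final class CompanyRoleService {
        private final Map<String, Map<Integer, Set<String>>> grants = new HashMap<>();

        public void grant(String user, Company company, String rolename) {
            grants.computeIfAbsent(user, u -> new HashMap<>())
                  .computeIfAbsent(company.getId(), c -> new HashSet<>())
                  .add(rolename);
        }

        public boolean hasRole(String user, Company company, String rolename) {
            return grants.getOrDefault(user, Collections.emptyMap())
                         .getOrDefault(company.getId(), Collections.emptySet())
                         .contains(rolename);
        }
    }

    public static void main(String[] args) {
        Company abc = new Company(1234);
        Company xyz = new Company(5678);

        // Constructed sample: flattened roles the realm has loaded for the current user.
        Set<String> containerRoles = new HashSet<>();
        containerRoles.add("c1234.admin");
        containerRoles.add("c5678.viewer");
        Predicate<String> isUserInRole = containerRoles::contains;

        System.out.println("admin@ABC:  " + isUserInRoleForCompany(isUserInRole, "admin", abc));
        System.out.println("admin@XYZ:  " + isUserInRoleForCompany(isUserInRole, "admin", xyz));
        System.out.println("viewer@XYZ: " + isUserInRoleForCompany(isUserInRole, "viewer", xyz));

        // The same grants expressed through the application-owned service.
        CompanyRoleService svc = new CompanyRoleService();
        svc.grant("viral", abc, "admin");
        svc.grant("viral", xyz, "viewer");
        System.out.println("svc admin@ABC: " + svc.hasRole("viral", abc, "admin"));
        System.out.println("svc admin@XYZ: " + svc.hasRole("viral", xyz, "admin"));
    }
}
```

Compile and run with javac CompanyRoles.java && java CompanyRoles. The check in generateCompanyRoleName() is there because the '.' is what keeps "c1234.admin" unambiguous: if role names could contain the delimiter, two different (company, role) pairs could flatten to the same container role, and the realm would grant access that was never intended. Whichever option you use, the company id that the check is built from is the one the Action resolved for the request, so the decision is always "does this user hold this role at this company", not merely "does this user hold this role somewhere".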