On the first cut this looks like authentication/authorization for the Spring framework. Do I need to get Struts to co-exist with Spring for this to work? And how much of an effort would that be? But yes, this looks like quite a powerful and neat concept. Thanks for referring it.

Regards,
Raghu
On 11/20/05, Laurie Harper <[EMAIL PROTECTED]> wrote:
>
> Take a look at the Acegi Security project. It provides *extremely*
> powerful declarative security capabilities, up to and including filtering
> database query results to exclude things the current user shouldn't be
> able to see. It might be exactly what you're looking for.
>
> L.
>
> Raghu Kanchustambham wrote:
> > Hi,
> > I could successfully place my authentication scheme in place using the
> > article at
> > http://www.jroller.com/comments/tomdz?anchor=using_jaas_with_struts_a
> > I also could place "resource" level authorization in place. However the
> > definition of resource is the "traditional" action mapping. However I have a
> > requirement which goes beyond that. I have centre-based roles. Let us say
> > my application could be used by administrators at three centres. The trick
> > is that all of them can view the set of "resources"... but in a particular
> > JSP they are authorized to use only certain values for some of the fields.
> > For example, a Hyderabad administrator can view reports pertaining to
> > Hyderabad only and should not be allowed to see reports of Bangalore centre.
> > Which, let us say, in UI terms would translate to a dropdown of cities... for
> > the Bangalore administrator, he probably can see the dropdown populated
> > with Bangalore... the Hyderabad admin sees it populated only with Hyderabad,
> > and a HeadOffice admin sees all the cities in the cities dropdown.
> > What is the best way to achieve this?
> > One approach is to create a separate role for each centre user. For
> > example... have a role called Bangalore_Admin and Hyderabad_Admin etc. But
> > the obvious drawback is that this approach won't scale well with the increase in
> > the number of centres.
> > The other approach I was thinking of is writing code myself. Introduce a
> > column for centre in the user table. From the
> > request.getUserPrincipal().getName()
> > function I determine the user... hit the database to determine the centre and
> > then filter the cities based on the city and the role.
> > I don't like this approach because I have lost the advantages of a
> > declarative style of defining security permissions. Also, now my
> > authorization code would be mixed all over and it would be difficult to change
> > the authorization policies at a later date.
> > The third approach is similar to the second one. Instead of defining a
> > centre at the user level, I could do it at the user_role mapping level.
> > User1 is the administrator of Hyderabad centre. He could be a regular user
> > for another centre (say Bangalore). Slightly better than the second approach but
> > suffers from similar problems.
> > Is there a way that my getUserPrincipal() can be made to give me this extra
> > piece of information about the centre? That would make my code look a lot
> > cleaner. I don't have to hit back the database just to find the centre.
> > Please comment.
> > Thanks much.
> > Regards,
> > Raghu
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
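As an added illustration of the "third approach" discussed in the quoted question (centre recorded at the user-role mapping level, exposed through the principal so no extra database hit is needed), here is a sketch in plain Java. It is not code from the thread, from Struts, or from Acegi; `CentrePrincipal`, `hasRoleAt`, `visibleCentres` and the `ALL_CENTRES` marker are assumed names, and the cities are constructed sample data.

```java
import java.security.Principal;
import java.util.*;
import java.util.stream.Collectors;

// Assumed design: a JAAS LoginModule loads the user's centre-scoped roles once at
// login and adds this Principal to the Subject, so a Struts action can do
// (CentrePrincipal) request.getUserPrincipal() instead of re-querying the database.
public final class CentrePrincipal implements Principal {
    // Hypothetical marker: a role granted with this "centre" applies to every centre
    // (the HeadOffice admin case from the question).
    public static final String ALL_CENTRES = "*";

    private final String name;
    private final Map<String, Set<String>> rolesByCentre; // centre -> roles held there

    public CentrePrincipal(String name, Map<String, Set<String>> rolesByCentre) {
        this.name = name;
        this.rolesByCentre = Collections.unmodifiableMap(new HashMap<>(rolesByCentre));
    }

    @Override public String getName() { return name; }

    /** True if the user holds 'role' at 'centre', or holds it with all-centre scope. */
    public boolean hasRoleAt(String role, String centre) {
        return rolesByCentre.getOrDefault(ALL_CENTRES, Set.of()).contains(role)
            || rolesByCentre.getOrDefault(centre, Set.of()).contains(role);
    }

    /** Narrows the full list of centres to those where the user holds 'role'
     *  (used to populate the cities drop-down). */
    public List<String> visibleCentres(Collection<String> allCentres, String role) {
        return allCentres.stream().filter(c -> hasRoleAt(role, c)).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data, not from the thread.
        List<String> cities = List.of("Hyderabad", "Bangalore", "Chennai");
        CentrePrincipal user1 = new CentrePrincipal("user1",
            Map.of("Hyderabad", Set.of("ADMIN"), "Bangalore", Set.of("USER")));
        CentrePrincipal headOffice = new CentrePrincipal("hoadmin",
            Map.of(ALL_CENTRES, Set.of("ADMIN")));

        System.out.println(user1.visibleCentres(cities, "ADMIN"));      // Hyderabad only
        System.out.println(user1.visibleCentres(cities, "USER"));       // Bangalore only
        System.out.println(headOffice.visibleCentres(cities, "ADMIN")); // every city
    }
}
```

Populating the drop-down is only a UI convenience: the same `hasRoleAt` check has to run on the centre value actually submitted with the form, otherwise a client can post a centre it was never shown.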