Tynamo tapestry-security Instance-Level Access Control?

Thu, 11 Oct 2012 06:39:42 -0700 

Hi,

I need to implement instance-level access control in my application using
tapestry-security.

I already asked similar question here [1].

There Taha suggested to use AuthorityVoter, but that wasn't Tynamo's
tapestry-security.

I looked at Entity-Relationship Based Access Control [2].

This is not exactly what I need, because I don't even have DAO layer
involved here.

Here's what I have. I have business method in one of my services:

    @RequiresPermissions("task:submit")

    void submitTask(Task newTask);

I read about ILAC on Shiro's web site [2].

This looks similar, but in my domain not every user may submit every task
for execution.
I have custom logic that should inspect instance of the newTask and decide
whether current user has permissions to submit the task for execution or
not.

In Shiro's documentation [3] there's a note that tells that a developer may
write its own implementation of AuthorizingRealm.isPermitted(*) to check
permissions against custom domain model. I'm not sure about this in my
case, though, because this note is given in 'Performance Considerations'
section.

One more thing that stops me from overriding AuthorizingRealm.isPermitted(*) is
I don't have access to invocation context, i.e. I can't get instance of the
newTask from example above:

        AuthorizingRealm realm = new AuthorizingRealm()

        {

            @Override

            public boolean isPermitted(PrincipalCollection principals,
Permission permission) {

                //  XXX ... can't access to newTask instance

            }


I was thinking about fixing Tynamo's SecurityInterceptor advise, by putting
MethodInvocation into Tapestry Environment service instance and getting
this MethodInvocation from there in realm.

Am I in the right direction? Any suggestions?



[1]
http://tapestry.1045711.n5.nabble.com/ANN-A-Tapestry5-Based-Security-Module-tp3322452p3338137.html
[2] http://tynamo.org/tapestry-security-jpa+guide
[3]
http://shiro.apache.org/permissions.html#Permissions-InstanceLevelAccessControl
[4]
http://shiro.apache.org/permissions.html#Permissions-PerformanceConsiderations

-- 
Dmitry Gusev

AnjLab Team
http://anjlab.com

Reply via email to