Re: Access Control [was: Digging up a Session object from an EOGenericRecord]
Re: Access Control [was: Digging up a Session object from an EOGenericRecord]
- Subject: Re: Access Control [was: Digging up a Session object from an EOGenericRecord]
- From: Kieran Kelleher <email@hidden>
- Date: Mon, 9 Mar 2009 16:45:20 -0400
Thanks for discussing Chuck.
I am just wondering what others do and looking for ideas and/or
standardization for current and future projects. Meanwhile I found
this useful NIST standards info on various forms of RBAC ....
http://csrc.nist.gov/groups/SNS/rbac/
Cheers, Kieran
On Mar 9, 2009, at 3:22 PM, Chuck Hill wrote:
On Mar 7, 2009, at 3:58 PM, Kieran Kelleher wrote:
I have been using Role Based access control mixed with Privileges
(on/off canViewThis, canEditThat, etc.), but I always get the
feeling there is better ways to do this security stuff .......
anyone care to share their user security strategies in terms of
access to pages, parts of pages and objects in WebObjects apps?
Roles and Privileges are good. I add a SecurityAgent object to
hold all of this for a user and to the arbiter of access requests.
The SecurityAgent gets set in the session when the user is
authenticated. I also use permission names like ViewThis so that I
can form these into bindings like @session.userCanViewThis. This
gets passed to the SecurityAgent via KVC (actually, I use
@userCanViewThis and get the page to pass it off to session). I
also extend this with an optional EO so that after the SecurityAgent
has verified the user has the Privilege, it can then delegate the
final decision to the EO. This is useful where there are groups of
users and you might have ViewThis but only on objects in your group.
Is that the sort of thing you were looking for?
Chuck
On Mar 7, 2009, at 12:48 PM, Mike Schrag wrote:
well, wherever ... awake possibly, or whenever your auth code runs
to check for ACL's at the top of each request.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
Chuck Hill Senior Consultant / VP Development
Practical WebObjects - for developers who want to increase their
overall knowledge of WebObjects or who are trying to solve specific
problems.
http://www.global-village.net/products/practical_webobjects
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden