incubator-photark-dev mailing list archives

From Luciano Resende <luckbr1...@gmail.com>
Subject Re: Photark Authorization using Role Based Access Control
Date Fri, 25 Jun 2010 05:32:18 GMT
On Thu, Jun 24, 2010 at 9:45 PM, Suhothayan Sriskandarajah
<suhothayan@gmail.com> wrote:
> On 25 June 2010 09:45, Avdhesh Yadav <avd@avdheshyadav.com> wrote:
>> Roles and permissions can be stored in the JCR repository and configured
>> from the Admin UI. From the Admin UI we can define/delete/edit permissions,
>> roles, and assign permissions to roles.
>>
>>

Java EE has the notion of roles; does it make sense to look into using
that instead of a home-grown solution?

>
> Super admin Role, Registered user Role, Unregistered user Role,
> Blocked user Role
> are hard-coded.

See comments above.

> Super admin Role will have all possible rights,
> especially the right to configure the permissions of other roles
> (Registered user Role, Unregistered user Role, Blocked user Role and
> group-roles).
>
> The group-roles can be configured only by the super admin and registered user.
>
> I'm thinking of adding a div to the upload.html page. When the "manage
> roles" button is pressed, the present adminGallery div will be hidden
> and the new div will appear for handling roles.
>
> When we use JSON-RPC there is no way for the back end to identify who
> is sending the request, as it can't access the session.
> So I thought of implementing a token system, where a token will be
> given to the front end at page load using an HTTP call. Then
> the front end will send the token with all the JSON requests, so the
> back end can process the request according to the session (the user
> and his permissions).
>

What I had done in the past was to configure specific operations (in
our case probably the whole service) with SCA policy, saying it
requires a specific role, and the Tuscany runtime was handling the
authorization, delegating to the Java EE server to provide a
list of roles for the given user.

    <component name="Catalog">
        <implementation.java class="services.FruitsCatalogImpl">
            <operation name="get" policySets="allowManager" />
        </implementation.java>
        <property name="currencyCode">USD</property>
        <service name="Catalog">
            <operation name="get" requires="authentication"/>
            <tuscany:binding.jsonrpc/>
        </service>
        <reference name="currencyConverter" target="CurrencyConverter" />
    </component>

Anyway, the policy thing is really just food for thought, as it would
require LDAP integration or some kind of user repository integration
and would limit the type of servers we could run PhotArk on.

[1] https://svn.apache.org/repos/asf/tuscany/sandbox/lresende/sca-1.x/samples/store-secure-webapp/
[2] https://svn.apache.org/repos/asf/tuscany/sandbox/lresende/sca-1.x/samples/store-secure-webapp/src/main/resources/store.composite

-- 
Luciano Resende
http://people.apache.org/~lresende
http://twitter.com/lresende1975
http://lresende.blogspot.com/
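As an added illustration, not part of this message, of Suhothayan's
proposal, or of PhotArk's own code: the per-request token scheme quoted
above, combined with a per-operation role table in the spirit of the
per-operation policySets in the composite. The back end never trusts
anything about the caller that arrives in the request body except the
opaque token, which it resolves to a server-side session (user plus
roles) before running the role check. Everything here is assumed for
the sake of the example: the operation names, the initial permission
table, the top-level "token" envelope field, and the 403/400 error
codes; only the four hard-coded roles come from the thread.

```python
import json
import secrets

# Roles the thread treats as hard-coded; group-roles would be added at run time.
SUPER_ADMIN, REGISTERED, UNREGISTERED, BLOCKED = (
    "super_admin", "registered", "unregistered", "blocked")

# Operation -> roles allowed to call it.  Operation names are hypothetical;
# this table plays the part the per-operation policySets play in SCA.
DEFAULT_PERMISSIONS = {
    "gallery.list": {SUPER_ADMIN, REGISTERED, UNREGISTERED},
    "gallery.upload": {SUPER_ADMIN, REGISTERED},
    "roles.setPermission": {SUPER_ADMIN},
}


class SessionStore:
    """Server-side table from an opaque token to the caller's user and roles.
    The browser only holds the token (256 bits from the OS CSPRNG), so there
    is nothing in it a client could decode or tamper with."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user, roles):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "roles": frozenset(roles)}
        return token

    def lookup(self, token):
        return self._sessions.get(token)


class Backend:
    """JSON-RPC style dispatcher: each request carries the token in a
    top-level "token" field (an assumption); the role check runs first."""

    def __init__(self, store, permissions=None):
        self.store = store
        self.permissions = {op: set(r) for op, r in
                            (permissions or DEFAULT_PERMISSIONS).items()}
        self.photos = []
        self._methods = {
            "gallery.list": lambda session, params: list(self.photos),
            "gallery.upload": self._upload,
            "roles.setPermission": self._set_permission,
        }

    def _upload(self, session, params):
        self.photos.append({"name": params[0], "owner": session["user"]})
        return len(self.photos)

    def _set_permission(self, session, params):
        op, roles = params[0], set(params[1])
        if op not in self._methods:
            raise ValueError("unknown operation %s" % op)
        self.permissions[op] = roles
        return sorted(roles)

    def _resolve(self, token):
        # No token is the anonymous (unregistered) case; a token that does
        # not resolve is rejected rather than silently downgraded.
        if token is None:
            return {"user": None, "roles": frozenset({UNREGISTERED})}
        session = self.store.lookup(token)
        if session is None:
            raise PermissionError("invalid or expired token")
        return session

    def handle(self, raw):
        req = json.loads(raw)
        rid = req.get("id")
        try:
            method, params = req["method"], req.get("params", [])
            session = self._resolve(req.get("token"))
            if BLOCKED in session["roles"]:
                raise PermissionError("account blocked")
            fn = self._methods.get(method)
            if fn is None:
                raise ValueError("unknown method %s" % method)
            if not (session["roles"] & self.permissions.get(method, set())):
                raise PermissionError("no role permits %s" % method)
            return {"id": rid, "result": fn(session, params), "error": None}
        except PermissionError as e:  # error codes are this example's choice
            return {"id": rid, "result": None,
                    "error": {"code": 403, "message": str(e)}}
        except (KeyError, IndexError, TypeError, ValueError) as e:
            return {"id": rid, "result": None,
                    "error": {"code": 400, "message": str(e)}}


def demo():
    """Constructed requests exercising each role; returns the responses."""
    store = SessionStore()
    be = Backend(store)
    admin, bob = store.issue("alice", [SUPER_ADMIN]), store.issue("bob", [REGISTERED])
    eve = store.issue("eve", [BLOCKED])

    def call(rid, method, params, token=None):
        req = {"id": rid, "method": method, "params": params}
        if token is not None:
            req["token"] = token
        return be.handle(json.dumps(req))

    out = {"anon_list": call(1, "gallery.list", []),
           "anon_upload": call(2, "gallery.upload", ["a.jpg"]),
           "bob_upload": call(3, "gallery.upload", ["a.jpg"], bob),
           "bob_manage": call(4, "roles.setPermission",
                              ["gallery.upload", [UNREGISTERED]], bob),
           "blocked_list": call(5, "gallery.list", [], eve),
           "forged": call(6, "gallery.list", [], "not-a-token")}
    # Only the super admin may reconfigure permissions; afterwards the new
    # table is enforced immediately for the anonymous caller.
    out["admin_manage"] = call(7, "roles.setPermission",
                               ["gallery.upload", [UNREGISTERED]], admin)
    out["anon_upload_after"] = call(8, "gallery.upload", ["b.jpg"])
    return out
```

Two points worth noting about the design. Because the token is only
obtainable through the same-origin HTTP call at page load, requiring it
in every JSON-RPC body also gives the same protection a synchronizer
CSRF token gives: a cross-site page can make the browser send a request
but cannot read the token to put in it. And the session store above
never expires or revokes anything; a real deployment needs both, and
must carry the token over HTTPS and never in a URL.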
