Role-based security [message #522684] Tue, 23 March 2010 15:29
Craig Foote
I've been tasked with implementing a role-based security system for our RCP application. I've done some research but have found very little so I'm wondering what the developers here are using.

So far I've got the notion of org.eclipse.ui.activities extensions identifying UI contributions and hiding them unless the activities get enabled. To determine if an activity should be enabled I'm thinking of publishing an OSGi service implementing org.osgi.service.useradmin.UserAdmin backed by an LDAP system. When a plugin starts, it could get the service and ask if the logged-in user has a given role and, if so, enable its associated activity.

A couple questions:
1. Why can I not find any consumers of UserAdmin in the wild? What are others using?

2. What if another rogue bundle registers itself as a service under the UserAdmin interface? When the consuming plugin requests the service, presumably using a ServiceTracker, how can I guarantee it gets my implementation and not the sneaky rogue one? I've done some Declarative Service work and seen some talk of injecting a service. Could that be a solution? How exactly is that done anyway?

Any and all comments greatly appreciated.

Craig Foote :?
Re: Role-based security [message #523176 is a reply to message #522684] Thu, 25 March 2010 12:42
Eclipse User
Originally posted by: kai.edinger.drexler-software.de

On 23.03.2010 16:29, Craig Foote wrote:
> I've been tasked with implementing a role-based security system for our
> RCP application. I've done some research but have found very little so
> I'm wondering what the developers here are using.
>
> So far I've got the notion of org.eclipse.ui.activities extensions
> identifying UI contributions and hiding them unless the activities get
> enabled. To determine if an activity should be enabled I'm thinking of
> publishing an OSGi service implementing
> org.osgi.service.useradmin.UserAdmin backed by an LDAP system. When a
> plugin starts, it could get the service and ask if the logged-in user
> has a given role and, if so, enable its associated activity.
>
> A couple questions:
> 1. Why can I not find any consumers of UserAdmin in the wild? What are
> others using?
That is a good question.

> 2. What if another rogue bundle registers itself as a service under the
> UserAdmin interface? When the consuming plugin requests the service,
> presumably using a ServiceTracker, how can I guarantee it gets my
> implementation and not the sneaky rogue one?
This can be done by using a ServiceTrackerCustomizer. Within the
Customizer you can reject services.

> I've done some Declarative
> Service work and seen some talk of injecting a service. Could that be a
> solution? How exactly is that done anyway?
This is one solution. Your Service can reference the User Admin Service.
Another way can be security and the Conditional Permission Admin.

> Craig Foote :?

Kai
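
An added example (not code from either poster) of the ServiceTrackerCustomizer approach mentioned in the reply above: the tracker ignores any UserAdmin registration that does not come from the expected bundle with a trusted signer. The bundle symbolic name and signer DN are hypothetical, and the code assumes the generics-based OSGi core API (R4.3 or later) and signed bundles.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.useradmin.UserAdmin;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;

/** Tracks UserAdmin services but accepts only the one from the expected, trusted-signed bundle. */
public class TrustedUserAdminCustomizer implements ServiceTrackerCustomizer<UserAdmin, UserAdmin> {
    // Hypothetical values: substitute your own provider bundle and signing identity.
    private static final String EXPECTED_BUNDLE = "com.example.security.useradmin";
    private static final X500Principal EXPECTED_SIGNER =
            new X500Principal("CN=Example Corp Code Signing,O=Example Corp,C=US");

    private final BundleContext context;

    public TrustedUserAdminCustomizer(BundleContext context) { this.context = context; }

    @Override
    public UserAdmin addingService(ServiceReference<UserAdmin> ref) {
        Bundle provider = ref.getBundle();
        // Returning null tells the tracker not to track (i.e. to reject) this service.
        if (provider == null || !EXPECTED_BUNDLE.equals(provider.getSymbolicName())) return null;
        if (!signedByExpectedSigner(provider)) return null;
        return context.getService(ref);
    }

    private static boolean signedByExpectedSigner(Bundle bundle) {
        // SIGNERS_TRUSTED returns only signers the framework's trust store accepts.
        Map<X509Certificate, List<X509Certificate>> signers =
                bundle.getSignerCertificates(Bundle.SIGNERS_TRUSTED);
        for (X509Certificate cert : signers.keySet()) {
            if (EXPECTED_SIGNER.equals(cert.getSubjectX500Principal())) return true;
        }
        return false; // unsigned bundles yield an empty map and are rejected
    }

    @Override public void modifiedService(ServiceReference<UserAdmin> ref, UserAdmin service) { }
    @Override public void removedService(ServiceReference<UserAdmin> ref, UserAdmin service) { context.ungetService(ref); }

    public static ServiceTracker<UserAdmin, UserAdmin> open(BundleContext context) {
        ServiceTracker<UserAdmin, UserAdmin> tracker =
                new ServiceTracker<>(context, UserAdmin.class, new TrustedUserAdminCustomizer(context));
        tracker.open();
        return tracker;
    }
}
```

The symbolic-name check alone only filters by a self-declared name; the signer check is what ties the service to a bundle you actually built.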
Re: Role-based security [message #523197 is a reply to message #522684] Thu, 25 March 2010 13:28
Eclipse User
Originally posted by: kai.edinger.drexler-software.de

On 23.03.2010 16:29, Craig Foote wrote:
> I've been tasked with implementing a role-based security system for our
> RCP application. I've done some research but have found very little so
> I'm wondering what the developers here are using.
>
> So far I've got the notion of org.eclipse.ui.activities extensions
> identifying UI contributions and hiding them unless the activities get
> enabled. To determine if an activity should be enabled I'm thinking of
> publishing an OSGi service implementing
> org.osgi.service.useradmin.UserAdmin backed by an LDAP system. When a
> plugin starts, it could get the service and ask if the logged-in user
> has a given role and, if so, enable its associated activity.
We have chosen another way. We don't use OSGi at this point. We use an
Eclipse plugin that enables or disables the activities. This plugin has its
own extension point that associates an activity with a role.

Kai
Re: Role-based security [message #523333 is a reply to message #523197] Thu, 25 March 2010 22:49
Craig Foote
I'll look into the Customizer, thanks for the tip!

Am I correct in thinking the plugin that declares the extension point has early startup and parses extensions to its e.p. to enable activities (based on user creds)?

Can you provide a little more info on the "Conditional Permission Admin" or is that the extension mechanism you speak of? Is it custom or eclipse API?

Craig
Re: Role-based security [message #523388 is a reply to message #523333] Fri, 26 March 2010 09:34
Eclipse User
Originally posted by: kai.edinger.drexler-software.de

On 25.03.2010 23:49, Craig Foote wrote:
> I'll look into the Customizer, thanks for the tip!
> Am I correct in thinking the plugin that declares the extension point
> has early startup and parses extensions to its e.p. to enable activities
> (based on user creds)?
No, I think the early startup is the wrong place, because you can be sure
the Workbench already exists. We do this in the
WorkbenchWindowAdvisor.postWindowOpen().


> Can you provide a little more info on the "Conditional Permission Admin"
> or is that the extension mechanism you speak of? Is it custom or eclipse
> API?
The "Conditional Permission Admin" is part of the OSGi R4 specification
(Compendium). It is based on Java security and provides a mechanism to change
rights at runtime based on some conditions like the principal logged in.

By default, Java security is very static, because it is file based
(java.policy, java.login). The Conditional Permission Admin removes this
limitation.

But be aware, this is only useful in order to ensure high security on
who executes which code. If you only want to have a role-based UI for
a desktop application, I think activities are the best way to do this.

Kai
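
An added sketch (not the posters' code) of the approach described in this thread: a custom extension point maps activities to roles, and the mapping is applied in `WorkbenchWindowAdvisor.postWindowOpen()`. The extension point id and its `activityId`/`role` attributes are hypothetical, and the `Authorization` is assumed to come from `UserAdmin.getAuthorization(user)` after login.

```java
import java.util.HashSet;
import java.util.Set;

import org.eclipse.core.runtime.IConfigurationElement;
import org.eclipse.core.runtime.Platform;
import org.eclipse.ui.PlatformUI;
import org.eclipse.ui.activities.IWorkbenchActivitySupport;
import org.eclipse.ui.application.IWorkbenchWindowConfigurer;
import org.eclipse.ui.application.WorkbenchWindowAdvisor;
import org.osgi.service.useradmin.Authorization;

public class RoleAwareWindowAdvisor extends WorkbenchWindowAdvisor {
    // Hypothetical extension point with elements: <mapping activityId="..." role="..."/>
    private static final String MAPPING_EP = "com.example.security.activityRoles";

    private final Authorization authorization; // roles of the logged-in user

    public RoleAwareWindowAdvisor(IWorkbenchWindowConfigurer configurer, Authorization authorization) {
        super(configurer);
        this.authorization = authorization;
    }

    @Override
    public void postWindowOpen() {
        IWorkbenchActivitySupport support = PlatformUI.getWorkbench().getActivitySupport();
        Set<String> roleControlled = new HashSet<>();
        Set<String> enabled = new HashSet<>();

        for (IConfigurationElement e : Platform.getExtensionRegistry().getConfigurationElementsFor(MAPPING_EP)) {
            String activityId = e.getAttribute("activityId");
            String role = e.getAttribute("role");
            if (activityId == null) continue;
            roleControlled.add(activityId);          // default deny once an activity is mapped
            if (role != null && authorization.hasRole(role)) {
                enabled.add(activityId);             // any one matching role enables the activity
            }
        }
        // Leave activities that no mapping mentions in their current state.
        for (Object id : support.getActivityManager().getEnabledActivityIds()) {
            if (!roleControlled.contains(id)) enabled.add((String) id);
        }
        support.setEnabledActivityIds(enabled);
    }
}
```

Activities only filter what the UI shows, so any operation that must be restricted still needs its own authorization check where it executes.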