Eclipse Community Forums
Authorization/Permissions: resource-level access [message #1058033] Fri, 10 May 2013 14:45
Andriy Fomenko
I'm looking through the Scout tutorials right now, so this is a newbie question which may already be answered (although searching this forum yielded no result), so please point me to the FAQ entry if one exists.

I like a lot the way Authentication/Authorization is transparently done, but it looks like I'm missing a critical piece for my application.

It is quite easy to define an entity and to provide access control within basic or hierarchy-based access permissions: this is great... but it pretty much requires permissions to be defined by the programmer at compilation time and then they are static.

What I need is a way to control access to certain resources which will be defined by the customer AFTER the application is deployed there.

To make it simple: let's say the customer's admin wants to register a few "sensors", which he will individually grant to roles and subsequently to users A and B. Each user has different access levels to each individual sensor; they even see a different set of sensors! The programmer knows nothing about these sensors: they are to be provided as some "customer object" entity type and allowed to be manipulated in the application, but the final permissions are to be assigned based on the configuration created by the application admin.

As for how it is done in other places, this is basically covered as "Instance Level" access (shiro.apache.org/java-authorization-guide.html) in the Apache Shiro security framework, and my scenario maps directly to "WildCard permissions / Instance-Level Access control" (shiro.apache.org/permissions.html) there.

I could of course work on tying Apache Shiro into my Scout pilot project, but it would likely disrupt the relevant "magic flow" in Scout, and I just cannot believe such a comprehensive framework as Scout would miss such a use case... so I'm automatically assuming that I am simply looking in the wrong place.

Can any of the [mighty] Gurus point me in the right direction, please?
Re: Authorization/Permissions: resource-level access [message #1058051 is a reply to message #1058033] Fri, 10 May 2013 16:01
Ivan Motsch
At this point Scout is completely JAAS compliant.

The interesting point for you is the AccessControlService that - at runtime - builds a Permissions permission collection for each user.

The permission collection is part of the Java security API. Take a look at AccessControlService.execLoadPermissions().
Here you are completely free how you build up the Permissions collection.
This is the point where you add "known" permission Java classes but also "derived" dynamic permissions. Just follow the Java standard way of how java.security.Permission works (the #implies concept) and you can easily create, for example, a DynamicPermission that is subclassed by BasicPermission or even has its own implies implementation based on some external data storage etc.

Does this help further?
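
The dynamic, instance-level permission described in this reply, as an added example that is not part of the original post and not Scout's own code. `SensorPermission`, its `Level` enum, the `*` wildcard and the grant-row format are assumptions made for illustration; the `Permissions` object returned by `loadPermissions` is the kind of collection `execLoadPermissions()` is said to build per user.

```java
import java.security.Permission;
import java.security.Permissions;
import java.util.Objects;

/** Instance-level permission: name = sensor id (or "*" for all), action = access level. */
public class SensorPermission extends Permission {
    /** Ordered levels: a grant implies its own level and every lower one. */
    public enum Level { READ, WRITE, ADMIN }
    private final Level level;

    public SensorPermission(String sensorId, Level level) {
        super(Objects.requireNonNull(sensorId));
        this.level = Objects.requireNonNull(level);
    }

    /** The #implies concept: does this grant cover the permission being checked? */
    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof SensorPermission)) return false;
        SensorPermission other = (SensorPermission) p;
        boolean sameSensor = "*".equals(getName()) || getName().equals(other.getName());
        return sameSensor && level.compareTo(other.level) >= 0;
    }

    @Override public String getActions() { return level.name(); }
    @Override public int hashCode() { return 31 * getName().hashCode() + level.ordinal(); }
    @Override public boolean equals(Object o) {
        if (!(o instanceof SensorPermission)) return false;
        SensorPermission other = (SensorPermission) o;
        return getName().equals(other.getName()) && level == other.level;
    }

    /** Builds one user's collection from {sensorId, level} rows (hypothetical admin-managed store). */
    static Permissions loadPermissions(String[][] grantRows) {
        Permissions perms = new Permissions();
        for (String[] row : grantRows) {
            perms.add(new SensorPermission(row[0], Level.valueOf(row[1])));
        }
        perms.setReadOnly(); // no grants can be added after loading
        return perms;
    }

    public static void main(String[] args) {
        // Constructed sample rows for one user; anything not granted is denied.
        Permissions userA = loadPermissions(new String[][] {{"sensor-17", "WRITE"}, {"sensor-42", "READ"}});
        System.out.println(userA.implies(new SensorPermission("sensor-17", Level.READ)));  // lower level than granted
        System.out.println(userA.implies(new SensorPermission("sensor-42", Level.WRITE))); // higher level than granted
        System.out.println(userA.implies(new SensorPermission("sensor-99", Level.READ)));  // sensor with no grant row
    }
}
```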
Re: Authorization/Permissions: resource-level access [message #1058065 is a reply to message #1058051] Fri, 10 May 2013 17:48
Andriy Fomenko
Thank you Ivan, it does help!

Just retelling: basically you are suggesting that a collection of permissions is created upon user login and will be cached, thus I can subclass base abstract permission classes to include my custom functionality, and I will inject context (attachment to particular entries in table / form data / etc.) at the "xyzProcessService" level?

If you don't mind, please clarify:

  1. Is there any common/implied utility to inject context like xyzFormData or similar, OR do I need to pass it as explicit parameters?
  2. Is there any implied request caching utility present, or is it custom?


Thank you,

Andrey F.