User management [message #335073]
Fri, 20 March 2009 09:22
Eclipse User
Originally posted by: k.wint.mas_software.de
Hi all,

I am looking for user management in Eclipse RCP. Meaning I want to
enable/disable certain functionality within the RCP application based on user
roles.

What I found so far are activities. They basically provide the mechanism
needed. However, I see a security issue since the activities are defined in
plugin.xml files which can be modified easily. So a "bad guy" could simply
change user roles/activities of the functionality he desires.

Besides that I haven't found another Eclipse way of doing user management.

Two questions for you:
1) What is the standard way to do user management within Eclipse?
2) Is there anything else out there?

Any hints and pointers are welcome!
Klaus

Re: User management [message #335078 is a reply to message #335073]
Fri, 20 March 2009 09:57
Eclipse User
Originally posted by: eclipse-news.rizzoweb.com
On 3/20/2009 9:22 AM, Klaus wrote:
> Hi all,
>
> I am looking for user management in Eclipse RCP. Meaning I want to
> enable/disable certain functionality within the RCP application based on user
> roles.
>
> What I found so far are activities. They basically provide the mechanism
> needed. However, I see a security issue since the activities are defined in
> plugin.xml files which can be modified easily. So a "bad guy" could simply
> change user roles/activities of the functionality he desires.

Dealing with role-based security and functionality is always a two-part
problem. The first part involves only presenting and enabling UI for
functionality that the user's role(s) permit. That is where activities
help you.
However, that is never enough; as you have pointed out, it is a poorly
secured application that relies on the UI to prevent a user from doing
something he is not authorized to do. There must be, in addition to the
UI convenience, a "back-end" authorization mechanism that blocks access
attempts by unauthorized users.
All this is to say that you're just running into the typical challenges
when building an application that requires authorization. In my
experience, there is not a lot of help out there in this area; the
pointer to OSGi Security is a good start, and you might also want to
look at Eclipse-JAAS (http://sourceforge.net/projects/eclipse-jaas).
Hope this helps,
Eric
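
The back-end half of the two-part approach described in the reply above, as an added example that is not part of the original thread or of Eclipse-JAAS. `RolePrincipal`, `UserAdminService` and `subjectWithRole` are hypothetical names, and the check is assumed to run in a back-end process the user cannot modify, with the `Subject` coming from a real JAAS login rather than from anything in plugin.xml.

```java
import java.security.Principal;
import javax.security.auth.Subject;

public class BackEndAuthorizationExample {
    /** Hypothetical role principal; a JAAS LoginModule would attach these after login. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Hypothetical back-end service: every operation re-checks the caller's roles. */
    static final class UserAdminService {
        String deleteUser(Subject caller, String userId) {
            requireRole(caller, "admin");
            return "deleted " + userId;
        }

        private static void requireRole(Subject caller, String role) {
            // Fail closed: a missing Subject or a missing role both deny access.
            if (caller == null
                    || !caller.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role))) {
                throw new SecurityException("role '" + role + "' required");
            }
        }
    }

    /** Builds a constructed sample Subject; real ones come from an authenticated LoginContext. */
    static Subject subjectWithRole(String role) {
        Subject s = new Subject();
        s.getPrincipals().add(new RolePrincipal(role));
        return s;
    }

    public static void main(String[] args) {
        UserAdminService service = new UserAdminService();
        System.out.println(service.deleteUser(subjectWithRole("admin"), "u42"));
        try {
            // A clerk whose UI exposes the admin command still holds only the clerk role.
            service.deleteUser(subjectWithRole("clerk"), "u42");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```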