ObjectFilter: AOP Rule Based Object Access


  1. ObjectFilter: AOP Rule Based Object Access (6 messages)

    Brian McCallister ported his object-access security system to aspects. He liked it so much he has released it to the public. ObjectFilter is designed to make sure that particular data doesn't slip through the net, and protected data gets filtered out.

    Example Code
    // JUnit 3 test cases shipped with ObjectFilter. Filter, Rules, Teacher and ClassRoom
    // belong to ObjectFilter and its test object model; the page does not show their
    // package, so no import is given for them. The wrapping class name is assumed.
    import junit.framework.TestCase;

    public class FilterTest extends TestCase
    {
        // A rule that always denies: the ClassRoom still holds mr_brown internally,
        // but the reference is filtered out, so getTeacher() returns null.
        public void testBlockReference()
        {
            Filter filter = Filter.instance();
            filter.setActor(new Object());            // the actor requesting access
            filter.addRules(Teacher.class, new Rules()
            {
                public boolean allow(Object actor, Object instance)
                {
                    return false;                     // deny every Teacher to every actor
                }
            });

            Teacher mr_brown = new Teacher("Mr. Brown");
            ClassRoom english = new ClassRoom(mr_brown);
            assertNull(english.getTeacher());
        }

        // A rule that always allows: the same reference passes through unchanged.
        public void testAllowReference()
        {
            Filter filter = Filter.instance();
            filter.setActor(new Object());
            filter.addRules(Teacher.class, new Rules()
            {
                public boolean allow(Object actor, Object instance)
                {
                    return true;                      // allow every Teacher to every actor
                }
            });

            Teacher mr_smith = new Teacher("Mr. Smith");
            ClassRoom english = new ClassRoom(mr_smith);
            assertEquals(mr_smith, english.getTeacher());
        }
    }

    ObjectFilter Test Object Model


  2. Am I missing the point...

    I am failing to see how this example uses AOP; I am also failing to see why one would want to use it. And finally, I fail to see how it filters "objects" as in "objects are things with a unique identity". It must base its filtering on something (rules) that usually works on attributes, position in a list, etc., but not on object identity.
  3. Am I missing the point...

    I am failing to see how this example uses AOP
    It seems pretty straight forward to me. The Collection filter and the Reference filter define a pointcut on returnedBy(), and invoke Filter.allow() on the returned objects. I think it safely qualifies as AOP. It seems a lot more powerful and simpler than the security framework supplied by J2EE.

    Also, I like the trend where people are describing their Aspects, like Brian's Security aspect and Jon's Undo Aspect (http://blogs.codehaus.org/people/tirsen/archives/000690_undo_in_aspectj.html), using test cases. It shows how expressive a well-written test case can be as opposed to piecing together a bunch of .aj and .java files.
  4. AOP

    How it uses AOP:
    Umh, go download the tarball and look at the implementation =)

    Why use it?
    http://bank.example.com/getAccountInfo?accountID=776234

    Sure the bank puts safeguards against this. It is disturbing how often these are circumvented. This is a safeguard that is particularly difficult to circumvent.

    Filtering Objects and Rules
    Umh, it allows the client code to access them or not access them based on the rules. The sample rules are pretty pointless. They are tests with only one output. Take a rules system which allows you to, say, populate bean properties into the working memory, use that to assert the values on the instance and actor. Run the rules, examine the memory for the pass/fail info. That might be one way to use it =)

    -Brian
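    The two points above, the pointcut on returned values (message 3) and the bank-account lookup that should not hand back someone else's account (message 4), combined into one added example. This is not code from the ObjectFilter tarball: Filter and Rules are minimal stand-ins that mirror only the API visible in the tests above, the one-argument Filter.allow(Object), the User, Account and AccountRepository classes and the ReferenceFilter aspect are my assumptions, and the account ids are made up. It needs the AspectJ compiler (ajc) and aspectjrt.jar on the classpath to run.

```java
// Added example, not ObjectFilter's own code. Filter/Rules mirror the API used in the
// tests on this page; Filter.allow(Object), User, Account, AccountRepository and the
// ReferenceFilter aspect are assumptions. Compile with ajc, run with aspectjrt.jar.
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

interface Rules {
    boolean allow(Object actor, Object instance);
}

class Filter {
    private static final Filter INSTANCE = new Filter();
    private Object actor;
    private final Map<Class<?>, Rules> rules = new HashMap<>();

    static Filter instance() { return INSTANCE; }
    void setActor(Object actor) { this.actor = actor; }
    void addRules(Class<?> type, Rules r) { rules.put(type, r); }

    // Consult the rule registered for the instance's class (or nearest superclass).
    // Types with no registered rule are unprotected and pass through.
    boolean allow(Object instance) {
        if (instance == null) return true;
        for (Class<?> c = instance.getClass(); c != null; c = c.getSuperclass()) {
            Rules r = rules.get(c);
            if (r != null) return r.allow(actor, instance);
        }
        return true;
    }
}

class User {
    final String name;
    User(String name) { this.name = name; }
    public String toString() { return name; }
}

class Account {
    final String id;
    final User owner;
    Account(String id, User owner) { this.id = id; this.owner = owner; }
    public User getOwner() { return owner; }
    public String toString() { return "Account " + id + " of " + owner; }
}

// Stands in for whatever backs getAccountInfo?accountID=...: it looks up any id it is given.
class AccountRepository {
    private final Map<String, Account> byId = new HashMap<>();
    void put(Account a) { byId.put(a.id, a); }
    public Account getAccount(String id) { return byId.get(id); }
    public List<Account> getAllAccounts() { return new ArrayList<>(byId.values()); }
}

// Every public getter returning a reference type is a join point. The returned object
// (or each member of a returned Collection) must pass Filter.allow() or the caller never sees it.
aspect ReferenceFilter {
    pointcut guardedGetter():
        execution(public !static Object+ get*(..)) && !within(Filter) && !within(ReferenceFilter);

    Object around(): guardedGetter() {
        Object result = proceed();
        if (result instanceof Collection) {
            // Collection filter: copy only the members the rules allow, keeping Set-ness.
            Collection<Object> kept = (result instanceof Set)
                ? new LinkedHashSet<Object>() : new ArrayList<Object>();
            for (Object o : (Collection<?>) result) {
                if (Filter.instance().allow(o)) kept.add(o);
            }
            return kept;
        }
        // Reference filter: a denied object is replaced by null.
        return Filter.instance().allow(result) ? result : null;
    }
}

public class ObjectFilterExample {
    public static void main(String[] args) {
        User alice = new User("alice");
        User bob = new User("bob");
        AccountRepository repo = new AccountRepository();   // constructed sample data
        repo.put(new Account("776234", bob));
        repo.put(new Account("776235", alice));

        // Object-level rule: an Account is visible only to its owner, whatever code fetched it.
        Filter.instance().addRules(Account.class, new Rules() {
            public boolean allow(Object actor, Object instance) {
                return ((Account) instance).owner == actor;
            }
        });
        Filter.instance().setActor(alice);

        // alice guesses bob's id: the repository finds the row, the aspect nulls the reference.
        System.out.println(repo.getAccount("776234"));
        // Her own account comes back, and the listing is cut down to what she may see.
        System.out.println(repo.getAccount("776235"));
        System.out.println(repo.getAllAccounts());
    }
}
```

    Two things to check before trusting an aspect like this one. The pointcut only guards join points it matches: a field read inside the owning class, a method not named get*, or a constructor argument (the tests above hand mr_brown straight to ClassRoom) is never filtered, so the aspect has to sit on every path by which a protected object leaves its owner. And the actor in this stand-in lives in a static singleton, so a server that handles requests on several threads needs a per-thread actor (a ThreadLocal, set at request start and cleared at the end); with the rule written as above, a missing setActor leaves actor null and every Account is denied, which is the safe direction to fail.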
  5. AOP and rules

    Take a rules system which allows you to, say, populate bean properties into the working memory, use that to assert the values on the instance and actor. Run the rules, examine the memory for the pass/fail info. That might be one way to use it =)
    -Brian
    For a concrete example of using a rules system with AspectJ, you may want to look at Chapter 12 of my book AspectJ in Action. I use the Jess rule engine along with aspects to implement business rules. Source code is available for download at http://www.manning.com/catalog/view.php?book=laddad&item=source
  6. Ramnivas's Book

    I'll second the above comment -- Ramnivas Laddad's book is spectacular (even if he is pimping it himself here ;-)

    -Brian
  7. The bank and the rules

    The bad thing is of course, that if a bank uses a rules engine to manage access to accounts it will probably screw up any audit imposed upon it.

    It is not a safeguard that is difficult to circumvent! It is rather one that is easy to impose (and hard to forget to). This is a fundamental difference.