General J2EE
Application Access Control List
Hi there, I would just like to ask anyone out there who has ever programmed an application that allows an administrator (through a web interface) to control which page, option or field of a form is available, whether they are read-only or editable, and whether a user has the right to delete or not, based on the authorizations a person is given. I am sure there are applications out there that have been developed with such features, but how messy or complicated were they?
Currently, the only thing I could think of is using custom tags and surrounding the element of a form; the custom tag will check if the current user has rights to this element of the form. If the user does, the custom tag will display the element, but if not, it will not. However, this approach also has its disadvantages: what if I have client-side scripting that references this element and the user does not have access rights to this element? Won't that result in a JavaScript error? Or do I have to surround the script that affects that element with an ACL custom tag as well? If that is the case, wouldn't that be very messy? In such an approach, I think I would have to give a unique identifier to each and every element, page and form, and that information would be stored in the database, but I think that would be extremely hardcoded, because the application needs to know the link between the identifier in the database and the element in the form, and for that to happen the identifier of the element would have to be hardcoded into the JSP page, for example.
Programming an application with page control (controlling which pages a user can see or not) is not too difficult, but controlling not only page access but also the visibility of the fields in that page and their properties, such as editable or not, I think might be quite a headache.
If I were to store all this access control list information in a database, how would the information be organized?
I have come across applications that store references to the elements of a form in a page as a "page.form.element" string, so that at first glance it becomes immediately recognizable to a human looking at the database which element in the form this permission belongs to, and the application also uses this string (the identifier) to match its permissions according to the user's rights.
Is there already a design pattern out there for this issue? I hope seasoned developers might be able to give me some pointers or shed some light on this issue, because I think a lot of people might have faced the same task and gone about it in different ways, some better than others, some worse.
Thanks!!!
Message #128471
Application Access Control List
Hi Benjamin,
I was recently involved with a project that wanted to do something similar. They 'needed' fine grained access control for every screen element (forms and content) based on user roles. And, of course, configurable at runtime via some web pages.
Our approach was similar to what you described - wrap critical sections with a guarding tag: <security:hasPermission name="<%= Permission.EDIT_PERSON_SOCIAL_SECURITY_NUMBER %>" > ... </security:hasPermission>
The Permission object defined constants in the format of PAGE_NAME_SCREEN_ELEMENT_NAME. The Permission object validated itself against values in the database at system startup.
The servlet/action that received the form needed a similar check, to avoid accepting an empty value by accident and to prevent the 1% of 1% that might hack the value into an HTTP GET/POST.
We did not go ahead with this approach for several reasons:
1. Our JSP and servlet/action code would be very messy. And yes, your client-side scripting code would have to be aware of the security issues. It is really nasty.
2. The development time to create the infrastructure, the cost to retrofit the 10% of the project that had been delivered, and the overhead cost of doing it for every JSP and servlet/action going forward.
3. After further discussions with the client, the areas of security concern were places where user roles overlapped. The application had a handful of these areas, so we took the easy way out by creating some role-specific pages.
Here is what I suggest:
1. Talk with your client/requirements/whoever folks to determine whether you need an application-wide solution.
2. Examine what template engines have to offer.
I hope that helps. Good luck, Richard
Message #128546
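To make the two halves of Richard's suggestion concrete (the guarding tag at render time and the matching check when the servlet receives the form, which is what stops a client that edits the page or the POST body from submitting a field it was never shown), here is an added example in plain Java. It is not code from the thread or from either poster. It assumes hypothetical permission names beyond the one Richard quotes, a constructed role table standing in for the rows the Permission object would validate against the database at startup, and a plain Map in place of the real HttpServletRequest parameters, so it runs without a servlet container.

```java
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: one Permission constant per screen element, named PAGE_ELEMENT
// as in the thread, with the "page.form.element" string used as the database key.
public class ElementAcl {

    // Hypothetical permissions; only EDIT_PERSON_SOCIAL_SECURITY_NUMBER appears in the thread.
    enum Permission {
        EDIT_PERSON_SOCIAL_SECURITY_NUMBER("person.form.ssn"),
        EDIT_PERSON_NAME("person.form.name"),
        DELETE_PERSON("person.form.delete");

        // "page.form.element" identifier, readable by a human browsing the ACL table
        final String elementId;

        Permission(String elementId) {
            this.elementId = elementId;
        }
    }

    // Constructed role table, standing in for the database rows loaded at startup
    static final Map<String, Set<Permission>> ROLE_PERMISSIONS = Map.of(
        "clerk", EnumSet.of(Permission.EDIT_PERSON_NAME),
        "hr_admin", EnumSet.allOf(Permission.class));

    // Element id -> permission required to submit that field (constructed)
    static final Map<String, Permission> FIELD_PERMISSIONS = Map.of(
        Permission.EDIT_PERSON_SOCIAL_SECURITY_NUMBER.elementId, Permission.EDIT_PERSON_SOCIAL_SECURITY_NUMBER,
        Permission.EDIT_PERSON_NAME.elementId, Permission.EDIT_PERSON_NAME,
        Permission.DELETE_PERSON.elementId, Permission.DELETE_PERSON);

    // Render-side check, the job of the <security:hasPermission> tag: decide whether to emit an element.
    static boolean hasPermission(String role, Permission p) {
        Set<Permission> granted = ROLE_PERMISSIONS.getOrDefault(role, EnumSet.noneOf(Permission.class));
        return granted.contains(p);
    }

    // Servlet-side check: every field in the submitted form must be one this role may edit.
    // Unknown fields are rejected as well, so the server only accepts what it would have rendered.
    // Returns the names of rejected fields; an empty list means the submission may be processed.
    static List<String> rejectedFields(String role, Map<String, String> submittedParams) {
        List<String> rejected = new ArrayList<>();
        for (String field : submittedParams.keySet()) {
            Permission required = FIELD_PERMISSIONS.get(field);
            if (required == null || !hasPermission(role, required)) {
                rejected.add(field);
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Render time: the tag asks once per guarded element
        for (Permission p : Permission.values()) {
            System.out.printf("clerk may %s: %b%n", p, hasPermission("clerk", p));
        }

        // Constructed POST body in which the client added the SSN field it was never shown
        Map<String, String> submitted = new LinkedHashMap<>();
        submitted.put("person.form.name", "A. Example");
        submitted.put("person.form.ssn", "000-00-0000");

        System.out.println("clerk rejected fields:    " + rejectedFields("clerk", submitted));
        System.out.println("hr_admin rejected fields: " + rejectedFields("hr_admin", submitted));
    }
}
```

The point of keeping both checks on the same Permission constants is that the render-side tag only controls what the browser is offered, while the servlet-side check is the actual enforcement; rejecting the whole submission rather than silently dropping the offending field also gives you something to log when it happens.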
Application Access Control List
Hello Richard, thanks for your help. I appreciate it very much; I didn't expect an elaborate answer, but the details sure helped. You have been very kind. At least I now know that I am not the only one facing this problem. Thanks a million!!!