Announcement Announcement Module
Collapse
No announcement yet.
Security in a standalone application on Windows Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Security in a standalone application on Windows

    I want to use Acegi to protect my domain objects at method level using role based security.
    I can retrieve the user name and granted authorities from the OS.
    How can I inject these informations into Acegi ?

    I have to manage the concept of ownership. Some actions are only available to the owner of the object. I would like to have a ROLE_OWNER and give it the rights.
    How can I do that dynamic stuff ?

    With Acegi, if I call a secured method and the authenticated user has not the rights to execute the method, an exception is thrown.
    Is it possible to test if the user has the right without calling the method ?

  • #2
    To inject Windows authentication information, you could always delegate to a JAAS LoginModule that can access the details and then use Acegi Security's JaasAuthenticationProvider. See http://acegisecurity.sourceforge.net...-provider-jaas for more details.

    In terms of checking a user has a permission before calling a method, the easiest way would be to:

    Code:
    Authentication auth = SecureContextUtils.getSecureContext().getAuthentication()
    // then iterate auth.getAuthorities() for the expected/required role
    If the permissions are from an ACL permission (as opposed to a permission granted via the Authentication's GrantedAuthority[]s) you will need to access to AclManager. Most people tend to add some simple methods to their services layer, such as isAllowedDelete(Object domainObject), which is a void no-op method, but allows a quick check of permissions before sending it to the actual services layer. This is quite efficient, as ACL entries are cached in memory and not reaccessed from the DAO.

    Comment


    • #3
      Originally posted by Ben Alex
      In terms of checking a user has a permission before calling a method, the easiest way would be to:

      Code:
      Authentication auth = SecureContextUtils.getSecureContext().getAuthentication()
      // then iterate auth.getAuthorities() for the expected/required role
      Yes but I don't want the roles to appear in my code.

      http://acegisecurity.sourceforge.net seems to be currently unavailable !

      Comment


      • #4
        The web site is up now; I just tried. Probably a SourceForge problem.

        If you don't want hard-coded roles in your code (which is fair enough) you'll need to use the services layer no-op methods I mentioned in my previous post. This is more often used with ACL security (as it's more complex to check permissions easily from code and without doing an invocation), but there's nothing wrong with using it for roles as well.

        Comment


        • #5
          If I understand, I create a dummy method which needs the same rights as the true method and use the dummy to test the access.

          Comment


          • #6
            Originally posted by Patrick Vanhuyse
            If I understand, I create a dummy method which needs the same rights as the true method and use the dummy to test the access.
            That's right. I know it seems a bit contrived, but if you need to know sufficient permissions exist to invoke a method, and you don't want to check the permissions list manually in your code, it's really the only way you can do it.

            Comment

            Working...
            X