Saturday, July 27, 2013

Re: GWT and Web Security



On Saturday, July 27, 2013 3:43:18 PM UTC+2, Jens wrote:
I am wondering if there is anything standards based a servlet container can provide when I only have a static set of permissions and customers can define their own roles by combining these permissions. I pretty much always need something like @PermissionRequired instead of @RolesAllowed in my apps because roles are not static. And in addition to method/class level permissions which only regulate what a user can do in the app I also need to authorize the data a user can see.

IIRC, JavaEE's perspective is that those "permissions" are "roles" in your app, and you're given the ability to map given "roles" to your app's own roles. The expectation is that this mapping is done in the admin console of your JavaEE application server, but you can also do it in the web.xml (e.g. a jetty/web-override.xml or similar in other servlet containers).

My workflow is
1.) UI is build based on a user account's assigned roles and their containing access permissions
2.) User account selects menu item (= access permission) in UI. 
3.) App figures out which of the assigned roles of the account contain the access permission for the selected menu item.
4.) App figures out which data the user account can see based on the active roles calculated in 3.) and filters the data accordingly before sending it to the client UI. 

To make 4.) possible a customer can assign "accessible data" to each role of a given user account. So "accessible data" can vary between user accounts for the same role.

If I am not totally wrong I think JAAS can't help me here and I did not find a lot of information about JASPI but maybe my googling is just bad in this case. Currently the above is a custom implementation but I am wondering if its a "lets re-invent the wheel" thing.

JAAS is about authenticating the user (given his credentials) and obtaining his roles. JASPI (aka JASPIC) is about how you obtain the credentials.
None of them are about using the user Principal's roles. javax.annotation.security annotations and getUserPrincipal and isUserInRole are part of the answer.

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

No comments:

Post a Comment