Webware for Python

Hello Webware folks.

We've been working on some account-kit type code (we hope to contribute 
the results of this account stuff to the Sandbox soon) and I whomped up 
this security experiment.

My idea was to use the new "metaclass" feature in concert with some of 
its the new low-level methods to implement read, write, execute security 
on the sub-object (attribute) level. Then, an application level class 
(like a CMS object) could inherit from this security class and have 
easy/transparent security.

The code is fairly elementary, and the security tests it is doing are 
not interesting (just a look up table) but we'd appreciate the 
collective wisdom and comments of this group.

This will probably only work in Python 2.2.

Stuff we're interested in:
- is this likely to be future-proof with python's evolution?
- is this a good/stupid idea?
- did someone do this already in a mature package?
- any ideas for more interesting/useful credential system?
- anything else you may care to add

Thanks!

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Aaron Held <aaron@Me...> - 2003-05-09 01:35 I like the idea of a cred object, but the IMHO the fine grained permission should come from the object that the security is applied to. I would also like to see the creds be outside of the object. Take a CMS example. I have an object class News(Secure): With your system I would call something like myStory = news(storyID=5,creds=user.creds()) try: myStory.title = 'I Just wanted to change the title' catch AccessDenied print "Sorry, you lose" Alternatively the A NewManager object could work with the cred object class NewsManager: def updateNews(user,storyID,newNews): if user.creds.role.has('editor') and user.company == 'TheDotInCom.Com': return self.updateNewsToDatabase(storyID) else: raise AccessDenied def getNews(user,storyID): if user.creds.role.has('editor') and user.company == 'TheDotInCom.Com': return self.getNewsFromDatabase(storyID) myStory = newsManager.getStory(5) myStory.title='I changed this' try: newsManager.updateStory(5,myStory) except: print "You lose" Now that I wrote this all out I think that I understand. In my way I have to write an IF statement as well as raise an exception in each protected method. In your way I would just have to define a table somewhere. It is very much in the spirit of the Java system, interesting idea. -Aaron So rather then something like: Matt Feifarek wrote: > Hello Webware folks. > > We've been working on some account-kit type code (we hope to > contribute the results of this account stuff to the Sandbox soon) and > I whomped up this security experiment. > > My idea was to use the new "metaclass" feature in concert with some of > its the new low-level methods to implement read, write, execute > security on the sub-object (attribute) level. Then, an application > level class (like a CMS object) could inherit from this security class > and have easy/transparent security. > > The code is fairly elementary, and the security tests it is doing are > not interesting (just a look up table) but we'd appreciate the > collective wisdom and comments of this group. > > This will probably only work in Python 2.2. > > Stuff we're interested in: > - is this likely to be future-proof with python's evolution? > - is this a good/stupid idea? > - did someone do this already in a mature package? > - any ideas for more interesting/useful credential system? > - anything else you may care to add > > Thanks!

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Matt Feifarek <matt@da...> - 2003-05-09 02:27 Aaron Held wrote: > I like the idea of a cred object, but the IMHO the fine grained > permission should come from the object that the security is applied > to. I would also like to see the creds be outside of the object. Yeah, the Cred thing is pretty braindead; I just needed something that I could test against. In theory, the object itself (or the class) would have something akin to the Validator concept in Ian's FFK (and shamefully ripped off for our own FormKit)... they would stack up and return true or false... I just didn't want to get bogged down on that for this experiment. > Now that I wrote this all out I think that I understand. In my way I > have to write an IF statement as well as raise an exception in each > protected method. In your way I would just have to define a table > somewhere. > It is very much in the spirit of the Java system, interesting idea. I wanted the exception; I want to be able to bubble it up as far as it needs to go; if no code catches it, it could bubble way up to the top level of the application, and ultimately the servlet. If code DOES catch it, the "security violation" can be as broad or as narrow as the application needs.

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Matt Feifarek <matt@da...> - 2003-05-09 02:31 tshumway@... wrote: >But if the higher level application class overrides the low-level methods, >goodbye security. > > Well, sure, of course. But that can't happen from a client in a client/server application. If you override the __getattribute__ method in your own classes, you'll break this. I'm not sure that there's any way around that. This isn't meant to protect programmers against themselves; it's meant to be an easy way for applications to have security and for the violations to bubble up as exceptions, so they can be caught at any arbitrary level. >Given the state of flux with attribute access, descriptors, etc. I would be very >wary. > > Yeah. That's kindof what I think. >Have you looked at Bastion in the standard library? This level of access >control is most useful with rexec. > > No; I will now. Thanks! >Have you looked at zope's security model? Zope tends to overdo many things >(IMO), but they have been working on it a very long time, and are sure to have >learned something useful from practical experience. > > Every time I try and look at zope's anything, I get so confused I give up quickly. It doesn't seem that things are very seperable; I'll go back for a second look, though. Thanks for the rec. >About a year ago I spent two days pondering some releated problems > > http://oss.jdiworks.net/projects/jaguar/access/ > > Excellent. Thanks, I'll look your code over. >(Right now I have signup, login, and logout working -- no roles or permissions >yet. I'll post it this weekend.) > > We've got those things going, but the permission is only at the servlet level; we wanted to go deeper. Thanks for your comments and references. -- Matt

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Ian Bicking <ianb@co...> - 2003-05-09 04:43 A couple implementation thoughts: Method gets could return a wrapper on the method, that might look like: class MethodWrapper(object): def __init__(self, method, credential): self.method = method self.credential = credential def __call__(self, *args, **kw): if not credential.execute(self.method, *args, **kw): raise AccessDenied(...) return self.method(*args, **kw) Then the credential could have a more fine-grained access control over methods. I would think the credential should also be passed the object in question as well, i.e., credential.write(self, name). Oh, and I think you want __setattribute__ instead of __setattr__. That said... hmm. I feel like a proxy would work better. Then you would wrap an object in a proxy, and that proxy would also be associated with a user. This way you could wrap global objects for access by individual users, where in this case you would have to recreate the object for each user. There's certainly more to think about in this. For instance, what state should the credential carry around? How should it be attached to actual access? Implicit, or explicit? I personally don't see anything wrong with passing the credential around explicitly. I'm more interested on what its internal state should look like. Well, food for thought... On Thu, 2003-05-08 at 12:50, Matt Feifarek wrote: > Hello Webware folks. > > We've been working on some account-kit type code (we hope to contribute > the results of this account stuff to the Sandbox soon) and I whomped up > this security experiment. > > My idea was to use the new "metaclass" feature in concert with some of > its the new low-level methods to implement read, write, execute security > on the sub-object (attribute) level. Then, an application level class > (like a CMS object) could inherit from this security class and have > easy/transparent security. > > The code is fairly elementary, and the security tests it is doing are > not interesting (just a look up table) but we'd appreciate the > collective wisdom and comments of this group. > > This will probably only work in Python 2.2. > > Stuff we're interested in: > - is this likely to be future-proof with python's evolution? > - is this a good/stupid idea? > - did someone do this already in a mature package? > - any ideas for more interesting/useful credential system? > - anything else you may care to add > > Thanks! > > ______________________________________________________________________ > > # Copyright (C) 2003, dAlchemy, Inc: http://www.dalchemy.com > > from types import MethodType > > class AccessDenied( Exception ): > '''probably should put some logging code in here or something''' > pass > > > class Secure(object): > '''An abstract class that checks for security when accessing attributes and methods''' > # note that this class defaults to no access; it can easily be extended to also have > # default full-access, and this could then be set by a switch > def __init__( self, credential=None ): > '''Pass in a hook to a credential object...''' > object.__setattr__(self,'_credential',credential) > > > def __getattribute__( self, name ): > '''override the base to put in security checks''' > # this one covers read and execute access... > # read is for attributes, execute is for methods > credential = object.__getattribute__(self,"_credential") > > > # this logic tree can no-doubt be tightened-up, but I want it to be clear > # for illustrative purposees > thing = object.__getattribute__(self,name) > if credential: > if type(thing) == MethodType: > if credential.execute(name): > return thing > else: > raise AccessDenied, "Don't have execute access for %s()" % name > else: > # if it's not a method, we're interested in read access > if credential.read(name): > return thing > else: > raise AccessDenied, "Don't have read access for %s" % name > else: > raise AccessDenied, "No credentials for %s" % name > > > def __setattr__( self, name, value ): > '''override the base to put in security checks''' > credential = object.__getattribute__(self,"_credential") > if credential and credential.write(name): > object.__setattr__(self,name,value) > else: > raise AccessDenied, "Don't have write access to %s" % name > > > > class Credential(object): > '''This is a highly bogus object, just set up to provide me something to test against; > this lookup table can be replaced with application-meaningful tests, of course''' > def __init__( self ): > self._read = { > 'zilch':1, > 'foo':0, > 'bar':1, > } > self._write = { > 'zilch':1, > 'foo':1, > } > self._execute = { > 'bar':0, > 'baz':1, > } > > def read( self, item ): > return self._read.get(item) > > def write( self, item ): > return self._write.get(item) > > def execute( self, item ): > return self._execute.get(item) > > > > ############################################################################################ > ## this is a bogus test class > > class Test( Secure ): > def __init__(self,credential=None): > Secure.__init__(self,credential) > self.foo = "foo attr" > self.zilch ="zilch attr" > > def bar(self): > return "bar method" > > def baz( self ): > return "baz method" > > > ############################################################################################ > > test = Test( Credential() ) > > # now, do something like > > print test.foo # this will crash > print test.zilch = "overwrite" > > print test.bar() # this will crash > print test.baz() > >

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Ian Bicking <ianb@co...> - 2003-05-09 04:46 On Thu, 2003-05-08 at 21:28, Matt Feifarek wrote: > Yeah, the Cred thing is pretty braindead; I just needed something that I > could test against. In theory, the object itself (or the class) would > have something akin to the Validator concept in Ian's FFK (and > shamefully ripped off for our own FormKit)... they would stack up and > return true or false... I just didn't want to get bogged down on that > for this experiment. FWIW, Validator has become the center of my next-generation form processing system (FormEncode in the sandbox) -- the validator replaces FormDefinition and FormServlet, i.e., a single validator represents the entire input. But the changes to Validator aren't large (mostly some naming tweaks). Ian

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Aaron Held <aaron@Me...> - 2003-05-09 14:32 Attachments: Message as HTML      I finally stated coding a new CMS (well I created the directory at least) and am working on a new module to pull News Artilcls out of PostNuke. So currently I have a ContentManager that returns a news object. The News object can be passed directly to Cheethah/psp for rendering of the story, and I also want it to contain FFK information so that it can also be used to render itself in an editable fasion. By storing the News object in a user session I will then have the ability to let the user keep a story in an 'editing' mode across multiple HTML pages until they are ready to commit the changes. At that point they pass it back to ContentManger.update(user,news) Is this consistent w/ the new FormEncode? I'll check it out over the weekend. -Aaron Ian Bicking wrote: >On Thu, 2003-05-08 at 21:28, Matt Feifarek wrote: > > >>Yeah, the Cred thing is pretty braindead; I just needed something that I >>could test against. In theory, the object itself (or the class) would >>have something akin to the Validator concept in Ian's FFK (and >>shamefully ripped off for our own FormKit)... they would stack up and >>return true or false... I just didn't want to get bogged down on that >>for this experiment. >> >> > >FWIW, Validator has become the center of my next-generation form >processing system (FormEncode in the sandbox) -- the validator replaces >FormDefinition and FormServlet, i.e., a single validator represents the >entire input. But the changes to Validator aren't large (mostly some >naming tweaks). > > Ian > > > >

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Terrel Shumway <tshumway-sf@jd...> - 2003-05-09 17:24 Quoting Aaron Held <aaron@...>: > I like the idea of a cred object, "credential" is a term normally used in *authentication* -- verifying that an actor is who he claims to be. What we are dealing with is *authorization* -- verifying that the authenticated user is allowed to perform a particular action on a particular object. "permission" and "access control list" are more appropriate names. > but the IMHO the fine grained > permission should come from the object that the security is applied to. > I would also like to see the creds be outside of the object. > > Now that I wrote this all out I think that I understand. In my way I > have to write an IF statement as well as raise an exception in each > protected method. In your way I would just have to define a table > somewhere. > It is very much in the spirit of the Java system, interesting idea. > > -Aaron There is no shorcut. Any authorization problem reduces eventually to a boolean function of three elements. 1) the actor 2) the action 3) the recipient (acted upon) Whether that function is defined in code or in a table, it still has to exist. Whenever you try to make one of these disappear from the mainline code, you have to push it into the context somehow (e.g. in the NewsManager, in the NewsStory, or in the "cred" object). This is not necessarily A Bad Thing, but I am not convinced that the Java system is any more clear than others. I like to have all three out in the open so I can see what is going on. If, for a particular application, it makes sense to hide one in the context, I will do it -- but I want the choice to be concious. A closely related problem, *access*, might be defined as "how the user presented the request", e.g. source IP address, protocol. Apache's request processing calls handlers in this order: Access, Authentication, Authorization. To add to the confusion In the Access phase, you would return HTTP_FORBIDDEN to indicate that access is not allowed. In the Authentication phase, you would return HTTP_UNAUTHORIZED to indicate that the required credentials are missing or invalid. In the Authorization phase, you would return HTTP_FORBIDDEN to indicate that the action is not allowed. The Authentication handler often handles Authorization too. (e.g. mod_auth does both.) (If I were designing HTTP today 8-), I might name the respective codes HTTP_ACCESS_DENIED, HTTP_NOT_AUTHENTICATED, and HTTP_NOT_ALLOWED.) hmmmm... some food for thought. -- Terrel

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: <tshumway@jd...> - 2003-05-09 00:28 Quoting Matt Feifarek <matt@...>: > Hello Webware folks. > > We've been working on some account-kit type code (we hope to contribute > the results of this account stuff to the Sandbox soon) and I whomped up > this security experiment. > > My idea was to use the new "metaclass" feature in concert with some of > its the new low-level methods to implement read, write, execute security > on the sub-object (attribute) level. Then, an application level class > (like a CMS object) could inherit from this security class and have > easy/transparent security. But if the higher level application class overrides the low-level methods, goodbye security. > > The code is fairly elementary, and the security tests it is doing are > not interesting (just a look up table) but we'd appreciate the > collective wisdom and comments of this group. > > This will probably only work in Python 2.2. > > Stuff we're interested in: > - is this likely to be future-proof with python's evolution? Given the state of flux with attribute access, descriptors, etc. I would be very wary. > - is this a good/stupid idea? Have you looked at Bastion in the standard library? This level of access control is most useful with rexec. > mature package? Have you looked at zope's security model? Zope tends to overdo many things (IMO), but they have been working on it a very long time, and are sure to have learned something useful from practical experience. > - any ideas for more interesting/useful credential system? About a year ago I spent two days pondering some releated problems http://oss.jdiworks.net/projects/jaguar/access/ I am just now digging it out and dusting off the cobwebs because I have a clear and present need for it. I, too, would like some feedback if anyone cares to take a look. UserKit does not go quite far enough for my purposes. AccountKit sounds like an appropriate name. (Right now I have signup, login, and logout working -- no roles or permissions yet. I'll post it this weekend.) HTH -- Terrel

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Ian Bicking <ianb@co...> - 2003-05-10 06:53 On Thu, 2003-05-08 at 19:29, tshumway@... wrote: > > My idea was to use the new "metaclass" feature in concert with some of > > its the new low-level methods to implement read, write, execute security > > on the sub-object (attribute) level. Then, an application level class > > (like a CMS object) could inherit from this security class and have > > easy/transparent security. > > But if the higher level application class overrides the low-level methods, > goodbye security. I think you're looking at this wrong -- hard security, like Zope uses, is one thing, but this is soft security. *All* the code is trusted. This is about making a framework so that code can see whether the logged-in user is sufficiently trusted. At least that's how I read it -- and certainly what I'd be looking for, since untrusted code is way too difficult to work with (and the limitations it creates are one of the things that makes Zope so hard to work with as a Python programmer). > > Stuff we're interested in: > > - is this likely to be future-proof with python's evolution? > > Given the state of flux with attribute access, descriptors, etc. I would be very > wary. I don't think there's any flux. 2.2 has been out for a while, 2.3 makes no changes on this front, and there's clearly a commitment to the semantics of new style classes. Even in 3.0 I wouldn't expect any changes. Guido et. al. have specifically expressed their commitment to not changing this stuff. Ian

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Max Ischenko <max@ma...> - 2003-05-12 12:12 > We've been working on some account-kit type code (we hope to contribute > the results of this account stuff to the Sandbox soon) and I whomped up > this security experiment. > My idea was to use the new "metaclass" feature in concert with some of > its the new low-level methods to implement read, write, execute security > on the sub-object (attribute) level. Then, an application level class > (like a CMS object) could inherit from this security class and have > easy/transparent security. > The code is fairly elementary, and the security tests it is doing are > not interesting (just a look up table) but we'd appreciate the > collective wisdom and comments of this group. > This will probably only work in Python 2.2. > Stuff we're interested in: > - is this likely to be future-proof with python's evolution? > - is this a good/stupid idea? > - did someone do this already in a mature package? > - any ideas for more interesting/useful credential system? > - anything else you may care to add IMHO, embedding credential system into data classes is solving the wrong problem. Security policy should operate on quite different (and higher) level instead of controlling access to object's bits. "code access security" feels mostly like a marketing buzzword to me. Take a look at .NET architecture, for example. They have both "code access security" (to protect you from running malicious code from Internet) AND role-based security framework which provides identity, authentication and authrization. May be you could steal some good ideas from there, like I did for my last Webware project. I've built simple role-based security when access to a web page is granted based on user's credentials and access policy for that page (thru the config file). Code excerpts are given below. class UserManager: def __init__(self, store): self.users = [] self.store = store def isLoggedIn(self, user): return user in self.users def logInUser(self, name, password, address): def getUserInfo(self, name): class UserInfo: def __init__(self, userinfo): def getRoles(self): def getPassword(self): def containsAddress(self, address): class User: """ Represents a user of the system. A user is identified by it's name, authenticated by password and can "play" one or more "roles". Users are managed by the L{UserManager}. """ def __init__(self, mgr, name, roles=[]): self.mgr = mgr self.name = name self.roles = roles def isLoggedIn(self): return self.mgr.isLoggedIn(self) def getName(self): return self.name def playsRole(self, role): return (role in self.roles) def __str__(self): return "<User %s>" % self.name class AccessPolicy: """ Sets role-based access policy for individual pages. """ def __init__(self, db): self.db = db def getRoleForPage(self, page): return self.db.get(page, None) -- Regards, max.

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Tracy S. Ruggles <tracy@re...> - 2003-05-12 13:41 Not sure if this relates or not, but have you seen Sandbox.py? http://www.procoders.net/download.php?fname=SandBox.py It wraps any object (class/module/function/etc.) with a security proxy and then will execute code in a "sandbox" without affecting other parts of the system. I haven't used it in production yet, but have considered it for our own mini-CMS as a way to offer a safe way to add scripting objects into our system. --T On Monday, May 12, 2003, at 07:11 AM, Max Ischenko wrote: >> We've been working on some account-kit type code (we hope to >> contribute >> the results of this account stuff to the Sandbox soon) and I whomped >> up >> this security experiment. > >> My idea was to use the new "metaclass" feature in concert with some of >> its the new low-level methods to implement read, write, execute >> security >> on the sub-object (attribute) level. Then, an application level class >> (like a CMS object) could inherit from this security class and have >> easy/transparent security. > >> The code is fairly elementary, and the security tests it is doing are >> not interesting (just a look up table) but we'd appreciate the >> collective wisdom and comments of this group. > >> This will probably only work in Python 2.2. > >> Stuff we're interested in: >> - is this likely to be future-proof with python's evolution? >> - is this a good/stupid idea? >> - did someone do this already in a mature package? >> - any ideas for more interesting/useful credential system? >> - anything else you may care to add > > IMHO, embedding credential system into data classes is solving the > wrong > problem. Security policy should operate on quite different (and higher) > level instead of controlling access to object's bits. "code access > security" feels mostly like a marketing buzzword to me. > > Take a look at .NET architecture, for example. They have both "code > access security" (to protect you from running malicious code from > Internet) AND role-based security framework which provides identity, > authentication and authrization. May be you could steal some good ideas > from there, like I did for my last Webware project. > > I've built simple role-based security when access to a web page is > granted based on user's credentials and access policy for that page > (thru the config file). Code excerpts are given below. > > > class UserManager: > > def __init__(self, store): > self.users = [] > self.store = store > def isLoggedIn(self, user): > return user in self.users > def logInUser(self, name, password, address): > def getUserInfo(self, name): > > class UserInfo: > > def __init__(self, userinfo): > def getRoles(self): > def getPassword(self): > def containsAddress(self, address): > > class User: > > """ > Represents a user of the system. > > A user is identified by it's name, authenticated by password and can > "play" one or more "roles". > > Users are managed by the L{UserManager}. > """ > > def __init__(self, mgr, name, roles=[]): > self.mgr = mgr > self.name = name > self.roles = roles > def isLoggedIn(self): > return self.mgr.isLoggedIn(self) > def getName(self): > return self.name > def playsRole(self, role): > return (role in self.roles) > def __str__(self): > return "<User %s>" % self.name > > class AccessPolicy: > > """ > Sets role-based access policy for individual pages. > """ > > def __init__(self, db): > self.db = db > def getRoleForPage(self, page): > return self.db.get(page, None) > > > > > -- > Regards, max. > > > ------------------------------------------------------- > Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara > The only event dedicated to issues related to Linux enterprise > solutions > http://www.enterpriselinuxforum.com > > _______________________________________________ > Webware-discuss mailing list > Webware-discuss@... > https://lists.sourceforge.net/lists/listinfo/webware-discuss >

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Matt Feifarek <matt@da...> - 2003-05-15 20:34 Terrel Shumway wrote: >"credential" is a term normally used in *authentication* -- verifying that an >actor is who he claims to be. > >What we are dealing with is *authorization* -- verifying that the authenticated >user is allowed to perform a particular action on a particular object. >"permission" and "access control list" are more appropriate names. > > Excellent point. I agree completely. >There is no shorcut. Any authorization problem reduces eventually to a boolean >function of three elements. > > 1) the actor > 2) the action > 3) the recipient (acted upon) > >Whether that function is defined in code or in a table, it still has to exist. > > Thanks for your additional comments on this matter; I agree with you. My partner and I have been around and around on how to "hide" this logic, and which part of the system should handle it. Your clear description should be useful for our discussion. > >

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Matt Feifarek <matt@da...> - 2003-05-15 20:47 Max Ischenko wrote: >IMHO, embedding credential system into data classes is solving the wrong >problem. Security policy should operate on quite different (and higher) >level instead of controlling access to object's bits. "code access >security" feels mostly like a marketing buzzword to me. > > We've been running a system for a year or so that chiefly has page-level security. We also use the Ww actions() code to define roles/actions, but it's been somewhat unsatisfactory. I agree that code-level security is most often moot, but I figured if it could be that low-level, it could also be higher level. Rather than controlling a given CMS object, one could control a collection of them or something like that. I'm not interesting in buzzwords, and wasn't even aware that .NET was doing that. I'm trying to make it so servlets don't have to deal with security when retrieving/painting/editing objects. >I've built simple role-based security when access to a web page is >granted based on user's credentials and access policy for that page >(thru the config file). Code excerpts are given below. > >class User: > > """ > Represents a user of the system. > > A user is identified by it's name, authenticated by password and can > "play" one or more "roles". > > Users are managed by the L{UserManager}. > """ > > def __init__(self, mgr, name, roles=[]): > self.mgr = mgr > self.name = name > self.roles = roles > def isLoggedIn(self): > return self.mgr.isLoggedIn(self) > def getName(self): > return self.name > def playsRole(self, role): > return (role in self.roles) > def __str__(self): > return "<User %s>" % self.name > > Where is self.roles() and what does it look like? (if you don't mind me asking) Seems like you fundamentally have a lookup table that corresponds to users and pages; I need finer control than that. But thanks for the lead; I'll look up the .NET stuff.

Re: [Webware-discuss] RFC: experiment class with attribute-level security From: Max Ischenko <max@ma...> - 2003-05-16 07:10 > >IMHO, embedding credential system into data classes is solving the wrong > >problem. Security policy should operate on quite different (and higher) > >level instead of controlling access to object's bits. "code access > >security" feels mostly like a marketing buzzword to me. > We've been running a system for a year or so that chiefly has page-level > security. We also use the Ww actions() code to define roles/actions, but > it's been somewhat unsatisfactory. YMMV. I had really simple site stucture and it works fine. > I'm not interesting in buzzwords, and wasn't even aware that .NET was > doing that. I'm trying to make it so servlets don't have to deal with > security when retrieving/painting/editing objects. You could move that code into ancestor class (SitePage), so that every servlet automatically would have this functionality like this: def respond(self, trans): self.checkAccessPermissions() Page.respond(self, trans) def checkAccessPermissions(self): name = self.name() role = accesspolicy.getRoleForPage(name) if role: log.debug('Page %s requires role %s', name, role) user = self.getCurrentUser() if not user: self.logIn(role) if not user.isLoggedIn(): self.logIn(role) if not user.playsRole(role): log.debug('User %s not a %s', user.getName(), role) self.logIn(role) log.info("Grant access to %s for %s", name, user.getName()) def getCurrentUser(self): return self.session().value('user', None) def logIn(self, role): uri = self.request().uri() self.setSessionValue('loginbackpage', uri) self.setSessionValue('loginrole', role) self.forward('Login') > >I've built simple role-based security when access to a web page is > >granted based on user's credentials and access policy for that page > >(thru the config file). Code excerpts are given below. > >class User: > > def __init__(self, mgr, name, roles=[]): > > self.mgr = mgr > > self.name = name > > self.roles = roles > > def isLoggedIn(self): > > return self.mgr.isLoggedIn(self) > > def getName(self): > > return self.name > > def playsRole(self, role): > > return (role in self.roles) > Where is self.roles() and what does it look like? (if you don't mind me > asking) I had Store class which constructs UserInfo instances from the .ini file. That class contains necessarily information and is used by UserManager to create User. class UserInfo: def __init__(self, userinfo): # userinfo is a python dict self.roles = self.parseList(userinfo, 'roles') self.domains = self.parseList(userinfo, 'domains') self.password = userinfo.get('password', '') > Seems like you fundamentally have a lookup table that corresponds to > users and pages; I need finer control than that. But thanks for the > lead; I'll look up the .NET stuff. -- Regards, max.

1 message has been excluded from this view by a project administrator.