class instance authorization

DocZorg
2007-11-24
2013-05-08
  • DocZorg
    DocZorg
    2007-11-24

    Hello!

    I saw there was a post on this a couple of year ago, and I was wandering if there was any support for this in jGuard now.

    It is a feature that I will need.

    I found this article done by IBM which would exactly match my needs (http://www-128.ibm.com/developerworks/java/library/j-jaas/), has anybody ever implemented such a solution with jGuard? Any other way? Any ideas?

    Have a nice day!
    Neil.

     
    • Charles Lescot
      Charles Lescot
      2007-11-26

      Hi,
      this feature is already implemented in jGuard.
      it is called in the jGuard reference manual 'Contextual permissions'.
      to illustrate that the feature has already been implemented, we can look towards the challenge proposed by the article with this sentence :
      - "Any registered (authenticated) user can create an auction but only the user who created the auction may modify it."

      this sentence can be divided into 2 assertions:
      "Any registered (authenticated) user can create an auction"
      => any user authenticated will have a 'basic_role' which will contain a permission to create an auction.
      we can create a URLPermission or JSFPermission called 'createAuction' and link this permission to the 'basic_role'
      "but only the user who created the auction may modify it"
      => we can add in the role 'basic_role' a 'contextual' permission which will refer to the auction creator.
      for example:
      new URLPermission("modifyAuction","/modifyAuction.do?creator=${subject.privateCredentials.login}");
      => each user will have only an URLPermission resolved specifically for its user (the permission will be resolved at runtime specifically based on the 'login' user credential) .

      so, jguard permits 'class instance-level authorization' in the sense of this article.

      hope it helps,

      Charles.