Re: [smartweb-devel] Requirements for auth module
From: rlogiacco <rlo...@us...> - 2007-05-11 11:39:04
rlogiacco wrote:
>
> 1. users and groups should be treated in a similar manner being interchangeable;
> 2. the administrator must be able to tell the module "allow user/group X to operate in the role Y only if the function operates on object of type Z and id N [ and current time is between 8am and 6pm ]" with the last part optional and customizable;
> 3. permissions and rules should be customizable through a configuration file without intervention into the code, allowing a method level granularity similarly to the EJB security constraints;
> 4. users are stored by default on database, but other sources for data (LDAP for example) should be configurable;
> 5. no constraints between the auth module data and other modules to allow deployment on separate databases;
> 6. no class constraints and no requirements on the classes using the module: as stated before the security constraint should be activatable at configuration time (AOP should be the solution);
> 7. customizability both of authentication process and authorization process like "no logins for users in role X between 8pm and 8am" or "disallow requests to function F if more than 5 users already logged" through custom classes and configuration;
> 8. ability to load balance the module with the web application;
> 9. ability to check credentials both on presentation tier "show this field only if user is authorized" and on business tier "allow this operation only if user is authorized"
> 10. support for distributed presentation and business tiers (on two or more servers) and implicit transmission of credentials (needs integration with JAAS)
>
> Have I forgotten something?
>

Yes, I forgot to mention the anonymous user: we should define a constant referencing the non-authenticated users, also known as guest or anonymous. With this constant we can easily avoid NullPointerExceptions and unnecessary code branchings I think.

If you get any ideas, please submit them!
--
View this message in context: http://www.nabble.com/Requirements-for-auth-module-tf3513039s17546.html#a10430270
Sent from the SmartWeb Developers mailing list archive at Nabble.com.
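
One way the rule from requirement 2 and the anonymous constant from the reply could fit together, as an added example that is not part of the original message or of SmartWeb's code. Every name here (`AuthRuleSketch`, `Principal`, `Rule`, `isAllowed`) is hypothetical, the sample rules are constructed, and Java 16 or later is assumed for records.

```java
import java.time.LocalTime;
import java.util.List;
import java.util.Set;

public class AuthRuleSketch {
    // Requirement 1: users and groups share one type, so a rule can name either.
    // Assumption: user names and group names live in one namespace and never collide.
    record Principal(String name, Set<String> groups) {
        // The anonymous constant from the reply: checks never see a null principal.
        static final Principal ANONYMOUS = new Principal("anonymous", Set.of());
        boolean matches(String subject) { return name.equals(subject) || groups.contains(subject); }
    }

    // Requirement 2: subject X may act in role Y on object type Z with id N,
    // optionally inside a time window. A null bound means "no time condition".
    record Rule(String subject, String role, String type, String id, LocalTime from, LocalTime to) {
        boolean permits(Principal p, String r, String t, String i, LocalTime now) {
            boolean inWindow = from == null || to == null
                || (from.isBefore(to) ? !now.isBefore(from) && now.isBefore(to)   // 8am-6pm
                                      : !now.isBefore(from) || now.isBefore(to)); // 8pm-8am wraps midnight
            return p.matches(subject) && role.equals(r) && type.equals(t) && id.equals(i) && inWindow;
        }
    }

    // Deny by default: access is granted only when some rule explicitly permits it.
    static boolean isAllowed(List<Rule> rules, Principal p, String role, String type, String id, LocalTime now) {
        Principal who = (p == null) ? Principal.ANONYMOUS : p; // unauthenticated callers become the guest
        return rules.stream().anyMatch(rule -> rule.permits(who, role, type, id, now));
    }

    public static void main(String[] args) {
        // Constructed sample rules; in the module these would come from the configuration file.
        List<Rule> rules = List.of(
            new Rule("editors", "editor", "Article", "42", LocalTime.of(8, 0), LocalTime.of(18, 0)),
            new Rule("anonymous", "reader", "Article", "42", null, null));
        Principal alice = new Principal("alice", Set.of("editors"));
        LocalTime day = LocalTime.of(9, 30), night = LocalTime.of(22, 0);

        System.out.println("alice edits by day:    " + isAllowed(rules, alice, "editor", "Article", "42", day));
        System.out.println("alice edits at night:  " + isAllowed(rules, alice, "editor", "Article", "42", night));
        System.out.println("guest reads at night:  " + isAllowed(rules, null, "reader", "Article", "42", night));
        System.out.println("guest edits by day:    " + isAllowed(rules, null, "editor", "Article", "42", day));
    }
}
```

Because the guest is an ordinary principal, it gets access only where a rule names it, and everything else falls through to the default deny without a null check in the calling code.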