[smartweb-devel] Scoped authorizations are really needed?
From: rlogiacco <rlo...@us...> - 2007-09-27 15:26:26
I'm wondering if we really need to define scopes in the auth module, so first of all we should define what we intend by scopes... In my idea, scopes are the resources over which a certain permission is given. Say the user foo is bound to the docmanager role, which grants the permission to access the deleteDocument() method. Imagine each document is contained in a folder, so each document has an association (1..*) to a folder... As a sys admin I wish to say the user foo can be a docmanager only on docs contained in a specific folder set (folders A, B and C for example), excluding that privilege for any folder not listed.

Actually, to provide such fine-grained control on a privilege, we have to write a custom AuthorizationHandler (say DocumentFolderHandler) bound to the privilege; then, using information bound to the user's properties (or the group ones), we should check if the information matches during the authorization phase. Could a less programmatic approach, like something based on a configuration script, be a better solution?

Let's start the discussion and listen to your suggestions...

--
View this message in context: http://www.nabble.com/Scoped-authorizations-are-really-needed--tf4529064s17546.html#a12923516
Sent from the SmartWeb Developers mailing list archive at Nabble.com.
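The two approaches raised in the post, a role grant plus a folder-scope check, expressed as an added illustration (not SmartWeb code): the scope is a data rule bound to the permission instead of a hand-written DocumentFolderHandler, and the user property name "docmanager.folders" is an assumption.

```python
from dataclasses import dataclass, field

# Constructed model of the post's scenario. A role grants a permission; a
# scope rule bound to that permission limits it to resources whose attribute
# (the document's folder) appears in a property stored on the user.
# Names are illustrative, not SmartWeb's API.

@dataclass(frozen=True)
class Document:
    doc_id: str
    folder: str  # each document belongs to exactly one folder

@dataclass
class User:
    name: str
    roles: frozenset = frozenset()
    properties: dict = field(default_factory=dict)

# role -> permissions it grants (names from the post)
ROLE_PERMISSIONS = {"docmanager": {"deleteDocument"}}

# permission -> scope rule: the "configuration script" alternative to a
# custom handler class. "docmanager.folders" is a hypothetical property.
SCOPE_RULES = {
    "deleteDocument": {"resource_attr": "folder",
                       "user_property": "docmanager.folders"},
}

def has_permission(user: User, permission: str) -> bool:
    """Role check: does any of the user's roles grant the permission?"""
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in user.roles)

def in_scope(user: User, permission: str, resource) -> bool:
    """Scope check driven by SCOPE_RULES. An unscoped permission passes;
    a scoped one with no folders listed on the user fails closed."""
    rule = SCOPE_RULES.get(permission)
    if rule is None:
        return True
    allowed = user.properties.get(rule["user_property"])
    if not allowed:
        return False
    return getattr(resource, rule["resource_attr"]) in allowed

def is_authorized(user: User, permission: str, resource) -> bool:
    """Authorization requires both the role grant and the scope match."""
    return has_permission(user, permission) and in_scope(user, permission, resource)
```

With foo bound to docmanager and folders {A, B, C} listed, deleting a document in folder A is allowed while one in folder D is refused; a user with the role but no listed folders gets nothing.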