List: barracuda
Subject: RE: [Barracuda] Access Control List pattern?
From: PMERGAER () janbe ! jnj ! com
Date: 2003-05-19 17:24:07
We have overridden a standard controlhandler which also checks whether or not
a user is allowed to 'execute' an event. Every event has its list of allowed
roles mapped in an xml file. Our apps use that control event to implement
the code.
We're using WebLogic with a custom security realm. M$ Active Directory is
used for authentication and our securityrealm maps the user with the
J2EERole.
The business logic EJB's (SSB & CMP) are also protected with the same J2EE
roles. We check the security twice, once on web level and once on business
level (not every client is a webclient, it can be another process).
Tomcat also supports the Servlet api req.isUserInRole(role), but I have no
idea whether you can implement a custom security provider.
This is a sample of the base control event.
public final void handleControlEvent(ControlEventContext context)
        throws EventException, ServletException, IOException {
    ActivityInterface api = null;
    try {
        WorkFlowContext wfc = new BarracudaWorkFlowContext(context);
        Activity a = (Activity) context.getEvent();
        api = getActivityInterfaceFactory(context).createInterfaceForActivity(a);
        api.bind(wfc);
        // Descriptor for this activity (event); it carries the allowed-role
        // list loaded from the XML mapping.
        ActivityDescriptor ad = api.getWorkFlowManager()
                .getActivityXmlParser(a.getAppContext(), wfc)
                .getActivityDescriptor(a);
        // Authorization check runs before any handler code.
        if (!ad.isAccessibleForCurrentUser(context.getRequest())) {
            throw new GeneralFailureException("User " + api.getUserName()
                    + " is not authorized for the activity " + ad.getActivityName() + ".");
        }
        doControlPreCondition(api);
        doHandleControlEvent(api);
        doControlPostCondition(api);
    } catch (ClientSideRedirectException re) {
        // Redirects are part of the normal flow; pass them through untouched.
        throw re;
    } catch (Exception e) {
        // Display standard error page by putting a SystemErrorEvent on the queue
        log.error(e.getClass().getName() + ":" + e.getMessage(), e);
        throw new InterruptDispatchException(
                "handleControlEvent " + this.getClass().getName(),
                new SystemErrorEvent(context.getEvent(), e),
                e);
    }
}
Regards,
Merg
-----Original Message-----
From: Barr Bill P [mailto:Bill.P.Barr@irs.gov]
Sent: Monday, 19 May 2003 18:53
To: 'barracuda@barracudamvc.org'
Subject: [Barracuda] Access Control List pattern?
Is there a general use pattern and implementation for user authorization
everyone uses with Barracuda? The example HR application in the Barracuda
vs. Struts paper is close to what I would like to do.
I was hoping to be able to use an LDAP server to store my ACLs, but I can
only use it for authentication purposes. This leaves me to implement my own
access control list in the database which will determine which users have
access to which applications and how much of each application they can use.
I have a couple of ideas for implementing and checking for groups/roles and
finer-grained privileges, but I would like to read some of the group
wisdom. Any anecdotes, opinions, don't-do-this's and war stories would be
appreciated.
Thanks, in advance!
Bill
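Merg's per-event role list, as an added example that is not code from the thread or from Barracuda: a hypothetical EventAcl class loads an XML mapping of events to allowed roles and answers the same question as isAccessibleForCurrentUser, taking the container's isUserInRole check as a predicate so it works with WebLogic or Tomcat alike. The XML layout, class and element names, and the sample mapping are all constructed for this example.

```java
import java.io.StringReader;
import java.util.*;
import java.util.function.Predicate;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

/** Hypothetical event-to-role ACL loaded from an XML mapping (constructed layout). */
public class EventAcl {
    private final Map<String, Set<String>> rolesByEvent = new HashMap<>();

    public static EventAcl fromXml(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The mapping file is configuration, not user input, but reject DOCTYPEs anyway
        // so a tampered file cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        EventAcl acl = new EventAcl();
        NodeList events = doc.getElementsByTagName("event");
        for (int i = 0; i < events.getLength(); i++) {
            Element ev = (Element) events.item(i);
            Set<String> roles = new HashSet<>();
            NodeList rs = ev.getElementsByTagName("role");
            for (int j = 0; j < rs.getLength(); j++) roles.add(rs.item(j).getTextContent().trim());
            acl.rolesByEvent.put(ev.getAttribute("name"), roles);
        }
        return acl;
    }

    /** Deny by default: an unmapped event, or one with an empty role list, is not accessible. */
    public boolean isAccessible(String eventName, Predicate<String> isUserInRole) {
        Set<String> roles = rolesByEvent.get(eventName);
        if (roles == null || roles.isEmpty()) return false;
        for (String r : roles) if (isUserInRole.test(r)) return true;
        return false;
    }

    // Constructed sample mapping; inside a servlet, pass request::isUserInRole as the predicate.
    static final String SAMPLE = "<acl>"
        + "<event name='ApproveTimesheet'><role>manager</role><role>hr</role></event>"
        + "<event name='ViewTimesheet'><role>employee</role><role>manager</role></event>"
        + "<event name='DeleteEmployee'/>"
        + "</acl>";

    public static void main(String[] args) throws Exception {
        EventAcl acl = EventAcl.fromXml(SAMPLE);
        Predicate<String> inRole = new HashSet<>(Arrays.asList("employee"))::contains;
        for (String ev : new String[] {"ViewTimesheet", "ApproveTimesheet", "DeleteEmployee", "Other"})
            System.out.println(ev + " -> " + acl.isAccessible(ev, inRole));
    }
}
```

The deny-by-default branch is the part worth keeping: an event that is missing from the mapping, or whose role list was left empty, stays closed rather than silently open.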