> Thanks for replying Matt.
> I'm using a security interceptor and have authentication working fine.
> My question is around authorization and NOT going back and forth to
> the database to do those checks.
> I perhaps didn't explain my question well enough. I'm interested in
> seeing examples of how others are storing the roles and permissions
> for an authenticated user and THEN subsequently checking
> authorization.
> For example, in most Transfer-based applications, the user object has
> the roles and permissions attached.
> On Fri, Nov 6, 2009 at 11:53 AM, Matt Quackenbush <quackfu...@gmail.com> wrote:
> > I'm not sure what examples you're referring to, but the basic premise is the
> > same whether you use an ORM or not.
> > 1) You have a User object that represents the requesting user
> > 2) You have a Security Interceptor that fires and checks to see if the event
> > should be restricted based upon security rules
> > 3) If 'yes' to #2, you have a Security Service (or some such object) that
> > checks the requesting User's credentials against the database and the
> > security rule(s) in place. If the User is authorized the request proceeds
> > as normal. If not, the request is redirected to your login event or error
> > event or whatever event you have established in the configs.
> > HTH
> --
> Bill Tindal
> web ::http://www.fantasysportsstar.com
> skype :: dbloh7
> email :: malp...@gmail.com
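
An added example, not part of the thread and not any participant's code: a language-neutral Python sketch of the pattern asked about above, where roles and permissions are attached to the session user object at login and the security interceptor checks rules against that object instead of the database. The rule table, sample roles, event names (`security.login`, `security.denied`) and the 300-second refresh window are assumptions made for illustration.

```python
import time
from dataclasses import dataclass

# Constructed sample data standing in for the database tables.
ROLE_PERMISSIONS = {"admin": {"user.edit", "report.view"}, "member": {"report.view"}}
USER_ROLES = {"bill": ["member"]}
# Constructed security rules: event-name prefix -> permission required.
SECURITY_RULES = {"admin.users.": "user.edit", "reports.": "report.view"}
DB_CALLS = {"count": 0}  # counts simulated database round trips

def load_permissions(username):
    """The only function that touches the (simulated) database."""
    DB_CALLS["count"] += 1
    perms = set()
    for role in USER_ROLES.get(username, []):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return frozenset(perms)

@dataclass
class SessionUser:
    """User object kept in the session with its permissions attached."""
    username: str
    permissions: frozenset
    loaded_at: float

def login(username, now=None):
    """Resolve roles to permissions once, at authentication time."""
    now = time.time() if now is None else now
    return SessionUser(username, load_permissions(username), now)

def intercept(event, user, now=None, max_age=300):
    """Security interceptor: return the event that should actually run."""
    now = time.time() if now is None else now
    required = next((perm for prefix, perm in SECURITY_RULES.items()
                     if event.startswith(prefix)), None)
    if required is None:
        return event                      # unrestricted event
    if user is None:
        return "security.login"           # restricted, nobody logged in
    if now - user.loaded_at > max_age:    # bound how long a revoked role lingers
        user.permissions = load_permissions(user.username)
        user.loaded_at = now
    return event if required in user.permissions else "security.denied"
```

The refresh window is the trade-off to tune: permissions cached in the session stay in effect after a role is revoked until the next reload, so `max_age` caps that exposure at the cost of one database call per window.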