Roles and Permissions without Transfer


Bill Tindal

Nov 5, 2009, 7:34:25 PM
to col...@googlegroups.com
I'm working on setting up roles and permissions in my application.

I do not use Transfer and as most examples rely on the 'ORM'
functionality to attach roles and permissions to a user identity I'm
wondering if there are any examples out there of other ways to do it?

cheers,

--
Bill Tindal

web :: http://www.fantasysportsstar.com
skype :: dbloh7
email :: mal...@gmail.com

Matt Quackenbush

Nov 5, 2009, 7:53:56 PM
to col...@googlegroups.com
I'm not sure what examples you're referring to, but the basic premise is the same whether you use an ORM or not.

1) You have a User object that represents the requesting user

2) You have a Security Interceptor that fires and checks to see if the event should be restricted based upon security rules

3) If 'yes' to #2, you have a Security Service (or some such object) that checks the requesting User's credentials against the database and the security rule(s) in place.  If the User is authorized the request proceeds as normal.  If not, the request is redirected to your login event or error event or whatever event you have established in the configs.

HTH

Bill Tindal

Nov 5, 2009, 8:10:12 PM
to col...@googlegroups.com
Thanks for replying Matt.

I'm using a security interceptor and have authentication working fine.
My question is around authorization and NOT going back and forth to
the database for those checks.

I perhaps didn't explain my question well enough. I'm interested in
seeing examples of how others are storing the roles and permissions
for an authenticated user and THEN subsequently checking
authorization.

For example in most Transfer based applications, the user object has
the roles and permissions attached.

Sana

Nov 5, 2009, 8:16:59 PM
to ColdBox Platform
Hi Bill Tindal,

ColdBox has a sample security application with Transfer.

Check the ColdBox samples, "securitysample":
http://www.coldboxframework.com/index.cfm/download/beta

Thanks

Matt Quackenbush

Nov 5, 2009, 8:43:58 PM
to col...@googlegroups.com
Correct.  And that was the point in my reply: whether or not you use an ORM, the process is essentially identical.  An ORM simply has those methods already built into the object for you.
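
An added example, not part of the thread and not ColdBox or Transfer code: one way to hold an authenticated user's roles and permissions in a plain session-scoped object, so the interceptor authorizes requests without a database query each time. The component name, its methods, the TTL and `rule.permissions` are assumptions made for this sketch.

```cfml
// SecurityUser.cfc: hypothetical component, not ColdBox or Transfer code.
component {

    // Built once at login from plain query results (no ORM needed).
    public any function init(required numeric userId, required array roleNames,
                             required array permissionNames, numeric ttlMinutes = 15) {
        var i = 0;
        variables.userId = arguments.userId;
        variables.roles = {};
        variables.permissions = {};
        for (i = 1; i <= arrayLen(arguments.roleNames); i++) {
            variables.roles[lCase(arguments.roleNames[i])] = true;
        }
        for (i = 1; i <= arrayLen(arguments.permissionNames); i++) {
            variables.permissions[lCase(arguments.permissionNames[i])] = true;
        }
        // After this time the cached grants are no longer trusted.
        variables.expiresAt = dateAdd("n", arguments.ttlMinutes, now());
        return this;
    }

    public boolean function hasRole(required string role) {
        return structKeyExists(variables.roles, lCase(trim(arguments.role)));
    }

    public boolean function hasPermission(required string permission) {
        return structKeyExists(variables.permissions, lCase(trim(arguments.permission)));
    }

    public boolean function isStale() {
        return dateCompare(now(), variables.expiresAt) >= 0;
    }

    // requiredPermissions: comma list from the security rule; any one match passes.
    // Fails closed: a stale identity or an empty rule is never authorized.
    public boolean function isAuthorized(required string requiredPermissions) {
        var needed = listToArray(arguments.requiredPermissions);
        var i = 0;
        if (isStale()) { return false; }
        for (i = 1; i <= arrayLen(needed); i++) {
            if (hasPermission(needed[i])) { return true; }
        }
        return false;
    }
}

// Login handler (sketch):  session.user = new SecurityUser(id, roles, perms);
// Interceptor (sketch):    if (!structKeyExists(session, "user")
//                              || !session.user.isAuthorized(rule.permissions)) { /* redirect */ }
```

When `isStale()` returns true, the interceptor can re-run the role and permission queries and rebuild the object, so a revoked permission stops working within the TTL instead of lasting for the whole session.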
