
Webapplications and ACL's. Best practice


Thomas Grabietz

Jul 25, 2008, 9:18:29 AM7/25/08
Hello All,
we're planning a web-application with JSF and Hibernate. Now we're
looking for an appropriate framework to use ACL's in our application
which supports the JSP/Hibernate architecture. It must be able to
manage groups and CRUD-rights. How are your experiences?

Kind regards
Tom

Wojtek

Jul 28, 2008, 11:00:51 AM7/28/08
Thomas Grabietz wrote :

Every page (function) has a unique right. The rights are gathered into
roles specific to a single (and constrained) job. Users can have
multiple roles.

I.e.:
Role - Clerk
Role - Clerk Supervisor

These are two separate roles with no overlapping rights. So a clerk
supervisor would need to have both roles.


Every page hit compares the user's role set with the page's right. The
role sets are also compared to menu items, so a user only sees what
they have the rights to see. The user's role set is kept in the session
and is NEVER exposed outside of the application.

Thusly a user can hand type a URL, but if the page's right is not
within his/her role set, the request is bounced to the home page with
an error message.

Changes to a role (editing rights) and/or changes to a user's role set
are done dynamically by scanning all sessions and updating affected
users' role sets.

So a user can get TO an editing page, then find out they cannot commit
the changes because an admin modified the right/role.

All the roles and user role sets are persisted in a DB and encrypted,
so an enterprising DBA cannot simply give himself rights.

Note that this MUST be planned out BEFORE you code a single line. It
must be part of the fabric of the application.

And finally, there is a page which edits/creates new roles, available
only to the admin role.

--
Wojtek :-)
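The page-right and role-set scheme Wojtek describes, as an added example that is not code from the thread: a small Java model in which each page has one right, roles bundle rights, a session holds the user's role set server-side, a role edit by the admin is re-applied to every live session, and the same check serves both the per-request gate and the menu. Role and right names such as `Clerk` and `order.commit`, and the `PageAcl` class itself, are constructed for illustration.

```java
import java.util.*;

/** Added example, not from the thread; role and right names are constructed for illustration. */
public class PageAcl {
    // role name -> rights (one per page or function); persisted in the DB in practice
    private final Map<String, Set<String>> roleRights = new HashMap<>();
    // session id -> role names, kept so a role edit can be re-applied to live sessions
    private final Map<String, Set<String>> sessionRoles = new HashMap<>();
    // session id -> effective rights; server-side only, never sent to the client
    private final Map<String, Set<String>> sessionRights = new HashMap<>();
    /** Admin creates or edits a role; every live session holding it is rescanned. */
    public void defineRole(String role, String... rights) {
        roleRights.put(role, new HashSet<>(Arrays.asList(rights)));
        for (String sid : sessionRoles.keySet())
            if (sessionRoles.get(sid).contains(role)) recompute(sid);
    }
    /** At login, or when an admin changes the user's roles, the session's role set is replaced. */
    public void setSessionRoles(String sessionId, Set<String> roles) {
        sessionRoles.put(sessionId, new HashSet<>(roles));
        recompute(sessionId);
    }
    private void recompute(String sessionId) {
        Set<String> rights = new HashSet<>();
        for (String role : sessionRoles.get(sessionId))
            rights.addAll(roleRights.getOrDefault(role, Collections.emptySet()));
        sessionRights.put(sessionId, rights);
    }
    /** Run on every page hit, whether the link was clicked or the URL typed by hand. */
    public boolean mayAccess(String sessionId, String pageRight) {
        return sessionRights.getOrDefault(sessionId, Collections.emptySet()).contains(pageRight);
    }
    /** Menu rendering runs the same check, so users only see pages they may open. */
    public List<String> visibleMenu(String sessionId, List<String> menuPageRights) {
        List<String> out = new ArrayList<>();
        for (String r : menuPageRights) if (mayAccess(sessionId, r)) out.add(r);
        return out;
    }

    public static void main(String[] args) {
        PageAcl acl = new PageAcl();
        acl.defineRole("Clerk", "order.view", "order.edit", "order.commit");
        acl.setSessionRoles("s1", Set.of("Clerk"));
        System.out.println("edit page: " + acl.mayAccess("s1", "order.edit"));
        acl.defineRole("Clerk", "order.view", "order.edit"); // admin drops commit while s1 is editing
        System.out.println("commit page: " + acl.mayAccess("s1", "order.commit"));
        System.out.println("menu: " + acl.visibleMenu("s1", List.of("order.view", "order.approve")));
    }
}
```

A request whose page right fails `mayAccess` is where the redirect to the home page with an error message would go; the menu filter uses the same method so the two can never disagree.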

