Role-Based Authorization using AOP


Jrad

Aug 3, 2010, 6:22:02 AM8/3/10
to jquery-claypool
Hi again dear Chris,
To satisfy authorized access to controller methods, we are using
'around' filters. My question is if we can use "wildcards" in the
filter target. (e.g. target: "LBD.Controllers.*")

And to pass our role-based permissions object to the views we also
need a 'before' filter on all view classes.

I'd be happy if you have any ideas around the technique we are
applying to application authorization.

Jrad

Aug 3, 2010, 7:05:44 AM8/3/10
to jquery-claypool
Let's make a clarification:
If our wildcard before filter extends the views' model parameter with
the permissions object, then view objects will be able to render
permitted actions (in hijax:routes) and this is a minimum
authorization.
But I'm not sure if we need the around filter on controllers' methods
to "double-check" the authorized access to actions!
A limitation in a wildcard around filter is that we have no access to
the runtime, I mean the controller and method names currently being
filtered!

chris thatcher

Aug 3, 2010, 9:38:00 AM8/3/10
to jquery-...@googlegroups.com
It's true this is a limitation of the wild card filters.  Normally the wildcard on targets is used in combination with a naming pattern:

$.filters([{
        id        : "#contentNegotiationFilter",
        target    : "MyApp.Controllers.*",
        around    : "(secure.*)",
        advice    : function(invocation){
            // advice body goes here
        }
}])

would only be applied to controller methods beginning with "secure".

That said, I could see the utility of having a "target" and "method" property being made available in the aop filters so that when they are executed the filter author has access to these values.

Would that help your use case?

Thatcher

--
You received this message because you are subscribed to the Google Groups "jquery-claypool" group.
To post to this group, send email to jquery-...@googlegroups.com.
To unsubscribe from this group, send email to jquery-claypo...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/jquery-claypool?hl=en.




--
Christopher Thatcher

Jrad

Aug 3, 2010, 11:38:47 AM8/3/10
to jquery-claypool
That would be nice to have runtime information under "target" and
"method" properties. I'd appreciate it Chris.

Thank you


chris thatcher

Aug 11, 2010, 11:44:21 AM8/11/10
to jquery-...@googlegroups.com
This work is complete and will be bundled with the release early next week.  Here is an example:

var log;
$.filters([{
    id        : "#requestResponseParamFilter",
    target    : "Bigtable.Services.*",
    before    : "([a-z]*)",
    advice    : function(event){
        log = log||$.logger('Bigtable.Filters');
        log.debug('introspection details for filter are in this.literal \n %s ', JSON.stringify(this.literal));
    }
}])

would log:
introspection details for filter are in this.literal
"literal": {
        "scope": "Bigtable.Services",
        "object": "Site",
        "method": [
            "home",
            "admin",
            "geocodes",
            "find",
            "play"
        ]
    }

you should be able to determine exactly what function you are in using those details.

Thatcher
--
Christopher Thatcher

Jrad

Aug 12, 2010, 2:25:54 AM8/12/10
to jquery-claypool
Nice to hear from you Chris!

How can we determine exactly what function we are in using those
details?



chris thatcher

Aug 12, 2010, 9:46:40 AM8/12/10
to jquery-...@googlegroups.com
Actually you are right, it's not sufficient.  I'll back that out and try a different approach which is hopefully even simpler.

Thatcher

--
Christopher Thatcher

chris thatcher

Aug 17, 2010, 11:09:31 PM8/17/10
to jquery-...@googlegroups.com
So I spent a lot of time wrestling with this, and really looking at what AOP intends to provide architecturally as a pattern.  Without saying it's not possible (it may be, but could be expensive), I'm wondering if you had a use case that illustrates why this feature would be useful? 

The general use of AOP as a pattern usually implies that the filter's business logic has no dependencies on the specific component of a collection of components it has been assigned to cut across.  I'm interested in the use case so I can understand your needs better.

Thanks,
Thatcher
--
Christopher Thatcher

Jrad

Aug 18, 2010, 6:00:38 AM8/18/10
to jquery-claypool
We are implementing a navigation controller with AOP. This means a filter cross-cuts "after" all controller methods and tries to capture the value returned from the controller (which in this case would be a memento callback). The navigation filter puts the memento callback in its history for later recall.
Here we need to associate a name with our action! So by convention we decided to use the point cut method name, for example: "#contactController.list" as: "List Contacts".
In our case, I don't believe our cross-cutting concern is dependent on point cuts, but it also needs meta-information about them.
One possible workaround here is to return an 'id' OR 'name' from each controller method via our memento. This way we could have the meta-inf in our filter, BUT we would be changing our controllers' code to achieve this, which is against the AOP philosophy of decoupled concerns!


Jrad

Aug 18, 2010, 6:34:13 AM8/18/10
to jquery-claypool
Dear Chris,
Let me clarify this subject. Our first attempt at AOP was Role-Based Authorization and the second usage was a navigation manager.
I believe in both cases we need the point cut meta-information. In the role-based authorization, the filter clearly should know the controller and method name, to check if that method is authorized in the user's permission table.
I also explained the navigation use case above.
Finally, I don't see this as an abnormal case; you may have seen the Spring AOP interfaces like:
http://static.springsource.org/spring/docs/2.0.x/api/org/springframework/aop/AfterReturningAdvice.html#afterReturning%28java.lang.Object,%20java.lang.reflect.Method,%20java.lang.Object[],%20java.lang.Object%29
which pass the target object and method to the advice!

I just beg your pardon, since I was not clear in my first post.
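As an added example (not jquery-claypool code, and not posted by anyone in this thread), this is the shape of the role-based authorization advice described above: an around filter whose advice is handed the object and method names and checks them against a permission table before letting the target run. The helper names, the controllers and the permission table are all assumed for the example.

```javascript
// Added example (not jquery-claypool code): an "around" filter that passes the
// controller and method names to the advice for a role check. Names are assumed.

// Constructed permission table: role -> allowed "Controller.method" keys.
const permissions = {
  admin:  new Set(['ContactController.list', 'ContactController.remove']),
  viewer: new Set(['ContactController.list']),
};

// Constructed controllers standing in for MyApp.Controllers.*
const controllers = {
  ContactController: {
    list:   () => ['alice', 'bob'],
    remove: (name) => `removed ${name}`,
  },
};

// Copy `scope`, wrapping each method whose object/method names match the
// patterns so the advice receives { object, method, args, proceed }.
function applyAroundFilter(scope, targetPattern, methodPattern, advice) {
  const wrapped = {};
  for (const [objectName, obj] of Object.entries(scope)) {
    wrapped[objectName] = { ...obj };
    if (!targetPattern.test(objectName)) continue;
    for (const methodName of Object.keys(obj)) {
      if (!methodPattern.test(methodName)) continue;
      const original = obj[methodName];
      wrapped[objectName][methodName] = (...args) => advice({
        object: objectName, method: methodName, args,
        proceed: () => original.apply(obj, args),
      });
    }
  }
  return wrapped;
}

// Authorization advice: deny by default; the target runs only when the
// role's table lists the exact Controller.method being invoked.
function authorize(role) {
  return (invocation) => {
    const key = `${invocation.object}.${invocation.method}`;
    const allowed = permissions[role] !== undefined && permissions[role].has(key);
    if (!allowed) throw new Error(`403: role '${role}' may not call ${key}`);
    return invocation.proceed();
  };
}

// Wire the filter across every controller and method for one role.
function secureFor(role) {
  return applyAroundFilter(controllers, /Controller$/, /.*/, authorize(role));
}
```

The original controllers are left unwrapped, so the check lives entirely in the filter and the controller code never learns about roles.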

chris thatcher

Aug 18, 2010, 10:56:04 AM8/18/10
to jquery-...@googlegroups.com
Understood. I have a much clearer idea of the use case and spent some more time looking at the internals of the implementation early this morning and think I may have a solution.  Thanks for the clear illustration, it helps frame the problem for me.

Thatcher

--
Christopher Thatcher