Application-Level Security

[Yagiz Erkan]

Hi all,

I'm just starting to have a look at Kara. One question I had in mind is about security. How would you implement application-level security? Does it have to be completely custom or are you planning to add extensions to make such an implementation easier?

Thanks,

[Andy Selvig]

I'm actually working on a middleware layer for Kara right now. This will allow you to inject code right into the request pipeline to add whatever application-level features you'd like. We'll provide a simple http authentication middleware implementation, but you'd be able to get more complicated from there if you were interested. 

--
You received this message because you are subscribed to the Google Groups "Kara Framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to karaframewor...@googlegroups.com.
To post to this group, send email to karafr...@googlegroups.com.
Visit this group at http://groups.google.com/group/karaframework?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Yagiz Erkan]

Hi Andy,

Thanks for the prompt response.

That sounds like a good plan. It is more than likely to be a requirement if I use Kara in a professional setting. Especially if I use it to build a RESTful service layer. 

Thanks again and keep up the good work. 

Regards. 

 - Yagiz -

[Andy Selvig]

No problem, let me know if you have any other questions.

For anyone else interested, the initial implementation of the middleware functionality is in Github, I just haven't implemented any built-in middleware yet. The related docs are here:

http://karaframework.com/docs/middleware.html

[Hadi Hariri]

Would it be worth extending the route to allow for regex? Scenarios where you'd want for instance all routes except 2 or 3 to be excluded. Alternative of course is to filter these out in the actual middleware with access to routing info...

[Hadi Hariri]

Flip-side is that any regex parsing is going to most likely impact performance...

[Maxim Shafirov]

I'd go for simple prefix mapping. Like "match all under /admin" 

[Andy Selvig]

Yes, the prefix mapping is the way it is currently. I thought about doing something more complicated (even put a TODO next to the filter matching implementation), but I didn't know at the time what the best solution would be, and figured this would cover 99% of the use cases. Like you said, Hadi, a simple string comparison is much quicker than a regex. 

[Yagiz Erkan]

I think it's perfectly acceptable to have a simple solution that satisfies the mostly encountered use cases. The key is to have an extension mechanism to satisfy the remaining ones. 

 - Yagiz -