Security roles


Lucas Anastasiou

Apr 10, 2012, 9:42:36 AM
to widge...@googlegroups.com
Hello all,

I started implementing security roles using apache shiro.
This includes a many-to-many relation of users to roles (a user can
hold multiple roles), inserting some test roles to start with (admin,
tester, moderator, guest), and, as a test, an extra 'delete widget'
link that appears only for admins.

So implementing access control is (would be) performed using:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;

Subject currentUser = SecurityUtils.getSubject();
// role name must match the one stored for the user ("admin", as in the test data and the JSP tag below)
if (currentUser.hasRole("admin")) {
    // execute the privileged action
} else {
    // show message: you are not privileged to do this
}


or by using the jsp tag

<shiro:hasRole name="admin">
<!-- privileged content goes here -->
</shiro:hasRole>

What do you think?
What roles shall we include in there? What kind of operations shall be
secured in this way?

Best,
Lucas

p.s.
Also I was thinking that we can secure our REST API in the same
way: for secure operations (e.g. delete widget) the request must
include an API key associated with a user -> from that retrieve the
user -> check if the user is allowed to do this
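
The p.s. above describes an API key -> user -> authorisation check for REST calls; the Shiro JSP tag only decides whether the link is rendered, so the server-side handler still has to enforce the rule itself. The following is an added example (not code from Lucas or the widget project) showing that flow end to end with Apache Shiro 1.x: a custom `AuthenticationToken` carrying the API key, an `AuthorizingRealm` that maps key -> user -> roles -> permissions, and a delete handler that authenticates, then checks a permission string rather than a hard-coded role name. `ApiKeyToken`, `ApiKeyRealm`, `WidgetApi`, the sample keys, users and the `widget:*` permission vocabulary are all assumptions for illustration; a real deployment would read the key/user/role tables from the database instead of the in-memory maps, and would store a hash of the key rather than the key itself.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authz.AuthorizationException;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Token carrying the API key sent with a REST request (hypothetical class, not part of Shiro). */
final class ApiKeyToken implements AuthenticationToken {
    private final String apiKey;
    ApiKeyToken(String apiKey) { this.apiKey = apiKey; }
    @Override public Object getPrincipal()   { return apiKey; }
    @Override public Object getCredentials() { return apiKey; }
}

/** Realm resolving API key -> user -> roles -> permissions (hypothetical; tables would normally live in the DB). */
final class ApiKeyRealm extends AuthorizingRealm {
    private final Map<String, String> keyToUser = new HashMap<>();
    private final Map<String, Set<String>> userToRoles = new HashMap<>();
    private final Map<String, Set<String>> roleToPerms = new HashMap<>();

    ApiKeyRealm() {
        // Constructed sample data for the example: not real keys or users.
        keyToUser.put("k-admin-0001", "alice");
        keyToUser.put("k-guest-0002", "bob");
        userToRoles.put("alice", new HashSet<>(Arrays.asList("admin", "moderator")));
        userToRoles.put("bob",   new HashSet<>(Arrays.asList("guest")));
        roleToPerms.put("admin",     new HashSet<>(Arrays.asList("widget:*")));
        roleToPerms.put("moderator", new HashSet<>(Arrays.asList("widget:read", "widget:flag")));
        roleToPerms.put("guest",     new HashSet<>(Arrays.asList("widget:read")));
    }

    /** Only API-key tokens are handled here; a password token would be routed to another realm. */
    @Override public boolean supports(AuthenticationToken token) { return token instanceof ApiKeyToken; }

    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String user = keyToUser.get((String) token.getPrincipal());
        if (user == null) throw new UnknownAccountException("unknown API key");
        // The username becomes the principal; the key is the credential Shiro's default matcher compares with the token.
        return new SimpleAuthenticationInfo(user, token.getCredentials(), getName());
    }

    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String user = (String) principals.getPrimaryPrincipal();
        SimpleAuthorizationInfo info =
            new SimpleAuthorizationInfo(userToRoles.getOrDefault(user, Collections.emptySet()));
        for (String role : info.getRoles()) {
            info.addStringPermissions(roleToPerms.getOrDefault(role, Collections.emptySet()));
        }
        return info;
    }
}

public class WidgetApi {
    private static final Map<Integer, String> WIDGETS = new HashMap<>(); // constructed in-memory widget store

    /** DELETE /widgets/{id}: authenticate by API key, then authorise server-side. Returns an HTTP-style status line. */
    static String deleteWidget(SecurityManager sm, String apiKey, int widgetId) {
        Subject caller = new Subject.Builder(sm).buildSubject();
        try {
            caller.login(new ApiKeyToken(apiKey));
        } catch (AuthenticationException e) {
            return "401 Unauthorized";               // unknown or malformed key
        }
        try {
            // Check a permission, not a role name: granting widget:delete to 'moderator' later needs no code change.
            // "widget:*" (admin) implies "widget:delete:17"; "widget:read" (guest) does not.
            caller.checkPermission("widget:delete:" + widgetId);
            return WIDGETS.remove(widgetId) == null ? "404 Not Found" : "204 No Content";
        } catch (AuthorizationException e) {
            return "403 Forbidden";                  // authenticated, but not allowed
        } finally {
            caller.logout();                         // API calls are stateless: do not keep a session around
        }
    }

    public static void main(String[] args) {
        SecurityManager sm = new DefaultSecurityManager(new ApiKeyRealm());
        WIDGETS.put(17, "weather");
        WIDGETS.put(18, "calendar");
        System.out.println("guest key, delete 17:   " + deleteWidget(sm, "k-guest-0002", 17));
        System.out.println("unknown key, delete 17: " + deleteWidget(sm, "no-such-key", 17));
        System.out.println("admin key, delete 17:   " + deleteWidget(sm, "k-admin-0001", 17));
        System.out.println("admin key, delete 17 again: " + deleteWidget(sm, "k-admin-0001", 17));
    }
}
```

Compile and run with shiro-core (1.x) and slf4j on the classpath. The point of checking `widget:delete:<id>` instead of `hasRole("admin")` is that the role list can grow (Scott's "moderator", for instance) by editing the role-to-permission table alone; the handler code never has to enumerate role names. Whatever the UI does with `<shiro:hasRole>`, this server-side check is the one that actually stops a crafted DELETE request.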

Scott Wilson

Apr 20, 2012, 1:40:52 PM
to widge...@googlegroups.com

On 10 Apr 2012, at 14:42, Lucas Anastasiou wrote:

> Hello all,
>
> I started implementing security roles using apache shiro.
> This includes a many-to-many relation of users to roles (a user can
> hold multiple roles), inserting some test roles to start with (admin,
> tester, moderator, guest), and, as a test, an extra 'delete widget'
> link that appears only for admins.
>
> So implementing access control is (would be) performed using:
>
> import org.apache.shiro.SecurityUtils;
> import org.apache.shiro.subject.Subject;
>
> Subject currentUser = SecurityUtils.getSubject();
> // role name must match the one stored for the user ("admin", as in the test data and the JSP tag below)
> if (currentUser.hasRole("admin")) {
>     // execute the privileged action
> } else {
>     // show message: you are not privileged to do this
> }
>
>
> or by using the jsp tag
>
> <shiro:hasRole name="admin">
> <!-- privileged content goes here -->
> </shiro:hasRole>
>
> What do you think?
> What roles shall we include in there? What kind of operations shall be
> secured in this way?

Still catching up after the holidays here :)

This is a great start Lucas. So far I haven't really thought of roles beyond "user" and "admin", though having "moderator" sounds useful for spreading the burden of some of the day-to-day community management tasks on a live site - this is something we have to support for ITEC.
