object based security (owner)

classic Classic list List threaded Threaded
14 messages Options
Reply | Threaded
Open this post in threaded view
|

object based security (owner)

kcolassi
Hi Folks,

I want to create a web site data model whereby... whatever a user creates... they own.

And when they come back to the website to operate again... they will see only what they own.

Its not as much as page based security as it is object based security... as in model object.

Are there annotations available or mechanisms within tapestry-security to perform this in one hit so I can just put it at the top of my class (an annotation) or page and operate only on what the owner created ?

Thanks
     
Best regards and thanks
Ken
Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

Jens Breitenstein
Hi Ken!

this sounds more like a "persistence" question, to be honest. How do you
store / persist the user data?


Jens


Am 15.03.14 06:44, schrieb Ken in Nashua:

> Hi Folks,
>
> I want to create a web site data model whereby... whatever a user creates... they own.
>
> And when they come back to the website to operate again... they will see only what they own.
>
> Its not as much as page based security as it is object based security... as in model object.
>
> Are there annotations available or mechanisms within tapestry-security to perform this in one hit so I can just put it at the top of my class (an annotation) or page and operate only on what the owner created ?
>
> Thanks
>    


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

bhorvat
I could be missing something, but isn't this a database question? how to
model your tables and relationships between them?

I dont see this as being tapestry related question to be honest


On Sat, Mar 15, 2014 at 10:41 AM, Jens Breitenstein <[hidden email]>wrote:

> Hi Ken!
>
> this sounds more like a "persistence" question, to be honest. How do you
> store / persist the user data?
>
>
> Jens
>
>
> Am 15.03.14 06:44, schrieb Ken in Nashua:
>
>> Hi Folks,
>>
>> I want to create a web site data model whereby... whatever a user
>> creates... they own.
>>
>> And when they come back to the website to operate again... they will see
>> only what they own.
>>
>> Its not as much as page based security as it is object based security...
>> as in model object.
>>
>> Are there annotations available or mechanisms within tapestry-security to
>> perform this in one hit so I can just put it at the top of my class (an
>> annotation) or page and operate only on what the owner created ?
>>
>> Thanks
>>
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>


--
Sincerely
*Boris Horvat*
Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

Lance Java
Boris, you're not missing anything. 10% of what Ken posts to the tapestry
mailing list is related to tapestry... The other 90% is off topic :)
Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

JumpStart
In reply to this post by bhorvat
In my world this distinction is often referred to as "data rights" vs.
"function rights".

Function rights can indeed be handled by restricting access to pages and
components with annotations and sometimes a bit of conditional logic in the
template. It's up to you whether you check function rights in the business
tier too.

Data rights however are tricky. You have to check every request and be very
careful what's in every response, particularly list responses. However, in
my experience the range of checks needed to determine whether a user has
the data rights for a given request is usually very small. Eg. you get the
user from the session and decide:

- Does the thing being requested belong to them?
- Or more usually, are they in the department that owns what's being
requested?
- Can the user update things in their department or only read them?

In the web tier you could create a Tapestry service, say DataRightsChecker,
inject it when it's needed, and have a method for each of the likely
checks. In most web requests you'll probably find that you need to call
only one or two methods and you're done. The service can return a really
nasty error if it fails - there's no need to be nice because the user
should not be in that situation unless they've hacked the URL. Ensure that
normal site behaviour never takes them into a situation where they lack the
function or data rights.

Again, it's up to you whether you check data rights in the business tier
too. It's also up to you whether you go the whole hog and set up data
rights in the database itself.


On 15 March 2014 21:36, Boris Horvat <[hidden email]> wrote:

> I could be missing something, but isn't this a database question? how to
> model your tables and relationships between them?
>
> I dont see this as being tapestry related question to be honest
>
>
> On Sat, Mar 15, 2014 at 10:41 AM, Jens Breitenstein <[hidden email]
> >wrote:
>
> > Hi Ken!
> >
> > this sounds more like a "persistence" question, to be honest. How do you
> > store / persist the user data?
> >
> >
> > Jens
> >
> >
> > Am 15.03.14 06:44, schrieb Ken in Nashua:
> >
> >> Hi Folks,
> >>
> >> I want to create a web site data model whereby... whatever a user
> >> creates... they own.
> >>
> >> And when they come back to the website to operate again... they will see
> >> only what they own.
> >>
> >> Its not as much as page based security as it is object based security...
> >> as in model object.
> >>
> >> Are there annotations available or mechanisms within tapestry-security
> to
> >> perform this in one hit so I can just put it at the top of my class (an
> >> annotation) or page and operate only on what the owner created ?
> >>
> >> Thanks
> >>
> >>
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [hidden email]
> > For additional commands, e-mail: [hidden email]
> >
> >
>
>
> --
> Sincerely
> *Boris Horvat*
>
Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

Kalle Korhonen-2
There's also http://tynamo.org/tapestry-security-jpa+guide that has
annotations and works at the entity level - it's JPA only at the moment.

Kalle


On Sat, Mar 15, 2014 at 5:22 AM, Geoff Callender <
[hidden email]> wrote:

> In my world this distinction is often referred to as "data rights" vs.
> "function rights".
>
> Function rights can indeed be handled by restricting access to pages and
> components with annotations and sometimes a bit of conditional logic in the
> template. It's up to you whether you check function rights in the business
> tier too.
>
> Data rights however are tricky. You have to check every request and be very
> careful what's in every response, particularly list responses. However, in
> my experience the range of checks needed to determine whether a user has
> the data rights for a given request is usually very small. Eg. you get the
> user from the session and decide:
>
> - Does the thing being requested belong to them?
> - Or more usually, are they in the department that owns what's being
> requested?
> - Can the user update things in their department or only read them?
>
> In the web tier you could create a Tapestry service, say DataRightsChecker,
> inject it when it's needed, and have a method for each of the likely
> checks. In most web requests you'll probably find that you need to call
> only one or two methods and you're done. The service can return a really
> nasty error if it fails - there's no need to be nice because the user
> should not be in that situation unless they've hacked the URL. Ensure that
> normal site behaviour never takes them into a situation where they lack the
> function or data rights.
>
> Again, it's up to you whether you check data rights in the business tier
> too. It's also up to you whether you go the whole hog and set up data
> rights in the database itself.
>
>
> On 15 March 2014 21:36, Boris Horvat <[hidden email]> wrote:
>
> > I could be missing something, but isn't this a database question? how to
> > model your tables and relationships between them?
> >
> > I dont see this as being tapestry related question to be honest
> >
> >
> > On Sat, Mar 15, 2014 at 10:41 AM, Jens Breitenstein <
> [hidden email]
> > >wrote:
> >
> > > Hi Ken!
> > >
> > > this sounds more like a "persistence" question, to be honest. How do
> you
> > > store / persist the user data?
> > >
> > >
> > > Jens
> > >
> > >
> > > Am 15.03.14 06:44, schrieb Ken in Nashua:
> > >
> > >> Hi Folks,
> > >>
> > >> I want to create a web site data model whereby... whatever a user
> > >> creates... they own.
> > >>
> > >> And when they come back to the website to operate again... they will
> see
> > >> only what they own.
> > >>
> > >> Its not as much as page based security as it is object based
> security...
> > >> as in model object.
> > >>
> > >> Are there annotations available or mechanisms within tapestry-security
> > to
> > >> perform this in one hit so I can just put it at the top of my class
> (an
> > >> annotation) or page and operate only on what the owner created ?
> > >>
> > >> Thanks
> > >>
> > >>
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [hidden email]
> > > For additional commands, e-mail: [hidden email]
> > >
> > >
> >
> >
> > --
> > Sincerely
> > *Boris Horvat*
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

JumpStart
In reply to this post by JumpStart
Oops, I said "The service can return a really nasty error if it fails - there's no need to be nice because the user should not be in that situation unless they've hacked the URL." What I should have said is that if the user does not even have read rights to the requested item then the service can return nothing, acting as if the requested item does not exist.

On 15/03/2014, at 11:22 PM, Geoff Callender wrote:

> In my world this distinction is often referred to as "data rights" vs. "function rights".
>
> Function rights can indeed be handled by restricting access to pages and components with annotations and sometimes a bit of conditional logic in the template. It's up to you whether you check function rights in the business tier too.
>
> Data rights however are tricky. You have to check every request and be very careful what's in every response, particularly list responses. However, in my experience the range of checks needed to determine whether a user has the data rights for a given request is usually very small. Eg. you get the user from the session and decide:
>
> - Does the thing being requested belong to them?
> - Or more usually, are they in the department that owns what's being requested?
> - Can the user update things in their department or only read them?
>
> In the web tier you could create a Tapestry service, say DataRightsChecker, inject it when it's needed, and have a method for each of the likely checks. In most web requests you'll probably find that you need to call only one or two methods and you're done. The service can return a really nasty error if it fails - there's no need to be nice because the user should not be in that situation unless they've hacked the URL. Ensure that normal site behaviour never takes them into a situation where they lack the function or data rights.
>
> Again, it's up to you whether you check data rights in the business tier too. It's also up to you whether you go the whole hog and set up data rights in the database itself.
>
>
> On 15 March 2014 21:36, Boris Horvat <[hidden email]> wrote:
> I could be missing something, but isn't this a database question? how to
> model your tables and relationships between them?
>
> I dont see this as being tapestry related question to be honest
>
>
> On Sat, Mar 15, 2014 at 10:41 AM, Jens Breitenstein <[hidden email]>wrote:
>
> > Hi Ken!
> >
> > this sounds more like a "persistence" question, to be honest. How do you
> > store / persist the user data?
> >
> >
> > Jens
> >
> >
> > Am 15.03.14 06:44, schrieb Ken in Nashua:
> >
> >> Hi Folks,
> >>
> >> I want to create a web site data model whereby... whatever a user
> >> creates... they own.
> >>
> >> And when they come back to the website to operate again... they will see
> >> only what they own.
> >>
> >> Its not as much as page based security as it is object based security...
> >> as in model object.
> >>
> >> Are there annotations available or mechanisms within tapestry-security to
> >> perform this in one hit so I can just put it at the top of my class (an
> >> annotation) or page and operate only on what the owner created ?
> >>
> >> Thanks
> >>
> >>
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [hidden email]
> > For additional commands, e-mail: [hidden email]
> >
> >
>
>
> --
> Sincerely
> *Boris Horvat*
>

Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

JumpStart
In reply to this post by Kalle Korhonen-2
Very nice.

On 16/03/2014, at 3:00 AM, Kalle Korhonen wrote:

> There's also http://tynamo.org/tapestry-security-jpa+guide that has
> annotations and works at the entity level - it's JPA only at the moment.
>
> Kalle
>


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: object based security (owner)

kcolassi
In reply to this post by kcolassi
Thanks Kalle, thats the answer I was seeking.

Which persistence Service wold in order to ORM o MySQL ?

Does that JPA construct do it itself somehow like javabeans or can I use the existing hibernate persistence service that comes with your suite ?

Thanks for the solution, appreciate that.
Ken
     
Best regards and thanks
Ken
Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

Dmitriy Vsekhvalnov
is tapestry-security-jpa provides filtering data support? E.g. when i
execute .list() operation with query can it apply filter based on owner or
other rule?
like Hibernate filters?


On Tue, Mar 18, 2014 at 5:08 PM, Ken in Nashua <[hidden email]> wrote:

> Thanks Kalle, thats the answer I was seeking.
>
> Which persistence Service wold in order to ORM o MySQL ?
>
> Does that JPA construct do it itself somehow like javabeans or can I use
> the existing hibernate persistence service that comes with your suite ?
>
> Thanks for the solution, appreciate that.
> Ken
>
Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

Kalle Korhonen-2
In reply to this post by kcolassi
On Tue, Mar 18, 2014 at 6:08 AM, Ken in Nashua <[hidden email]> wrote:

> Thanks Kalle, thats the answer I was seeking.
> Which persistence Service wold in order to ORM o MySQL ?
> Does that JPA construct do it itself somehow like javabeans or can I use
> the existing hibernate persistence service that comes with your suite ?
>
>
I've explained this in the guide, but it works with JPA only and is a
facade for EntityManager.

Kalle
Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

Kalle Korhonen-2
In reply to this post by Dmitriy Vsekhvalnov
On Tue, Mar 18, 2014 at 7:43 AM, Dmitriy Vsekhvalnov <[hidden email]
> wrote:

> is tapestry-security-jpa provides filtering data support? E.g. when i
> execute .list() operation with query can it apply filter based on owner or
> other rule?
> like Hibernate filters?
>

No, this is meant strictly for securing data instances based on their
association with the currently executing subject. There's no concept for
filtering and there's no need to explicitly apply a filter based on owner.

Kalle



> On Tue, Mar 18, 2014 at 5:08 PM, Ken in Nashua <[hidden email]> wrote:
>
> > Thanks Kalle, thats the answer I was seeking.
> >
> > Which persistence Service wold in order to ORM o MySQL ?
> >
> > Does that JPA construct do it itself somehow like javabeans or can I use
> > the existing hibernate persistence service that comes with your suite ?
> >
> > Thanks for the solution, appreciate that.
> > Ken
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

Dmitriy Vsekhvalnov
Kalle, do you mean it works only for traversing object graph? (sorry i
probably have to check myself before asking stupid questions).


On Tue, Mar 18, 2014 at 8:31 PM, Kalle Korhonen
<[hidden email]>wrote:

> On Tue, Mar 18, 2014 at 7:43 AM, Dmitriy Vsekhvalnov <
> [hidden email]
> > wrote:
>
> > is tapestry-security-jpa provides filtering data support? E.g. when i
> > execute .list() operation with query can it apply filter based on owner
> or
> > other rule?
> > like Hibernate filters?
> >
>
> No, this is meant strictly for securing data instances based on their
> association with the currently executing subject. There's no concept for
> filtering and there's no need to explicitly apply a filter based on owner.
>
> Kalle
>
>
>
> > On Tue, Mar 18, 2014 at 5:08 PM, Ken in Nashua <[hidden email]>
> wrote:
> >
> > > Thanks Kalle, thats the answer I was seeking.
> > >
> > > Which persistence Service wold in order to ORM o MySQL ?
> > >
> > > Does that JPA construct do it itself somehow like javabeans or can I
> use
> > > the existing hibernate persistence service that comes with your suite ?
> > >
> > > Thanks for the solution, appreciate that.
> > > Ken
> > >
> >
>
Reply | Threaded
Open this post in threaded view
|

Re: object based security (owner)

Kalle Korhonen-2
On Tue, Mar 18, 2014 at 10:02 AM, Dmitriy Vsekhvalnov <
[hidden email]> wrote:

> Kalle, do you mean it works only for traversing object graph? (sorry i
> probably have to check myself before asking stupid questions).
>


Yes. It checks that a security principal of the currently executing subject
matches with the id of the configured association (e.g. "owner") of the
entity that's being operated on.

Kalle



> On Tue, Mar 18, 2014 at 8:31 PM, Kalle Korhonen
> <[hidden email]>wrote:
>
> > On Tue, Mar 18, 2014 at 7:43 AM, Dmitriy Vsekhvalnov <
> > [hidden email]
> > > wrote:
> >
> > > is tapestry-security-jpa provides filtering data support? E.g. when i
> > > execute .list() operation with query can it apply filter based on owner
> > or
> > > other rule?
> > > like Hibernate filters?
> > >
> >
> > No, this is meant strictly for securing data instances based on their
> > association with the currently executing subject. There's no concept for
> > filtering and there's no need to explicitly apply a filter based on
> owner.
> >
> > Kalle
> >
> >
> >
> > > On Tue, Mar 18, 2014 at 5:08 PM, Ken in Nashua <[hidden email]>
> > wrote:
> > >
> > > > Thanks Kalle, thats the answer I was seeking.
> > > >
> > > > Which persistence Service wold in order to ORM o MySQL ?
> > > >
> > > > Does that JPA construct do it itself somehow like javabeans or can I
> > use
> > > > the existing hibernate persistence service that comes with your
> suite ?
> > > >
> > > > Thanks for the solution, appreciate that.
> > > > Ken
> > > >
> > >
> >
>