Hi Chris

> Hi all, I am new to the Acegi Security framework and I wonder how you
> handle instance-level permission (the doc illustrates role-based and
> owner-owned based permission) when someone has a permission on a
> specific instance.

As I know the SF archives are a bit unreliable, I'll include below an answer I gave last week on something similar:

> > Question 2:
> >
> > How can I implement "dynamic" security? For example, to allow access
> > to the owner of an object (owner is dynamic).
>
> Any object should be able to enforce its own internal security by using
> ContextHolder.getContext().getAuthentication(). A preferable (more
> decoupled) approach would be to have an ObjectOwnerDao that includes a
> public Principal getOwnerOf(Object object) method. You then write an
> AccessDecisionVoter that detects any object passed as an argument to the
> secure method invocation. It would use ObjectOwnerDao to find out which
> principal owns the object. It would then compare that owning principal
> with the current calling principal and throw an exception or proceed as
> appropriate. There are several other ways of doing a similar thing (eg
> just look up the owner from the object directly [you'd have to ensure
> the caller couldn't just change the principal on the object, perhaps by
> making the property immutable], have a different AccessDecisionVoter
> for each class etc).

> Also, is there any plan to support SSO without using CAS? I believe in
> a simple case when one has multiple webapps under the same domain, a
> cookie-based SSO could be easily implemented; using CAS in this case is
> a bit overkill, I believe.

I considered writing a home-grown SSO solution, but in reality SSO is an area in which there can be many obscure security risks and requirements (kiosk machines, browser caching, proxy tickets, user confirmation before auto login etc). CAS has been developed since 2001 and as such has both the project maturity and community to address these: http://www.yale.edu/tp/cas/HISTORY.server. As CAS is just another WAR file, it is very easy to deploy and customise with your own L&F etc. I really can't envisage being able to write a "simpler" SSO WAR with similar capabilities.
The only disadvantage of CAS is that it requires HTTPS on the CAS server, although there are good reasons for this in terms of secure ticket validation and user login. You're more than welcome to develop your own SSO solution, and Acegi Security can easily support it, but I can't see any real reason not to use the excellent and proven CAS project.

Best regards
Ben

_______________________________________________
Acegisecurity-developer mailing list
https://lists.sourceforge.net/lists/listinfo/acegisecurity-developer
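The ObjectOwnerDao-backed AccessDecisionVoter described in the quoted answer, written out as an added example. This is not code from the thread or from the Acegi project: the package names follow the `net.sf.acegisecurity` layout of the 2004-era releases and are an assumption to check against your version, `ObjectOwnerDao` is the hypothetical interface the mail proposes, and the `OWNER_ONLY` attribute name is invented for the example.

```java
// Added example: not code from this mailing-list thread or from the Acegi
// project. Package names follow the net.sf.acegisecurity layout of the
// 2004-era releases and are an assumption; ObjectOwnerDao is the hypothetical
// interface proposed in the mail, and "OWNER_ONLY" is an invented attribute.
import java.security.Principal;
import java.util.Iterator;

import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.UserDetails;
import net.sf.acegisecurity.vote.AccessDecisionVoter;

import org.aopalliance.intercept.MethodInvocation;

/** Hypothetical DAO from the mail: answers "which principal owns this object?" */
interface ObjectOwnerDao {
    /** Returns the owner, or null if the object is not an owned domain object. */
    Principal getOwnerOf(Object object);
}

/**
 * Votes on method invocations whose security attribute is OWNER_ONLY.
 * Grants access only when every owned argument of the invocation belongs
 * to the calling principal; abstains on invocations without the attribute
 * so that role-based voters in the same AccessDecisionManager still apply.
 */
public class OwnerVoter implements AccessDecisionVoter {

    private static final String OWNER_ONLY = "OWNER_ONLY";
    private final ObjectOwnerDao ownerDao;

    public OwnerVoter(ObjectOwnerDao ownerDao) {
        this.ownerDao = ownerDao;
    }

    public boolean supports(ConfigAttribute attribute) {
        return OWNER_ONLY.equals(attribute.getAttribute());
    }

    public boolean supports(Class clazz) {
        return MethodInvocation.class.isAssignableFrom(clazz);
    }

    public int vote(Authentication authentication, Object secureObject,
                    ConfigAttributeDefinition config) {
        if (!hasOwnerOnlyAttribute(config) || !(secureObject instanceof MethodInvocation)) {
            return ACCESS_ABSTAIN;
        }
        String caller = callerName(authentication);
        Object[] args = ((MethodInvocation) secureObject).getArguments();
        int ownedArgs = 0;
        for (int i = 0; i < args.length; i++) {
            Principal owner = ownerDao.getOwnerOf(args[i]);
            if (owner == null) {
                continue; // not an owned domain object (e.g. a primitive id or a flag)
            }
            ownedArgs++;
            if (!owner.getName().equals(caller)) {
                return ACCESS_DENIED; // one object owned by someone else is enough to refuse
            }
        }
        // OWNER_ONLY was requested but nothing ownable was passed: deny rather
        // than silently grant, so a misconfigured method fails closed.
        return ownedArgs > 0 ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    private boolean hasOwnerOnlyAttribute(ConfigAttributeDefinition config) {
        for (Iterator it = config.getConfigAttributes(); it.hasNext();) {
            if (supports((ConfigAttribute) it.next())) {
                return true;
            }
        }
        return false;
    }

    /** Username of the caller, whether the principal is a UserDetails or a plain String. */
    private static String callerName(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return String.valueOf(principal);
    }
}
```

Wire the voter into the AccessDecisionManager next to the usual RoleVoter and mark the protected method with `OWNER_ONLY` in the method definition source. Note that AffirmativeBased grants as soon as any voter grants, so a role grant would override an owner denial; when the two kinds of check must both hold, use UnanimousBased, which requires every non-abstaining voter to grant. Because ownership is looked up through the DAO rather than read from a setter-exposed property on the object, the caller cannot reassign the owner to itself before the invocation, which is the pitfall the mail warns about.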