[ http://jira.andromda.org/browse/SPRING-97?page=comments#action_12041 ]
Kiran Keshav commented on SPRING-97:
------------------------------------
Hello Peter,
Correct me if I am wrong, but the way it stands now with modelling actors is:
1) If you want to use role-based voting, you must draw a dependency from actor
ROLE_USER and actor ROLE_ADMIN (the current AndroMDA Acegi implementation does
not support ignoring of the prefix ROLE) to each of the services in the model.
2) If you would like to use 'Access Control Lists' (ACLs), you would then have
to specify another actor and draw dependencies from this actor to each of the
methods of interest. When using access control lists, you will not want to use
role-based voting, so you will actually have to go back to the actors ROLE_USER
and ROLE_ADMIN and add a dependency to each method individually so you can
avoid having:
foo.bar.fooBarService.updateFooBar=ROLE_USER, ROLE_ADMIN, ACL_FOOBAR_EDIT
What you actually want is:
foo.bar.fooBarService.updateFooBar=ACL_FOOBAR_EDIT
3) Similarly, for all other methods you would like to specify ACL constraints
on, you would have to define actors and draw dependencies to each of them.
4) Again, I could be wrong, but from what I can tell the ACL voters to process
these processConfigAttribute[s] are not generated so you would have to manually
define one for each of these actors. Along with this you would have to make
sure the property "processDomainObjectClass" (the target domain object you are
trying to get authorization on) is set to the correct domain object.
Is there an alternative?
Kind Regards,
Kiran
> Create methods in the serviceSecurityInterceptor from objects with a
> "Service" stereotype and add a tagged value for the processConfigAttribute
> -----------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: SPRING-97
> URL: http://jira.andromda.org/browse/SPRING-97
> Project: Spring Cartridge
> Type: New Feature
> Versions: 3.1RC1
> Reporter: Kiran Keshav
> Assignee: Peter Friese
> Attachments: SpringMetafacadeModel.xml.zip, patch.txt
>
> Add functionality to create all methods in the serviceSecurityInterceptor
> based on methods in a service (objects modelled with a "Service" stereotype).
> Add a tagged value to set the processConfigAttribute on each of these
> methods (ie. ACL_FOOBAR_EDIT). This tagged value will be part of the
> WebServiceOperation stereotype.
> eg.
> <bean id="serviceSecurityInterceptor"
> class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
> <property name="authenticationManager"><ref
> bean="authenticationManager"/></property>
> <property name="accessDecisionManager"><ref
> local="businessAccessDecisionManager"/></property>
> <property name="afterInvocationManager"><ref
> local="afterInvocationManager"/></property>
> <property name="objectDefinitionSource">
> <value>
> foo.bar.FooBarService.getAllFooBars=user, admin
> foo.bar.FooBarService.updateFooBar=ACL_FOOBAR_EDIT
> foo.bar.FooBarService.removeFooBar=ACL_FOOBAR_DELETE
> </value>
> </property>
> </bean>
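
A small lint for the objectDefinitionSource mappings discussed in this thread, as an added example that is not part of the original messages or of the AndroMDA/Acegi code: it flags methods that mix role and ACL attributes (the case the comment wants to avoid) and attributes that no voter would process. The function names, the sample input and the set of ACL attributes assumed to have a voter defined are constructed for illustration; the role voter is assumed to accept only the ROLE_ prefix, as the comment states.

```python
ROLE_PREFIX = "ROLE_"  # prefix the comment says the role voter does not ignore


def parse_mappings(text):
    """Parse 'fully.qualified.method=ATTR1, ATTR2' lines into a dict."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        method, attrs = line.split("=", 1)
        mappings[method.strip()] = [a.strip() for a in attrs.split(",") if a.strip()]
    return mappings


def lint(mappings, acl_voter_attributes):
    """Return (method, kind, attributes) findings.

    acl_voter_attributes: processConfigAttribute values for which an ACL
    voter has actually been defined (assumption: supplied by the caller).
    """
    findings = []
    for method, attrs in sorted(mappings.items()):
        roles = [a for a in attrs if a.startswith(ROLE_PREFIX)]
        acls = [a for a in attrs if a in acl_voter_attributes]
        unsupported = [a for a in attrs if a not in roles and a not in acls]
        if roles and acls:
            # Role and ACL attributes on the same method: the combination
            # the comment says you have to model around.
            findings.append((method, "MIXED", roles + acls))
        if unsupported:
            # Neither a ROLE_-prefixed attribute nor one with an ACL voter.
            findings.append((method, "UNSUPPORTED", unsupported))
    return findings


# Constructed sample, combining the mappings quoted in the thread.
SAMPLE = """
foo.bar.FooBarService.getAllFooBars=user, admin
foo.bar.FooBarService.updateFooBar=ROLE_USER, ROLE_ADMIN, ACL_FOOBAR_EDIT
foo.bar.FooBarService.removeFooBar=ACL_FOOBAR_DELETE
"""

if __name__ == "__main__":
    # Only ACL_FOOBAR_EDIT is assumed to have a manually defined voter.
    for finding in lint(parse_mappings(SAMPLE), {"ACL_FOOBAR_EDIT"}):
        print(finding)
```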