Okay, I follow.  It does break encapsulation if you check for the existence of a session variable ... it doesn't break encapsulation if you pass the session.userObject to the method so that it is working with a userObject.  This would obviously require your anonymous account, which actually makes a lot of sense in that you can give rights to an unknown user.

Thanks
-- Jeff


From: "Roland Collins" <[EMAIL PROTECTED]>
Sent: Tuesday, March 08, 2005 12:50 PM
To: [email protected]
Subject: RE: [CFCDev] OO Security?


The user token is just a unique identifier in our system.  Under the covers, it corresponds to a user’s unique id in our database structure, but the end-user never needs to know that.  The identifier is actually returned from a call to “AuthenticationManager.loginUser(username, userPassword)” and then just passed around the system.  We could completely change what the user token is and what it corresponds to without ever touching our components just by changing the AuthenticationManager component.


Every user on our system has a session, even anonymous users, so checking for a session does not work on our system.  We have an actual “Anonymous” account to which a user gets assigned to before he logs in.  This allows us to grant rights to anonymous users, which is very helpful in a truly dynamic environment.  Not to mention, it breaks encapsulation if the AuthenticationManager needs to know that there is even such a thing as a session.


Roland



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GroupOne Dev.
Sent: Tuesday, March 08, 2005 1:27 PM
To: [email protected]
Subject: RE: [CFCDev] OO Security?


This is along the lines of what I was saying.  However, it goes one step further by refactoring and pulling that common functionality out of each object and putting it in a central place which is always a good thing.

One question - what is the user token?  Could the authentication manager not check for a user's session?  If the session variable does not exist, they are not logged in.  If the session variable does exist, but they don't have the right 'right', then an exception is thrown.  Or, does this token do something else?

Thanks
-- Jeff


From: "Roland Collins" <[EMAIL PROTECTED]>
Sent: Tuesday, March 08, 2005 11:49 AM
To: [email protected]
Subject: RE: [CFCDev] OO Security?

All of our objects require a user token to be passed in and they then perform their own access checks using our Authentication manager component.  The authentication manager throws an “AuthenticationException” if the user does not have the appropriate level of access, and this gets logged, kicked to our error handler, or whatever else we need to do. It winds up looking like this (in broken code, anyway).

<cfcomponent name="SomeObject">

    <cffunction name="getAccountBalance" returntype="numeric">
        <cfargument name="userToken" required="true">
        <cfargument name="accountNumber" required="true">

        <cfset var accountBalance = 0>

        <!--- Throws AuthenticationException if the token lacks the required right --->
        <cfinvoke component="AuthenticationManager" method="checkUserAccess">
            <cfinvokeargument name="userToken" value="#arguments.userToken#">
            <cfinvokeargument name="requiredRight" value="NameOfRequiredRight">
        </cfinvoke>

        <!--- do the processing here --->

        <cfreturn accountBalance>
    </cffunction>

</cfcomponent>

HTH,

Roland
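A Python rendering of the pattern Roland describes, added here as an example and not code from the thread: loginUser returns an opaque token, every visitor sits on the "Anonymous" account until they log in, checkUserAccess throws AuthenticationException, and the business component checks access before doing any work. Method names are snake_case versions of the CFC names; the accounts, rights, credentials and balances are constructed sample data.

```python
import hashlib
import hmac
import secrets

class AuthenticationException(Exception):
    """Raised when the token does not carry the right a method requires."""

class AuthenticationManager:
    ANONYMOUS = "Anonymous"  # every visitor is on this account until they log in

    def __init__(self):
        # Constructed sample data standing in for the users and rights tables.
        self._rights = {"Anonymous": {"viewPublicPages"},
                        "alice": {"viewPublicPages", "viewAccountBalance"}}
        salt = secrets.token_bytes(16)
        self._credentials = {"alice": (salt, self._hash("correct horse", salt))}
        self._tokens = {}  # token -> account id; callers only ever hold the token

    def anonymous_token(self):
        return self._issue(self.ANONYMOUS)

    def login_user(self, username, password):
        salt, expected = self._credentials.get(username, (bytes(16), b""))
        # Hash even for unknown users and compare in constant time.
        if not expected or not hmac.compare_digest(self._hash(password, salt), expected):
            raise AuthenticationException("invalid username or password")
        return self._issue(username)

    def check_user_access(self, user_token, required_right):
        account = self._tokens.get(user_token)
        if account is None or required_right not in self._rights[account]:
            raise AuthenticationException(f"token lacks right {required_right!r}")

    def _issue(self, account):
        token = secrets.token_urlsafe(16)  # opaque: reveals nothing about the account
        self._tokens[token] = account
        return token

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SomeObject:
    def __init__(self, auth):
        self._auth = auth

    def get_account_balance(self, user_token, account_number):
        # Same shape as the CFC above: check access first, then do the work.
        self._auth.check_user_access(user_token, "viewAccountBalance")
        return {"ACC-1": 1234.56}.get(account_number, 0.0)  # constructed balances
```

Swapping the token for a different identifier scheme only touches AuthenticationManager, which is the encapsulation point the thread is after.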

