One way or another, each service, screen, etc. should be responsible for its own security (so that no matter how it is used, the security doesn't get skipped or left out).

We are moving more towards de-coupling security to make it more modular and easier to re-use, but still having it right in an implementation is an okay (though not ideal) approach.

-David


On Feb 16, 2007, at 1:30 PM, Anil Patel wrote:

David,
This came to mind when I was working on the
ShoppingCartEvents::ShoppingCartEvents method.
This method has security check code in it. At first glance I didn't like it.

Is it OK to have security check code compiled into a class? I am not
sure if there are more instances of a similar thing.

I will appreciate comments on it from you.

Anil Patel







On 2/15/07, David E. Jones <[EMAIL PROTECTED]> wrote:


The best thing to do is use an actual event for this, which may mean
chaining to another request for security check pass/fail.

Generally though there isn't page routing for security checks, but
rather a change in a view and/or event that shows a message or
whatever. In other words, the security checks in services and screens
are the main touch points.

Is there a more specific case where this has come up?

-David


On Feb 15, 2007, at 2:02 PM, Anil Patel wrote:

> Hi,
> The OFBiz services security model allows us to intercept a call to a service
> before the actual service is executed. Along similar lines, do we have a
> way to intercept a web request for a security check before the event or
> view is rendered? Something like:
>
>    <request-map uri="orderentry">
>        <security https="true" auth="true"/>
>        <permission-service service-name="orderEntryGenericPermission"
>            action="Create" error-view="PermissionErrorScreen"/>
>        <event type="java" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
>            invoke="routeOrderEntry"/>
>        <response name="init" type="view" value="checkinits"/>
>        <response name="agreements" type="view" value="orderagreements"/>
>        <response name="cart" type="view" value="showcart"/>
>        <response name="error" type="view" value="checkinits"/>
>    </request-map>
>
> Thanks and Regards
> Anil Patel



