Re: ROP security

Thu, 16 May 2013 17:47:04 -0700 

On 17/05/13 1:01am, John Huss wrote:

Here's some code we started on to do this kind of thing.  It never made it
to production, but it was close.  This just defines some methods that can
be overridden to implement security based on your specific requirements.

https://www.dropbox.com/s/g247uxpalps5xse/AuthHessianService.java


Thanks that very interesting.




One thing I have found cumbersome is inspecting SelectQuery objects to
figure out what they are - because SelectQuery.getRoot() returns plain
Object you have to screw around to figure out what it really is.  Also
inspecting the qualifier is a little difficult, but generally that's not a
great idea anyway - better to just add things to the qualifier even if it
results in duplicate clauses.



In my case I also want to prevent users from deleting objects they should not 
be able to. So I can deal with that with a mixture of validation rules in the 
entities themselves and preventing SQLtemplate from being able to be used from 
the client.


Ari





John

On Wed, May 15, 2013 at 6:49 PM, Aristedes Maniatis <a...@ish.com.au> wrote:


We have a ROP Cayenne application we'd like to lock down a bit more
tightly. In particular, in a situation where we don't trust the client
application hasn't been hacked, we'd like to restrict certain activity from
the client. I'm thinking of:

1. preventing SQLTemplate/EJBQL queries completely
2. adding entity listeners to catch certain write behaviour (we can't do a
lot about reading data since that's easy to do at the controller level, on
the client, but pretty hard to construct rules at the model level on the
server)
3. creating 'partial' object entities which are missing some attributes.
Sort of hollow, but only hollow on some attributes.


Has anyone attempted anything similar to the above? (2) should be easy
enough, but not sure about the other requirements.


Cheers
Ari




--
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A





--
-------------------------->
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A

Reply via email to