Basically, yes. The resource that we are protecting is called a
"KnowledgeBase". Each KnowledgeBase is owned by a particular user.
The owner has the ability to share that KB with any other user - giving
them read, write, or admin permissions. So this information is all
stored in a relational database. Something like this (this is just to
convey the idea... I'd have to go look at our code and schema to make
sure it's fully functional):
KB[name, owner]
    kb1, jared
    kb2, alex
KBDelegations[kbName, rights, delegate]
    kb1, read, alex
    kb2, admin, jared
So the doGetAuthorizationInfo in our realm will do SQL queries against
these tables, and build up the permission list dynamically (pardon the
pseudocode):
for kbName in (SELECT name FROM KB WHERE owner = userName)
    addPermission("knowledgebase:" + kbName + ":delete")
    addPermission("knowledgebase:" + kbName + ":query")
    addPermission("knowledgebase:" + kbName + ":ingest")
    addPermission("knowledgebase:" + kbName + ":configure")
for kbName, rights in (SELECT kbName, rights FROM KBDelegations WHERE delegate = userName)
    if ("admin".equals(rights))
        addPermission("knowledgebase:" + kbName + ":delete")
        addPermission("knowledgebase:" + kbName + ":query")
        addPermission("knowledgebase:" + kbName + ":ingest")
        addPermission("knowledgebase:" + kbName + ":configure")
    else if ("read".equals(rights))
        addPermission("knowledgebase:" + kbName + ":query")
    else if ("write".equals(rights))
        addPermission("knowledgebase:" + kbName + ":query")
        addPermission("knowledgebase:" + kbName + ":ingest")
Obviously, we use caching so that every permission query isn't hitting
the database, but this is the general gist of it. We have a domain
model (knowledgebases, owners, delegates) and we map it to permissions
that certain functionality in our codebase requires (there's actually a
good number more permissions that get added, but I think this conveys
the idea).
-Jared
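The mapping Jared sketches above, worked through as a runnable Python stand-in (added here as an illustration; it is not Jared's code and not part of Shiro). It assumes the two tables exactly as shown in the mail, seeds them with the constructed kb1/kb2 rows, and derives the "knowledgebase:<kb>:<action>" strings for a user the way the realm's doGetAuthorizationInfo would. Two details a practitioner will care about are made explicit: the queries are parameterised rather than string-built, and the rights-to-actions table is a single lookup, so an unrecognised rights value grants nothing instead of silently falling through. The is_permitted helper is a simplified colon-delimited matcher in the spirit of Shiro's WildcardPermission, not a reimplementation of it.

```python
import sqlite3
from typing import Dict, FrozenSet, Set

# Rights vocabulary from the mail, mapped to the actions each grants.
# Owners get every action; an unknown rights value grants nothing.
ALL_ACTIONS: FrozenSet[str] = frozenset({"delete", "query", "ingest", "configure"})
RIGHTS_TO_ACTIONS: Dict[str, FrozenSet[str]] = {
    "admin": ALL_ACTIONS,
    "write": frozenset({"query", "ingest"}),
    "read": frozenset({"query"}),
}

# Schema as described in the mail (assumed column types).
SCHEMA = """
CREATE TABLE KB (name TEXT PRIMARY KEY, owner TEXT NOT NULL);
CREATE TABLE KBDelegations (
    kbName   TEXT NOT NULL REFERENCES KB(name),
    rights   TEXT NOT NULL,
    delegate TEXT NOT NULL,
    PRIMARY KEY (kbName, delegate)
);
"""

# Constructed sample rows matching the tables in the mail.
SAMPLE_ROWS = {
    "KB": [("kb1", "jared"), ("kb2", "alex")],
    "KBDelegations": [("kb1", "read", "alex"), ("kb2", "admin", "jared")],
}


def open_sample_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO KB VALUES (?, ?)", SAMPLE_ROWS["KB"])
    conn.executemany("INSERT INTO KBDelegations VALUES (?, ?, ?)",
                     SAMPLE_ROWS["KBDelegations"])
    return conn


def permission(kb_name: str, action: str) -> str:
    return f"knowledgebase:{kb_name}:{action}"


def permissions_for(conn: sqlite3.Connection, user_name: str) -> Set[str]:
    """Equivalent of the realm's doGetAuthorizationInfo: derive the
    permission strings for one user from the domain tables."""
    perms: Set[str] = set()
    # Owned KBs: full control. Parameterised query, never string-built SQL.
    for (kb_name,) in conn.execute("SELECT name FROM KB WHERE owner = ?",
                                   (user_name,)):
        perms.update(permission(kb_name, a) for a in ALL_ACTIONS)
    # Delegated KBs: the granted actions depend on the rights column.
    for kb_name, rights in conn.execute(
        "SELECT kbName, rights FROM KBDelegations WHERE delegate = ?",
        (user_name,),
    ):
        for action in RIGHTS_TO_ACTIONS.get(rights, frozenset()):
            perms.add(permission(kb_name, action))
    return perms


def is_permitted(perms: Set[str], required: str) -> bool:
    """Simplified colon-delimited match: every part of a held permission
    must equal the required part or be '*'."""
    req = required.split(":")
    for held in perms:
        parts = held.split(":")
        if len(parts) == len(req) and all(h == "*" or h == r
                                          for h, r in zip(parts, req)):
            return True
    return False


if __name__ == "__main__":
    conn = open_sample_db()
    for user in ("jared", "alex", "nobody"):
        print(user, sorted(permissions_for(conn, user)))
```

With the sample rows, jared ends up with all four actions on kb1 (owner) and kb2 (admin delegate), while alex gets all four on kb2 and only query on kb1; a user with no rows, or a delegation row carrying an unknown rights value, gets an empty set. Caching the result per user, as the mail says the real realm does, sits naturally in front of permissions_for.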
On Wed 21 Nov 2012 01:50:42 AM CST, Alex opn wrote:
> Jared, what do you mean by "generated from our domain model"? Do you
> mean that you don't have the permissions saved in the database and
> instead generate them at login / startup? I have to decide soon which
> way to go for my application and so I'm interested in the possible
> approaches.