Take a look at the Acegi Security project. It provides *extremely*
powerful declarative security capabilities, upto and including filtering
database query results to exclude things the current user shouldn't be
able to see. It might be exactly what you're looking for.
L.
Raghu Kanchustambham wrote:
Hi,
I could successfully place my authentication scheme in place using the
article at
http://www.jroller.com/comments/tomdz?anchor=using_jaas_with_struts_a
I also could place "resource" level authorization in place. However the
definition of resource is the "traditional" action mapping. However I have a
requirement which goes beyond that. I have a centre based roles. Let us say
my application could be used by administrators at three centres. The trick
is that all of them can view the set of "resources"... but in a particular
JSP they are authorized to use only certain values for some of the fields.
For example, a Hyderabad administrator can view reports pertaining to
Hyderabad only and should not be allowed to see reports of Bangalore centre.
Which let us say in UI terms would translate to a dropdown of cities .. for
the Bangalore administrator... he probably can see the dropdown populate
with Bangalore... the Hyderabad admin sees it populated only with Hyderabad
and a HeadOffice admin sees all the cities in the cities dropdown.
What is the best way to achieve this?
One approach is to create a separate role for each centre user. For
example... have a role called Bangalore_Admin and Hyderabad_Admin etc. But
obvious drawback is that this approach won't scale well with the increase in
the number of centres.
The other approach I was thinking is writing code myself. Introduce a
column for centre in the user table. From the
request.getUserPrincipal().getName()
funcion I determine the user... hit the database to determine the centre and
then filter the cities based on the city and the role.
I don't like this approach because I have lost the advantages of a
declarative style of defining security permissions. Also, now my
authorization code would be mixed allover and would be difficult to change
the authorization policies on a later date.
The third approach is similar to the second one. Instead of defining a
centre at the user level, I could do it at the user_role mapping level.
User1 is the administrator of Hyderabad centre. He could be a regular user
for another centre (say Bangalore). Slightly better than second approach but
suffers from similar problems.
Is there a way that my getUserPrincipal() can be made to give me this extra
piece of information about the centre? That would make my code look lot
cleaner. I dont have to hit back the database just to find the centre.
Please comment.
Thanks much.
Regards,
Raghu
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
