Hi Nathan,

I think the idea is really good, it is what I was trying to have as standard in a web app; I'll look at the tutorial and let you know.

Thanks a lot
Francesco

Nathan Anderson <[EMAIL PROTECTED]> wrote:

Hi Francesco,

I agree that ACL is a bit heavy for most apps. That's why I came up with an idea of an OwnerVoter--where access is granted if the user is the "owner" of an object. I also have another voter that compares a method value of the authenticated user to a method value of the object. This has many potential uses, but it was created to allow access if the object is owned by someone in the same "group" as the authenticated user.

I haven't applied this to an AppFuse 2.x application yet, but I did make a tutorial for how to do it in AppFuse 1.8. Take a look at this tutorial and see if you can apply the same concepts.

http://raibledesigns.com/wiki/Wiki.jsp?page=AppFuseSecurityMethods2

The tutorial is written as a step-by-step. So you will need to figure out the why's and how's to really make it make sense. Feel free to ask if you have specific questions after looking at the tutorial.

Nathan

----- Original Message -----
From: "frantuma"
To: [email protected]
Sent: Thursday, April 26, 2007 8:48:56 AM (GMT-0800) America/Los_Angeles
Subject: [appfuse-user] Sort of Acegi domain object security

Hi,

I have some troubles understanding how the following scenario is to be handled in appfuse: I believe the scenario is a typical need of a web app, and I was wondering what is the best way to handle it.

Let's say that (from Acegi reference..):

Imagine you're designing an application for a pet clinic. There will be two main groups of users of your Spring-based application: staff of the pet clinic, as well as the pet clinic's customers. The staff will have access to all of the data, whilst your customers will only be able to see their own customer records.

Which is the best way to achieve globally the above goal, specifically: your customers will only be able to see their own customer records.

Using the appfuse Person tutorial as an example, I need that a call to PersonAction.list() populates its persons list only with the persons related to the currently logged in user, and to allow editing of a given person only to the user "owning" this person (a person would have a user field, meaning that a user has a list of Persons; persons could actually be the list of contacts of the user).

In the appfuse tutorial personList.jsp creates links to editPerson.html passing person.id as parameter. PersonAction.edit() simply loads the property corresponding to the id, with acegi configuration taking care of authorization making sure the logged in user has ADMIN or USER roles.

But it seems to me that if someone logs in as userA and then sends a GET to editPerson.html with any personId, there is no mechanism implemented which checks that the person.id is "owned" by userA and thus can be edited by him. Without this mechanism userA can get access to all persons and generally to data of all other users.

To avoid this - and to have personList display all persons if the user is ADMIN and only persons belonging to the user if the user has only role USER - I think I understand that ACEGI suggests either writing custom code to enforce security by checking every time SecurityContextHolder.getContext().getAuthentication().getPrincipal(), or using ACL mechanisms.

Is there any suggested best way to achieve the above? or do I miss something...

Thanks
Francesco

--
View this message in context: http://www.nabble.com/Sort-of-Acegi-domain-object-security-tf3652387s2369.html#a10202904
Sent from the AppFuse - User mailing list archive at Nabble.com.
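
Added example (not part of the thread, and not AppFuse or Acegi code): the per-object ownership check discussed above, written as plain Java 16+ with no framework. The User, Person, list and loadForEdit names and the sample data are hypothetical; in the application the caller would come from SecurityContextHolder.getContext().getAuthentication().getPrincipal().

```java
import java.util.List;
import java.util.Set;

// Added example: all names below are hypothetical, not AppFuse or Acegi classes.
public class OwnerCheckDemo {
    record User(String username, Set<String> roles) {
        boolean isAdmin() { return roles.contains("ADMIN"); }
    }
    record Person(long id, String ownerUsername, String name) {}

    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    // Constructed sample data standing in for the persons table.
    static final List<Person> PERSONS = List.of(
        new Person(1, "userA", "Alice's contact"),
        new Person(2, "userB", "Bob's contact"));

    // ADMIN sees everything; a plain USER sees only the rows it owns.
    static List<Person> list(User caller) {
        return PERSONS.stream()
            .filter(p -> caller.isAdmin() || p.ownerUsername().equals(caller.username()))
            .toList();
    }

    // Load by id, then authorize against the loaded object before returning it.
    static Person loadForEdit(User caller, long personId) {
        Person p = PERSONS.stream().filter(x -> x.id() == personId).findFirst()
            .orElseThrow(() -> new AccessDenied("no access to person " + personId));
        if (!caller.isAdmin() && !p.ownerUsername().equals(caller.username())) {
            // Same error as "not found", so ids cannot be probed for existence.
            throw new AccessDenied("no access to person " + personId);
        }
        return p;
    }

    public static void main(String[] args) {
        User userA = new User("userA", Set.of("USER"));
        User admin = new User("root", Set.of("ADMIN", "USER"));
        System.out.println("userA lists " + list(userA).size() + " person(s)");
        System.out.println("admin lists " + list(admin).size() + " person(s)");
        System.out.println("userA edits: " + loadForEdit(userA, 1).name());
        try {
            loadForEdit(userA, 2); // userA requests a record owned by userB
        } catch (AccessDenied e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The role check alone would let userA through in both calls; the decision has to be made against the loaded object, which is what an owner voter does inside the framework.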
