cayenne-user mailing list archives

From Andrus Adamchik <and...@objectstyle.org>
Subject Re: security
Date Wed, 31 Jan 2007 15:05:14 GMT
Hi Carl,

To be honest, a few ROP projects that I've done used all-or-nothing
security (if you are authenticated, you can do anything). Still, I've
also been thinking about a more fine-grained approach. My solution
would be to set up a custom 'org.apache.cayenne.DataChannel'
decorator, adding custom security checks to the 'onQuery()' and
'onSync()' methods. In the simplest case, you can have the following
security levels:

1. Restricted: only NamedQuery requests are honored, 'onSync' is denied.
2. Read-only: onQuery() allows all but SQLTemplate queries, 'onSync'  
is denied.
3. Full
4. Custom - check custom rules.

Also, I haven't yet explored the use of the new 3.0 callbacks as a
security mechanism; there are probably some opportunities there:

http://cayenne.apache.org/preview/CAYDOC/lifecycle-callbacks.html

Andrus


On Jan 31, 2007, at 4:23 PM, Carl Mosca wrote:

> I am wondering about security (user, query, role level).  What approaches
> have been taken by those using ROP for some time?
>
> TIA,
> -- 
> Carl J. Mosca

