cayenne-user mailing list archives

From Aristedes Maniatis <...@maniatis.org>
Subject Re: ROP security
Date Fri, 17 May 2013 00:45:49 GMT
On 17/05/13 1:01am, John Huss wrote:
> Here's some code we started on to do this kind of thing.  It never made it
> to production, but it was close.  This just defines some methods that can
> be overridden to implement security based on your specific requirements.
>
> https://www.dropbox.com/s/g247uxpalps5xse/AuthHessianService.java

Thanks, that's very interesting.


>
> One thing I have found cumbersome is inspecting SelectQuery objects to
> figure out what they are - because SelectQuery.getRoot() returns plain
> Object you have to screw around to figure out what it really is.  Also
> inspecting the qualifier is a little difficult, but generally that's not a
> great idea anyway - better to just add things to the qualifier even if it
> results in duplicate clauses.


In my case I also want to prevent users from deleting objects they should not be able to.
So I can deal with that with a mixture of validation rules in the entities themselves and
preventing SQLTemplate from being able to be used from the client.


Ari



>
> John
>
> On Wed, May 15, 2013 at 6:49 PM, Aristedes Maniatis <ari@ish.com.au> wrote:
>
>> We have a ROP Cayenne application we'd like to lock down a bit more
>> tightly. In particular, in a situation where we don't trust the client
>> application hasn't been hacked, we'd like to restrict certain activity from
>> the client. I'm thinking of:
>>
>> 1. preventing SQLTemplate/EJBQL queries completely
>> 2. adding entity listeners to catch certain write behaviour (we can't do a
>> lot about reading data since that's easy to do at the controller level, on
>> the client, but pretty hard to construct rules at the model level on the
>> server)
>> 3. creating 'partial' object entities which are missing some attributes.
>> Sort of hollow, but only hollow on some attributes.
>>
>>
>> Has anyone attempted anything similar to the above? (2) should be easy
>> enough, but not sure about the other requirements.
>>
>>
>> Cheers
>> Ari
>>
>>
>>
>>
>> --
>> -------------------------->
>> Aristedes Maniatis
>> ish
>> http://www.ish.com.au
>> Level 1, 30 Wilson Street Newtown 2042 Australia
>> phone +61 2 9550 5001   fax +61 2 9550 4001
>> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
>>
>

-- 
-------------------------->
Aristedes Maniatis
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
