cayenne-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Huss <johnth...@gmail.com>
Subject Re: ROP security
Date Thu, 16 May 2013 15:01:06 GMT
Here's some code we started on to do this kind of thing.  It never made it
to production, but it was close.  This just defines some methods that can
be overridden to implement security based on your specific requirements.

https://www.dropbox.com/s/g247uxpalps5xse/AuthHessianService.java

One thing I have found cumbersome is inspecting SelectQuery objects to
figure out what they are - because SelectQuery.getRoot() returns plain
Object you have to screw around to figure out what it really is.  Also
inspecting the qualifier is a little difficult, but generally that's not a
great idea anyway - better to just add things to the qualifier even if it
results in duplicate clauses.

John

On Wed, May 15, 2013 at 6:49 PM, Aristedes Maniatis <ari@ish.com.au> wrote:

> We have a ROP Cayenne application we'd like to lock down a bit more
> tightly. In particular, in a situation where we don't trust the client
> application hasn't been hacked, we'd like to restrict certain activity from
> the client. I'm thinking of:
>
> 1. preventing SQLTemplate/EJBQL queries completely
> 2. adding entity listeners to catch certain write behaviour (we can't do a
> lot about reading data since that's easy to do at the controller level, on
> the client, but pretty hard to construct rules at the model level on the
> server)
> 3. creating 'partial' object entities which are missing some attributes.
> Sort of hollow, but only hollow on some attributes.
>
>
> Has anyone attempted anything similar to the above? (2) should be easy
> enough, but not sure about the other requirements.
>
>
> Cheers
> Ari
>
>
>
>
> --
> -------------------------->
> Aristedes Maniatis
> ish
> http://www.ish.com.au
> Level 1, 30 Wilson Street Newtown 2042 Australia
> phone +61 2 9550 5001   fax +61 2 9550 4001
> GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message