directory-dev mailing list archives

From Richard Wallace <rwall...@thewallacepack.net>
Subject [authx] Help with complicated authorization
Date Fri, 17 Jun 2005 18:05:28 GMT
Hello everybody,

I'm working on pushing our web development from PHP to Java at work.  
For the moment I've pretty much decided on using JSF/Spring/Hibernate at 
our presentation/business logic/persistence layers, though I think 
they're separated well enough that changing out one part of it shouldn't 
impact any of the others (except in the glue code).

Anyways, I'm trying to figure out how to do authorization.  
Authentication is pretty simple I think, but the authorization is pretty 
complex.  Instead of a user having or not having permission to access a 
page (container webapp security) or having or not having permissions to 
run certain actions (JAAS), we need finer grained permissions based on 
objects and the user's relationship to the object.

What we have is basically a project and task management tool for our 
organization.  Each project has roles that users with those same roles 
have.  So, for instance, one "slot" a project has is "project 
managers."  There is also a "project managers" role in the company.  So 
when a project is created a user with the "project manager" role is 
assigned to the project's "project manager" slot.  That's simple enough.  
Where it gets trickier is that each project has associated with it one 
or more tasks.  The task should inherit the users assigned to it from 
the parent project unless specifically overridden in the action.  For 
instance, a project may have a customer service rep assigned to it, but 
for a particular task a different csr might handle it and would need 
permission to view/update the task.

I'm wondering how I might implement this with AuthX.  Do I simply create 
custom permissions classes, like ProjectPermission and TaskPermission?  
Then, when implementing the implies() method what do I do?  Is that 
where I would do these checks to see if the user has the required 
ability to do the desired operation?

I think I'm a little lost because of all the Groovy stuff.  Does anyone 
have an example app that I can work from that doesn't have Groovy?

Thanks,
Rich
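As an added illustration (not part of the original post and not AuthX's API), here is a plain-Java sketch of the check the post describes: a task's effective slots are the parent project's slots with any overridden slot replaced as a whole, and an implies()-style method answers whether the requesting user occupies a slot that is allowed to perform the requested action. The class names, the slot-to-action table and the Java 16+ record are assumptions for the example.

```java
import java.util.*;
// Role slots are plain strings, matching the "slots" the post describes; a slot maps to the users filling it.
final class Project {
    final String id;
    final Map<String, Set<String>> slots = new HashMap<>();
    Project(String id) { this.id = id; }
    Project assign(String slot, String... users) { slots.put(slot, new HashSet<>(List.of(users))); return this; }
}
final class Task {
    final String id;
    final Project project;
    final Map<String, Set<String>> overrides = new HashMap<>(); // slots whose inherited users are replaced
    Task(String id, Project project) { this.id = id; this.project = project; }
    Task override(String slot, String... users) { overrides.put(slot, new HashSet<>(List.of(users))); return this; }
    // Effective assignees: the parent project's slots, with each overridden slot replaced as a whole,
    // so a later change to the project's slot is not seen by a task that overrode it.
    Map<String, Set<String>> effectiveSlots() {
        Map<String, Set<String>> merged = new HashMap<>(project.slots);
        merged.putAll(overrides);
        return merged;
    }
}
// The requested permission: "perform <action> on task <taskId>" (Java 16+ record, assumed name).
record TaskPermission(String taskId, String action) {}
public class AuthzDemo {
    // Assumed action table per slot; an unknown slot grants nothing, so the check fails closed.
    static final Map<String, Set<String>> ACTIONS_BY_SLOT = Map.of(
        "project manager", Set.of("view", "update", "close"),
        "customer service rep", Set.of("view", "update"));
    // implies(): true only if the user occupies a slot on that very task (after inheritance and
    // overrides) whose action table contains the requested action.
    static boolean implies(String user, TaskPermission requested, Task task) {
        if (!task.id.equals(requested.taskId())) return false;
        for (Map.Entry<String, Set<String>> slot : task.effectiveSlots().entrySet()) {
            boolean occupies = slot.getValue().contains(user);
            boolean allowed = ACTIONS_BY_SLOT.getOrDefault(slot.getKey(), Set.of()).contains(requested.action());
            if (occupies && allowed) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        // Constructed sample data: alice is the PM, bob the CSR on the project; task-2 swaps in carol as CSR.
        Project p = new Project("proj-1").assign("project manager", "alice").assign("customer service rep", "bob");
        Task t1 = new Task("task-1", p);                                           // inherits both slots
        Task t2 = new Task("task-2", p).override("customer service rep", "carol"); // carol replaces bob here
        System.out.println(implies("bob", new TaskPermission("task-1", "update"), t1));
        System.out.println(implies("bob", new TaskPermission("task-2", "update"), t2));
        System.out.println(implies("carol", new TaskPermission("task-2", "update"), t2));
        System.out.println(implies("alice", new TaskPermission("task-2", "close"), t2));
    }
}
```

The four checks exercise inheritance (bob on task-1), the override removing the inherited CSR (bob on task-2), the override holder (carol on task-2) and a slot the override did not touch (alice on task-2).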
