shale-issues mailing list archives

From "Cyril Bouteille (JIRA)" <j...@apache.org>
Subject [jira] Commented: (SHALE-149) [Shale] Support for fine grained security on navigation
Date Fri, 25 Aug 2006 00:00:31 GMT
    [ http://issues.apache.org/struts/browse/SHALE-149?page=comments#action_38014 ] 
            
Cyril Bouteille commented on SHALE-149:
---------------------------------------

I'd like to see the following features:
1) a declarative way to extend navigation rules with authorization requirements
2) an infrastructure to automatically forward requests to secured pages to a custom login
page, while keeping context of the original request, so we can forward back to it after the
authentication/authorization is completed on submit from the login page

> [Shale] Support for fine grained security on navigation
> -------------------------------------------------------
>
>                 Key: SHALE-149
>                 URL: http://issues.apache.org/struts/browse/SHALE-149
>             Project: Shale
>          Issue Type: Improvement
>         Environment: Operating System: other
> Platform: Other
>            Reporter: Craig McClanahan
>            Priority: Minor
>
> Conversations on the Struts user mailing list today highlight the potential for
> a Shale value add with regards to authorization.  It was noted that container
> managed security can protect the incoming form submits, but does not protect
> navigation to an arbitrary page (because constraints are only applied on the
> initial submit, not on RequestDispatcher.forward() calls used to implement the
> navigation).  It would be interesting for Shale to offer a customized navigation
> handler that would allow limitation of navigation to specified view identifiers
> based on request.isUserInRole().
> As a further generalization, it would be useful to present this capability as a
> general purpose plugin architecture, where the application could provide any
> sort of fine grained access control it wanted ("only managers can navigate to
> the salary details page, and only for their own employees").  A built in plugin
> that supported container managed security could be a "reference implementation"
> of this feature.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/struts/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
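
The role check on forwarded navigation that the quoted issue description proposes, written as an added example (not part of the original message and not Shale's own code): a JSF `NavigationHandler` decorator that lets the default handler pick the target view, then checks that view identifier against `isUserInRole()` before it is rendered. The class name, the rule table and the `/accessDenied.jsp` view are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.faces.application.NavigationHandler;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;

// Hypothetical decorator: names, rules and the denied view are assumptions.
public class RoleCheckingNavigationHandler extends NavigationHandler {

    private static final String DENIED_VIEW = "/accessDenied.jsp"; // hypothetical view id

    private final NavigationHandler delegate;
    // View-id prefix -> role required to navigate there (constructed sample rules).
    private final Map<String, String> requiredRoles = new LinkedHashMap<String, String>();

    // JSF passes the previously configured handler to this constructor.
    public RoleCheckingNavigationHandler(NavigationHandler delegate) {
        this.delegate = delegate;
        requiredRoles.put("/admin/", "admin");
        requiredRoles.put("/hr/salary", "manager");
    }

    public void handleNavigation(FacesContext context, String fromAction, String outcome) {
        // Let the standard rules choose the target; this only swaps the view root.
        delegate.handleNavigation(context, fromAction, outcome);
        if (context.getResponseComplete()) {
            return; // a redirect was sent; the new request hits container constraints
        }
        UIViewRoot target = context.getViewRoot();
        if (target != null && isPermitted(context, target.getViewId())) {
            return;
        }
        // Fail closed: replace the chosen view before the render phase runs.
        UIViewRoot denied = context.getApplication().getViewHandler()
                .createView(context, DENIED_VIEW);
        context.setViewRoot(denied);
    }

    // True only if the caller holds every role whose prefix matches the view id.
    boolean isPermitted(FacesContext context, String viewId) {
        if (viewId == null) {
            return false; // unknown target: deny rather than guess
        }
        for (Map.Entry<String, String> rule : requiredRoles.entrySet()) {
            if (viewId.startsWith(rule.getKey())
                    && !context.getExternalContext().isUserInRole(rule.getValue())) {
                return false;
            }
        }
        return true;
    }
}
```

The handler is registered with a `<navigation-handler>` element inside `<application>` in `faces-config.xml`. Because the check runs on the view identifier selected during navigation, it covers the `RequestDispatcher.forward()` path that URL-based security constraints never see.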

        
