shiro-dev mailing list archives

From "claude.warren@wipro.com" <claude.war...@wipro.com>
Subject Hierarchical permissions and the hasAny check
Date Wed, 10 Jan 2018 12:33:16 GMT
I have a suggestion for improvement of permissions checking for permissions with a hierarchical
structure.


For purposes of this discussion I will use the WildcardPermission as an example but the discussion
applies to any hierarchically structured permission.


In some situations, when processing requests for hierarchically structured data with matching
permissions, it would speed up processing to know if there are any permissions further down
the tree.


Assume a tree structure with large subtrees on nodes A and B off the root.


If the code is producing a list of all leaf nodes the Subject can read, it would speed up processing
significantly if the application code could check to see if the user has any access to any
node in A.


Currently the WildcardPermission implementation of implies() returns the following:


{noformat}
Subj       Checked
Perm       Perm      Result
----------------------------
root       root      true
root       root:*    true
root       root:a    true
root       root:a:*  true
root       root:b    true
root       root:b:*  true

root:*     root      true
root:*     root:*    true
root:*     root:a    true
root:*     root:a:*  true
root:*     root:b    true
root:*     root:b:*  true

root:a     root      false
root:a     root:*    false
root:a     root:a    true
root:a     root:a:*  true
root:a     root:b    false
root:a     root:b:*  false

root:a:*   root      false
root:a:*   root:*    false
root:a:*   root:a    true
root:a:*   root:a:*  true
root:a:*   root:b    false
root:a:*   root:b:*  false

root:b     root      false
root:b     root:*    false
root:b     root:a    false
root:b     root:a:*  false
root:b     root:b    true
root:b     root:b:*  true

root:b:*   root      false
root:b:*   root:*    false
root:b:*   root:a    false
root:b:*   root:a:*  false
root:b:*   root:b    true
root:b:*   root:b:*  true

{noformat}


There is no mechanism by which I can grant a permission to a subject and then ask if they
have access to anything below a specific point. As a concrete example, I want to be able
to check that the user with permissions "root:a" has access to something below "root".


There is no combination that I can discover where I can set this up.


I am proposing a couple of changes.

  1.  Introduce a HierarchicalPermissions interface to mark such permissions.
  2.  Create a method on Subject that takes a permission and determines if the user has any
permissions at that level or below.


Let's call that method "hasRestriction()" for the rest of this discussion. hasRestriction()
will return true if there are any explicit permissions noted at or below the level.


When subject.hasRestriction() is called, the above tables would have the following results:


{noformat}
Subj       Checked
Perm       Perm      Result
----------------------------
root       root      true
root       root:*    false
root       root:a    false
root       root:a:*  false
root       root:b    false
root       root:b:*  false

root:*     root      true
root:*     root:*    true
root:*     root:a    true
root:*     root:a:*  false
root:*     root:b    true
root:*     root:b:*  false

root:a     root      true
root:a     root:*    true
root:a     root:a    true
root:a     root:a:*  false
root:a     root:b    false
root:a     root:b:*  false

root:a:*   root      true
root:a:*   root:*    true
root:a:*   root:a    true
root:a:*   root:a:*  true
root:a:*   root:b    true
root:a:*   root:b:*  true

root:b     root      true
root:b     root:*    true
root:b     root:a    false
root:b     root:a:*  false
root:b     root:b    true
root:b     root:b:*  false

root:b:*   root      true
root:b:*   root:*    true
root:b:*   root:a    false
root:b:*   root:a:*  false
root:b:*   root:b    true
root:b:*   root:b:*  true
{noformat}


With this method available I can ask the following in the code:


{noformat}
if (subject.isPermitted( perm )) {
    if (subject.hasRestriction( perm )) {
        // code with deeper checking
    } else {
        // just get the data here as there are no further restrictions.
    }
} else {
    // no access
}
{noformat}
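As an added example (not Shiro's code, and not part of the original post), the following models implies() and the proposed hasRestriction() on plain colon-separated wildcard strings, following the one-sentence definition of hasRestriction() above (under which sibling subtrees such as root:a:* and root:b are unrelated), and uses the two checks from the snippet to prune a tree walk; the Subject class, the tree and the readable_leaves() helper are hypothetical stand-ins.

```python
# Added example (not Shiro code): a model of WildcardPermission.implies() and of the
# proposed hasRestriction(), used to prune a permission-gated tree walk.
# Permission strings use ':' between parts and '*' as the wildcard; the sub-part
# comma syntax of WildcardPermission is left out of the model.

def implies(granted, checked):
    """Mirror of implies(): granted covers checked when every checked part matches
    or is wildcarded, and any surplus granted parts are '*'."""
    g, c = granted.split(":"), checked.split(":")
    for i, cp in enumerate(c):
        if i >= len(g):
            return True                  # granted is an ancestor of checked
        if g[i] != "*" and g[i] != cp:
            return False
    return all(p == "*" for p in g[len(c):])

def has_restriction(granted, checked):
    """Proposed semantics: is granted stated at or below the level of checked?"""
    g, c = granted.split(":"), checked.split(":")
    if len(g) < len(c):
        return False                     # granted sits above the checked level
    return all(gp == cp or "*" in (gp, cp) for gp, cp in zip(g, c))

class Subject:
    """Hypothetical stand-in for a Shiro Subject holding a set of granted strings."""
    def __init__(self, perms):
        self.perms = set(perms)
    def is_permitted(self, perm):
        return any(implies(g, perm) for g in self.perms)
    def has_restriction(self, perm):
        return any(has_restriction(g, perm) for g in self.perms)

def all_leaves(node, tree):
    kids = tree.get(node, [])
    return [node] if not kids else [leaf for k in kids for leaf in all_leaves(k, tree)]

def readable_leaves(subject, node, tree, checks):
    """Leaves under node the subject may read; `checks` records each node consulted."""
    checks.append(node)
    if not subject.has_restriction(node):
        # No grant names anything at or below node, so its answer covers the whole subtree.
        return all_leaves(node, tree) if subject.is_permitted(node) else []
    kids = tree.get(node, [])
    if not kids:
        return [node] if subject.is_permitted(node) else []
    return [leaf for k in kids for leaf in readable_leaves(subject, k, tree, checks)]

# Constructed sample tree: node -> children.
TREE = {"root": ["root:a", "root:b"], "root:a": ["root:a:1", "root:a:2"],
        "root:a:1": ["root:a:1:x", "root:a:1:y"], "root:a:2": ["root:a:2:x"],
        "root:b": ["root:b:1", "root:b:2"], "root:b:1": ["root:b:1:x"]}
```

With a subject granted only "root:a", the walk consults five nodes and never descends into root:b or into the leaves under root:a:1 and root:a:2, because hasRestriction() is false there and isPermitted() at that node decides the whole subtree.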


Thoughts?


Claude
