Webapplications and ACL's. Best practice

Thomas Grabietz
07-25-2008
Hello All,
we're planning a web application with JSF and Hibernate. Now we're
looking for an appropriate framework to use ACLs in our application
which supports the JSP/Hibernate architecture. It must be able to
manage groups and CRUD rights. How are your experiences?

Kind regards
Tom

Wojtek
07-28-2008
Thomas Grabietz wrote:
> Hello All,
> we're planning a web application with JSF and Hibernate. Now we're looking
> for an appropriate framework to use ACLs in our application which supports
> the JSP/Hibernate architecture. It must be able to manage groups and
> CRUD rights. How are your experiences?
>
> Kind regards
> Tom


Every page (function) has a unique right. The rights are gathered into
roles specific to a single (and constrained) job. Users can have
multiple roles.

I.e.:
Role - Clerk
Role - Clerk Supervisor

These are two separate roles with no overlapping rights. So a clerk
supervisor would need to have both roles.


Every page hit compares the user's role set with the page's right. The
role sets are also compared to menu items, so a user only sees what
they have the rights to see. The user's role set is kept in the session
and is NEVER exposed outside of the application.

Thusly a user can hand type a URL, but if the page's right is not
within his/her role set, the request is bounced to the home page with
an error message.

Changes to a role (editing rights) and/or changes to a user's role set
are done dynamically by scanning all sessions and updating affected
user's role sets.

So a user can get TO an editing page, then find out they cannot commit
the changes because an admin modified the right/role.

All the roles and user role sets are persisted in a DB and encrypted,
so an enterprising DBA cannot simply give himself rights.

Note that this MUST be planned out BEFORE you code a single line. It
must be part of the fabric of the application.

And finally, there is a page which edits/creates new roles, available
only to the admin role.

--
Wojtek
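The scheme in this answer (one right per page, non-overlapping roles, a server-side role set per session, menu filtering, bouncing unauthorised URLs, and pushing admin edits into live sessions) as an added in-memory Java example. This is not code from the thread, from Wojtek, or from any JSF/Hibernate library; the class and method names (`Right`, `Role`, `UserSession`, `AccessControl`, `route`, `updateRole`) and the invoice-themed rights and users are constructed for illustration. Persistence and encryption of the role tables are left out.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not the poster's code: in-memory sketch of page rights,
// roles, per-session role sets and live propagation of admin changes.
public class RoleBasedAccess {

    /** One unique right per page or function (constructed sample rights). */
    enum Right { VIEW_INVOICE, EDIT_INVOICE, APPROVE_INVOICE, EDIT_ROLES }

    /** A menu entry guarded by the same right as the page it links to. */
    static final class MenuItem {
        final String label; final Right right;
        MenuItem(String label, Right right) { this.label = label; this.right = right; }
        @Override public String toString() { return label; }
    }

    /** A role is a named, editable set of rights; roles do not overlap by design. */
    static final class Role {
        final String name;
        private final EnumSet<Right> rights = EnumSet.noneOf(Right.class);
        Role(String name, Right... initial) { this.name = name; rights.addAll(Arrays.asList(initial)); }
        synchronized EnumSet<Right> rights() { return EnumSet.copyOf(rights); }
        synchronized void replaceRights(Collection<Right> newRights) { rights.clear(); rights.addAll(newRights); }
    }

    /** Server-side session state: role names plus the rights derived from them. Never sent to the client. */
    static final class UserSession {
        final String user;
        volatile Set<String> roleNames;
        volatile EnumSet<Right> effectiveRights = EnumSet.noneOf(Right.class);
        UserSession(String user, Set<String> roleNames) { this.user = user; this.roleNames = roleNames; }
    }

    /** Role store plus a registry of live sessions, so admin edits reach logged-in users at once. */
    static final class AccessControl {
        private final Map<String, Role> roles = new ConcurrentHashMap<>();
        private final Set<UserSession> sessions = ConcurrentHashMap.newKeySet();

        void defineRole(String name, Right... rights) { roles.put(name, new Role(name, rights)); }

        UserSession login(String user, String... roleNames) {
            UserSession s = new UserSession(user, new HashSet<>(Arrays.asList(roleNames)));
            recompute(s);
            sessions.add(s);
            return s;
        }

        void logout(UserSession s) { sessions.remove(s); }

        /** Page hit: is the page's right within the user's role set? */
        boolean isAllowed(UserSession s, Right pageRight) { return s.effectiveRights.contains(pageRight); }

        /** Route a hand-typed or linked URL: serve the page, or bounce to home with an error. */
        String route(UserSession s, String page, Right pageRight) {
            return isAllowed(s, pageRight) ? page : "/home?error=not-authorised-for-" + page;
        }

        /** Menu filtering: the user only sees entries their rights cover. */
        List<MenuItem> visibleMenu(UserSession s, List<MenuItem> menu) {
            List<MenuItem> out = new ArrayList<>();
            for (MenuItem m : menu) if (isAllowed(s, m.right)) out.add(m);
            return out;
        }

        /** Admin edits a role: scan all live sessions and refresh every one holding that role. */
        void updateRole(String roleName, Collection<Right> newRights) {
            Role r = roles.get(roleName);
            if (r == null) throw new NoSuchElementException(roleName);
            r.replaceRights(newRights);
            for (UserSession s : sessions) if (s.roleNames.contains(roleName)) recompute(s);
        }

        /** Admin changes a user's role set; only that user's live sessions are touched. */
        void assignRoles(String user, Set<String> roleNames) {
            for (UserSession s : sessions)
                if (s.user.equals(user)) { s.roleNames = new HashSet<>(roleNames); recompute(s); }
        }

        /** Effective rights = union of the rights of every role the session holds. */
        private void recompute(UserSession s) {
            EnumSet<Right> acc = EnumSet.noneOf(Right.class);
            for (String n : s.roleNames) { Role r = roles.get(n); if (r != null) acc.addAll(r.rights()); }
            s.effectiveRights = acc;
        }
    }

    public static void main(String[] args) {
        AccessControl ac = new AccessControl();
        ac.defineRole("Clerk", Right.VIEW_INVOICE, Right.EDIT_INVOICE);
        ac.defineRole("Clerk Supervisor", Right.APPROVE_INVOICE);   // no overlap with Clerk
        ac.defineRole("Admin", Right.EDIT_ROLES);                    // the only role that may edit roles
        List<MenuItem> menu = Arrays.asList(new MenuItem("Invoices", Right.VIEW_INVOICE),
            new MenuItem("Approve", Right.APPROVE_INVOICE), new MenuItem("Roles", Right.EDIT_ROLES));

        UserSession alice = ac.login("alice", "Clerk");
        UserSession bob = ac.login("bob", "Clerk", "Clerk Supervisor"); // a supervisor holds both roles
        System.out.println("alice sees " + ac.visibleMenu(alice, menu) + ", bob sees " + ac.visibleMenu(bob, menu));
        System.out.println("alice typing /approve -> " + ac.route(alice, "/approve", Right.APPROVE_INVOICE));

        // Alice reaches the edit page; then an admin strips EDIT_INVOICE from Clerk while she is on it.
        System.out.println("alice opening /edit -> " + ac.route(alice, "/edit", Right.EDIT_INVOICE));
        ac.updateRole("Clerk", EnumSet.of(Right.VIEW_INVOICE));
        System.out.println("alice may still commit? " + ac.isAllowed(alice, Right.EDIT_INVOICE));
    }
}
```

The check that matters is the one in `route`/`isAllowed`, evaluated on every request against server-side state; the menu filter is a usability layer, not the control. Because `effectiveRights` is recomputed from the role store rather than cached for the session's lifetime, the "reached the page but cannot commit" situation in the answer falls out naturally: the commit handler re-checks and refuses. If you do persist the role tables, note that encrypting them gives confidentiality, while stopping an in-place edit of a stored role set needs an integrity check (a MAC or signature over the rows) verified by the application on load.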


 