Project.net Security Discussion
Project.net Bluestone Bentley Systems
Feb 2, 2000

Project.net Security Requirements (priority order)
• Need access to HTTP request parameters at access check in UBS.
  • using SaGetNArg() now
  • needed to get our custom object Ids for ACL check.
• Need JSP page name (with path) at access check in UBS.
  • page name maps to permission type??
• Assign and check permissions on custom resources (object-level or DB table row-level).
  • Permissions such as read, modify, delete, create are typical.
• Beans for accessing SecurityManager functionality in JSP.
• Reference design for JSP pages to manage security.

Suggestions (priority order)
• Implement Servlet 2.2 HttpServletRequest Security methods
  • isUserInRole()
  • getUserPrincipal()
  • getRemoteUser()
• Permissions on resources. Extending or similar to:
  • java.security.Permission
  • java.security.PermissionCollection
  • java.security.Permissions
• Simplify the SaUser, IUser, com.bluestone.security.User, etc.
  • there are currently two object branches for “User”.
• Provide a way to get User/Principal from static call to SaApp or similar.
  • needs to be easy to get user context in custom classes without calling setUser() in all the beans.
• JSP reference design and beans to access SecurityManager classes.
• AuthenticationProvider Classes for LDAP, X.509

Use Case -- Access permission for Document
A document has a GUID
• User clicks on a document
  • URL string looks something like: viewDocument?id=1234
• Low-level UBS “check access” hook calls ServletSecurity class.
• Security classes do the access check given the following information:
  • Resource (Global unique objectId in project.net) = 1234
  • Action (permission type): viewDocument
  • User (principal)
  • Groups that user belongs to
  • Roles the user has
  • Permissions the user has on specified object (1234)
• If ACL exists for User w/ permission=viewDocument on resource=1234, then allow access.

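
The document access check from this use case, as an added Java example that is not Project.net or Bluestone code: it models the (resource, action) pair as a class extending java.security.Permission, as the Suggestions slide proposes, and denies by default. The names AclCheckExample, ObjectPermission, grant and checkAccess, the "user:", "group:" and "role:" key prefixes, and the sample grants are assumptions made for illustration.

```java
import java.security.Permission;
import java.security.Permissions;
import java.util.*;

public class AclCheckExample {
    /** Object-level permission: name = resource GUID, action = permission type (hypothetical class). */
    static final class ObjectPermission extends Permission {
        private final String action;
        ObjectPermission(String objectId, String action) { super(objectId); this.action = action; }
        @Override public boolean implies(Permission p) { return equals(p); } // exact match, no wildcards
        @Override public boolean equals(Object o) {
            return o instanceof ObjectPermission
                && ((ObjectPermission) o).getName().equals(getName())
                && ((ObjectPermission) o).action.equals(action);
        }
        @Override public int hashCode() { return Objects.hash(getName(), action); }
        @Override public String getActions() { return action; }
    }

    // ACL store keyed by grantee ("user:...", "group:...", "role:..."); holds constructed sample data.
    static final Map<String, Permissions> ACL = new HashMap<>();

    static void grant(String grantee, String objectId, String action) {
        ACL.computeIfAbsent(grantee, k -> new Permissions()).add(new ObjectPermission(objectId, action));
    }

    /** Default deny: allow only if the user, one of the groups or one of the roles holds a matching entry. */
    static boolean checkAccess(String user, Set<String> groups, Set<String> roles,
                               String objectId, String action) {
        if (objectId == null || action == null) return false; // request parameter missing
        Permission wanted = new ObjectPermission(objectId, action);
        List<String> grantees = new ArrayList<>();
        grantees.add("user:" + user);
        groups.forEach(g -> grantees.add("group:" + g));
        roles.forEach(r -> grantees.add("role:" + r));
        for (String g : grantees) {
            Permissions held = ACL.get(g);
            if (held != null && held.implies(wanted)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        grant("group:engineering", "1234", "viewDocument"); // constructed ACL entry
        // Request viewDocument?id=1234: the id is taken from the query string, so it is untrusted input.
        System.out.println(checkAccess("alice", Set.of("engineering"), Set.of(), "1234", "viewDocument"));
        System.out.println(checkAccess("alice", Set.of("engineering"), Set.of(), "1235", "viewDocument"));
        System.out.println(checkAccess("bob", Set.of(), Set.of("guest"), "1234", "viewDocument"));
    }
}
```

Only the first call matches an ACL entry; changing the id in the URL or calling as a user with no grant falls through to the default deny.
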
Use Case -- Setting access on document folder branch
A folder has a GUID
A document has a GUID
• user uses JSP page to set permissions on a folder in our application.
• user selects the roles, groups, or users for the folder access.
• user selects the permissions of read, modify for the folder access.
• user submits (HTTP Post of Form on JSP page)
• Access is set on the folder and recursively on all children (documents, folders, other objects) of the folder.

Use Case -- Form access
A form type has a GUID
A form instance has a GUID
Each field on the form has a GUID
• User requests view of form
• Check access on (user, form instance, “read”)
• For each field, check access for (user, form field, “modify”)
  • If user has no modify access, render that field as text, otherwise render as input field.