Web applications and ACLs. Best practice

Discussion in 'Java' started by Thomas Grabietz, Jul 25, 2008.

  1. Hello All,
    we're planning a web application with JSF and Hibernate. Now we're
    looking for an appropriate framework to use ACLs in our application
    which supports the JSP/Hibernate architecture. It must be able to
    manage groups and CRUD rights. What are your experiences?

    Kind regards
    Tom
    Thomas Grabietz, Jul 25, 2008
    #1

  2. Wojtek
    Guest

    Thomas Grabietz wrote:
    > Hello All,
    > we're planning a web application with JSF and Hibernate. Now we're looking
    > for an appropriate framework to use ACLs in our application which supports
    > the JSP/Hibernate architecture. It must be able to manage groups and
    > CRUD rights. What are your experiences?
    >
    > Kind regards
    > Tom


    Every page (function) has a unique right. The rights are gathered into
    roles specific to a single (and constrained) job. Users can have
    multiple roles.

    I.e.:
    Role - Clerk
    Role - Clerk Supervisor

    These are two separate roles with no overlapping rights. So a clerk
    supervisor would need to have both roles.


    Every page hit compares the user's role set with the page's right. The
    role sets are also compared to menu items, so a user only sees what
    they have the rights to see. The user's role set is kept in the session
    and is NEVER exposed outside of the application.

    Thusly a user can hand type a URL, but if the page's right is not
    within his/her role set, the request is bounced to the home page with
    an error message.

    Changes to a role (editing rights) and/or changes to a user's role set
    are done dynamically by scanning all sessions and updating affected
    user's role sets.

    So a user can get TO an editing page, then find out they cannot commit
    the changes because an admin modified the right/role.

    All the roles and user role sets are persisted in a DB and encrypted,
    so an enterprising DBA cannot simply give himself rights.

    Note that this MUST be planned out BEFORE you code a single line. It
    must be part of the fabric of the application.

    And finally, there is a page which edits/creates new roles, available
    only to the admin role.

    --
    Wojtek :)
    Wojtek, Jul 28, 2008
    #2
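The per-page check Wojtek describes (a right per page, rights grouped into roles, the user's role set held in the session, hand-typed URLs bounced to the home page, and role edits pushed into live sessions) as one servlet filter. This is an added example, not code from either poster: it uses only the standard `javax.servlet` API, and the page paths, right names and role names are constructed placeholders.

```java
import java.io.IOException;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.*;
import javax.servlet.http.*;

/** Page-level rights check in the style of the reply above. Right/role/page names are hypothetical. */
public final class RightsFilter implements Filter {

    /** Page path -> the single right that page requires (constructed sample values). */
    private static final Map<String, String> PAGE_RIGHTS = new HashMap<String, String>();
    /** Role name -> rights in that role. Mutable at runtime via the admin page. */
    private static final Map<String, Set<String>> ROLES = new ConcurrentHashMap<String, Set<String>>();
    /** Every live session, so a role edit can be applied to the users it affects. */
    private static final Set<HttpSession> SESSIONS =
            Collections.newSetFromMap(new ConcurrentHashMap<HttpSession, Boolean>());

    static final String ROLE_SET_ATTR = "user.roles";  // Set<String>: the user's roles
    static final String RIGHTS_ATTR = "user.rights";   // Set<String>: rights derived from them
    static final String HOME = "/home.jsf";

    static {
        PAGE_RIGHTS.put("/orders/view.jsf", "ORDER_READ");
        PAGE_RIGHTS.put("/orders/edit.jsf", "ORDER_UPDATE");
        PAGE_RIGHTS.put("/orders/approve.jsf", "ORDER_APPROVE");
        PAGE_RIGHTS.put("/admin/roles.jsf", "ROLE_ADMIN");
        // Clerk and Clerk Supervisor have no overlapping rights; a supervisor holds both roles.
        ROLES.put("Clerk", new HashSet<String>(Arrays.asList("ORDER_READ", "ORDER_CREATE", "ORDER_UPDATE")));
        ROLES.put("Clerk Supervisor", new HashSet<String>(Arrays.asList("ORDER_APPROVE", "ORDER_DELETE")));
        ROLES.put("Admin", new HashSet<String>(Collections.singletonList("ROLE_ADMIN")));
    }

    /** Flatten a role set into the rights it grants; unknown roles grant nothing. */
    static Set<String> rightsFor(Set<String> roleSet) {
        Set<String> rights = new HashSet<String>();
        for (String role : roleSet) {
            Set<String> r = ROLES.get(role);
            if (r != null) rights.addAll(r);
        }
        return rights;
    }

    /** Called at login: store the role set and its derived rights in the session only. */
    static void login(HttpSession session, Set<String> roleSet) {
        session.setAttribute(ROLE_SET_ATTR, new HashSet<String>(roleSet));
        session.setAttribute(RIGHTS_ATTR, rightsFor(roleSet));
    }

    /** Used when rendering menus: show only the pages the user may reach. */
    @SuppressWarnings("unchecked")
    static boolean canSee(HttpSession session, String path) {
        String required = PAGE_RIGHTS.get(path);
        if (required == null) return true;            // unprotected page
        if (session == null) return false;
        Set<String> rights = (Set<String>) session.getAttribute(RIGHTS_ATTR);
        return rights != null && rights.contains(required);
    }

    /** Called by the admin role-editing page: replace a role's rights and refresh affected sessions. */
    @SuppressWarnings("unchecked")
    static void roleChanged(String role, Set<String> newRights) {
        ROLES.put(role, new HashSet<String>(newRights));
        for (HttpSession s : SESSIONS) {
            Set<String> roles = (Set<String>) s.getAttribute(ROLE_SET_ATTR);
            if (roles != null && roles.contains(role)) {
                s.setAttribute(RIGHTS_ATTR, rightsFor(roles));   // takes effect on the next page hit
            }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        if (!canSee(session, request.getServletPath())) {
            // Hand-typed URL without the right: bounce to the home page with an error flag.
            response.sendRedirect(request.getContextPath() + HOME + "?error=forbidden");
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    /** Register in web.xml as a listener so SESSIONS tracks every live session. */
    public static final class Tracker implements HttpSessionListener {
        public void sessionCreated(HttpSessionEvent e) { SESSIONS.add(e.getSession()); }
        public void sessionDestroyed(HttpSessionEvent e) { SESSIONS.remove(e.getSession()); }
    }
}
```

Map the filter to `/*` in `web.xml` and register `RightsFilter$Tracker` as a listener. The rights are recomputed from the role set rather than stored on their own so that `roleChanged` can rebuild them; a user already sitting on an editing page keeps the rendered form but the commit request is rechecked and bounced, which is the behaviour the reply describes.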
