Controlling Access

Kevin

Let me preface this by saying I'm new to Java and I'm maintaining a program
someone else wrote.

In this system everyone has read access by default. I'm explicitly granting
permission to those who need modification rights. In this instance, that
means looking at every save/edit/update/delete button and wrapping it with
some code to check the user group in the LDAP database.

I only have five different groups right now, and the temptation is to write
a method that contains a bunch of else if statements to check every possible
combination of groups (i.e., if user 1 or user 2, do a, else if user 1 or
user 3 do b, etc.). There is absolutely nothing elegant about this method
and it just doesn't feel right.

Would you mind giving me a recommendation on a better way? I've seen
concepts like JAAS (I've done a little homework), but I'm looking for a
*recommendation* on a best practice, preferably one that doesn't take a week
to implement. Any help you could give would be appreciated.

-Kevin
 
Fred Kleinschmidt

Kevin said:
Let me preface this by saying I'm new to Java and I'm maintaining a program
someone else wrote.

In this system everyone has read access by default. I'm explicitly granting
permission to those who need modification rights. In this instance, that
means looking at every save/edit/update/delete button and wrapping it with
some code to check the user group in the LDAP database.

I only have five different groups right now, and the temptation is to write
a method that contains a bunch of else if statements to check every possible
combination of groups (i.e., if user 1 or user 2, do a, else if user 1 or
user 3 do b, etc.). There is absolutely nothing elegant about this method
and it just doesn't feel right.

Would you mind giving me a recommendation on a better way? I've seen
concepts like JAAS (I've done a little homework), but I'm looking for a
*recommendation* on a best practice, preferably one that doesn't take a week
to implement. Any help you could give would be appreciated.

-Kevin

Why not just check once when the user starts the program, then
just disable all "save/edit/update/delete" buttons if the user is
not allowed to do it?
 
Lew

Fred said:
Why not just check once when the user starts the program, then
just disable all "save/edit/update/delete" buttons if the user is
not allowed to do it?

Then you only need to wrap each such button in a boolean "isModifier" test.

More generally, if you have more than two roles (beyond just reader and
modifier), you translate login information ("JohnDoe", group "accounting") to
a role ( "accountant" ) upon login, then you test for the role in the screen,
not individual login or group names.

Still a little ugly, arguably, but much more manageable than the zillions of
groups or users. You can make it prettier if your roles are hierarchical; then
you just test against the minimum role for each control.

More complex authorization protocols are possible for applications that need
them. (Check out access control lists, for example.)

In the end, the complexity of the test is determined by the domain model.

- Lew
 
Chris Uppal

Kevin said:
Would you mind giving me a recommendation on a better way? I've seen
concepts like JAAS (I've done a little homework), but I'm looking for a
*recommendation* on a best practice, preferably one that doesn't take a week
to implement.

I have no recommendations, but a suggestion which may not have occurred to you
if you are new to Swing.

If your main problem is co-ordinating the access to operations with the visual
components which invoke those operations (i.e. your problem is not "how to
represent permissions" but how to make the GUI reflect the available options
/given/ the user's permissions); then you should be able to tie the buttons
(and menu items, etc) directly to the permissions by using the Action
framework.

-- chris
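
The two suggestions above (map LDAP groups to a hierarchical role once at login, then tie each control to a Swing Action) combined in one sketch; this is an added example, not code from any poster in the thread. The group names, the `Role` enum and the `GuardedAction` class are hypothetical, and the action re-checks the role when it fires so the disabled button is not the only control.

```java
import javax.swing.AbstractAction;
import java.awt.event.ActionEvent;
import java.util.Map;
import java.util.Set;

public class RoleGuardDemo {
    // Hypothetical hierarchical roles, lowest privilege first (declaration order = rank).
    enum Role {
        READER, EDITOR, ADMIN;
        boolean atLeast(Role min) { return compareTo(min) >= 0; }
    }

    // Hypothetical LDAP group -> role table; the group names are constructed.
    static final Map<String, Role> GROUP_ROLES = Map.of(
        "accounting", Role.EDITOR,
        "it-admins", Role.ADMIN);

    // Resolve once at login: highest role among the user's groups, READER by default.
    static Role resolve(Set<String> ldapGroups) {
        Role best = Role.READER;
        for (String g : ldapGroups) {
            Role r = GROUP_ROLES.get(g);
            if (r != null && r.atLeast(best)) best = r;
        }
        return best;
    }

    // An Action that enables itself from the role and checks again before running.
    static class GuardedAction extends AbstractAction {
        private final Role userRole, minRole;
        private final Runnable operation;
        GuardedAction(String name, Role userRole, Role minRole, Runnable operation) {
            super(name);
            this.userRole = userRole; this.minRole = minRole; this.operation = operation;
            setEnabled(userRole.atLeast(minRole)); // buttons and menu items bound to this follow it
        }
        @Override public void actionPerformed(ActionEvent e) {
            // The greyed-out widget is presentation only; enforce at the point of use too.
            if (!userRole.atLeast(minRole)) throw new SecurityException(getValue(NAME) + " denied");
            operation.run();
        }
    }

    public static void main(String[] args) {
        Role role = resolve(Set.of("accounting", "staff")); // constructed sample groups
        GuardedAction save = new GuardedAction("Save", role, Role.EDITOR, () -> System.out.println("saved"));
        GuardedAction delete = new GuardedAction("Delete", role, Role.ADMIN, () -> System.out.println("deleted"));
        System.out.println(role + " save=" + save.isEnabled() + " delete=" + delete.isEnabled());
        save.actionPerformed(new ActionEvent(save, ActionEvent.ACTION_PERFORMED, "Save"));
    }
}
```

Passing the same `GuardedAction` to `new JButton(action)` and `new JMenuItem(action)` keeps every control for that operation in step with the role. If the data lives behind a server or database, the same role check belongs there as well, since a client-side test only governs this GUI.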
 
