Re: security

From: Andrus Adamchik (andru..bjectstyle.org)
Date: Wed Jan 31 2007 - 10:05:14 EST


    Hi Carl,

    To be honest, a few ROP projects that I've done used all-or-nothing
    security (if you are authenticated, you can do anything). Still, I've
    also been thinking about a more fine-grained approach. My solution
    would be to set up a custom 'org.apache.cayenne.DataChannel'
    decorator, adding custom security checks to the 'onQuery()' and
    'onSync()' methods. In the simplest case, you can have the following
    security levels:

    1. Restricted: only NamedQuery requests are honored, 'onSync()' is denied.
    2. Read-only: 'onQuery()' allows all but SQLTemplate queries, 'onSync()'
       is denied.
    3. Full
    4. Custom: check custom rules.

    Also, I haven't yet explored the use of the new 3.0 callbacks as a
    security mechanism; there are probably some opportunities there:

    http://cayenne.apache.org/preview/CAYDOC/lifecycle-callbacks.html

    Andrus

    On Jan 31, 2007, at 4:23 PM, Carl Mosca wrote:

    > I am wondering about security (user, query, role level). What
    > approaches have been taken by those using ROP for some time?
    >
    > TIA,
    > --
    > Carl J. Mosca
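
The decorator described in the message above, as an added Java example; it is not code from the original post or from the Cayenne project. `SecuredDataChannel`, `Level` and `Rules` are hypothetical names, and it assumes the four-method `DataChannel` interface of Cayenne 3.0 and a level chosen when the channel is wrapped (for example, per authenticated session).

```java
import org.apache.cayenne.DataChannel;
import org.apache.cayenne.ObjectContext;
import org.apache.cayenne.QueryResponse;
import org.apache.cayenne.event.EventManager;
import org.apache.cayenne.graph.GraphDiff;
import org.apache.cayenne.map.EntityResolver;
import org.apache.cayenne.query.NamedQuery;
import org.apache.cayenne.query.Query;
import org.apache.cayenne.query.SQLTemplate;

/** Hypothetical decorator: one security level per wrapped channel (e.g. per session). */
public class SecuredDataChannel implements DataChannel {
    public enum Level { RESTRICTED, READ_ONLY, FULL, CUSTOM }
    /** Hypothetical hook for the "Custom" level; not a Cayenne interface. */
    public interface Rules {
        boolean allowQuery(Query query);
        boolean allowSync(GraphDiff changes, int syncType);
    }
    private final DataChannel delegate;
    private final Level level;
    private final Rules rules; // consulted only when level == CUSTOM
    public SecuredDataChannel(DataChannel delegate, Level level, Rules rules) {
        if (delegate == null || level == null || (level == Level.CUSTOM && rules == null))
            throw new IllegalArgumentException("delegate, level and CUSTOM rules are required");
        this.delegate = delegate;
        this.level = level;
        this.rules = rules;
    }

    public QueryResponse onQuery(ObjectContext context, Query query) {
        boolean allowed;
        switch (level) {
            case RESTRICTED: allowed = query instanceof NamedQuery; break;     // named queries only
            case READ_ONLY:  allowed = !(query instanceof SQLTemplate); break; // no raw SQL
            case FULL:       allowed = true; break;
            default:         allowed = rules.allowQuery(query);               // CUSTOM
        }
        if (!allowed) throw new SecurityException("Query denied at level " + level);
        return delegate.onQuery(context, query);
    }

    public GraphDiff onSync(ObjectContext context, GraphDiff changes, int syncType) {
        boolean allowed = level == Level.FULL || (level == Level.CUSTOM && rules.allowSync(changes, syncType));
        if (!allowed) throw new SecurityException("Sync denied at level " + level);
        return delegate.onSync(context, changes, syncType);
    }
    public EventManager getEventManager() { return delegate.getEventManager(); }
    public EntityResolver getEntityResolver() { return delegate.getEntityResolver(); }
}
```

The checks run before anything is forwarded to the wrapped channel, so a denied request never reaches the delegate, and they key only on the query's Java type, exactly as the four levels are stated in the message.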


