Precise object and method security

Documents for the development of and with JVx.

Precise object and method security

Postby Development@SIB » Sat Dec 22, 2012 8:25 pm

If you use our ISecurityManager, you can restrict the access to life-cycle objects. But sometimes you need restrictions for custom objects or methods of a life-cycle object.

We are not big fans of "configuration til death" because config files are not more than config files. Nobody should fill config files with application logic. Keep your logic in your source code.

If you implement com.sibvisions.rad.server.security.IObjectAccessController, you'll have full control over object and method calls. The interface offers following methods:

Syntax: [ Download ] [ Hide ]
public boolean isObjectAccessAllowed(AbstractObjectProvider pProvider, ISession pSession,
                                     Map pLifeCycleObject, String pObjectName,
                                     Object pObject);

public boolean isMethodInvocationAllowed(AbstractObjectProvider pProvider,
                                         ISession pSession, String pObjectName,
                                         Object pObject, String pMethodName,
                                         Object... pParams);

The first method checks if it's allowed to call an object from a life-cycle object. You have access to all relevant objects like life-cycle object, called object and the object name.

The second method checks if it's allowed to call a method from an object. You have access to all relevant information like object to call, method name, parameter and the object instance itself.


Example

This implementation only allows calls for an object with the name "address".

Syntax: [ Download ] [ Hide ]
public class SimpleAddressAccessController implements IObjectAccessController
{
        public boolean isObjectAccessAllowed(AbstractObjectProvider pProvider,
                                             ISession pSession, Map pLifeCycleObject,
                                             String pObjectName, Object pObject)
        {
                if ("address".equals(pObjectName))
                {
                        return true;
                }

                return false;
        }

        public boolean isMethodInvocationAllowed(AbstractObjectProvider pProvider,
                                                 ISession pSession, String pObjectName,
                                                 Object pObject, String pMethodName,
                                                 Object... pParams)
        {
                if ("address".equals(pObjectName))
                {
                        return true;
                }
               
                return false;
        }

}

We use the object name for our checks. It is also possible to check class names or instances. It also is not a problem to read the configuration from a XML file, if you think it's better.
User avatar
Development@SIB
 
Posts: 311
Joined: Mon Sep 28, 2009 1:54 pm

Return to Documentation