Posted to user@shiro.apache.org by richs <ri...@barcap.com> on 2011/10/20 17:39:41 UTC

Authorization instance level checks

Say you have a database containing millions of records.

You have a permission which states that you can delete record 1234 -
"record:delete:1234"

What is the best practice to check the authorization for instance 1234?  The
method /AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection
principals)/ accepts a collection of principals, so does not contain the
identifier 1234.  I don't want to add every record my user can delete to an
AuthorizationInfo object 
(record:delete:0001,record:delete:0002,record:delete:0004, etc) as this
could be 1000s.

I can't see any easy way to hook in the callback to check instance 1234.

Any ideas?

Thanks

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Authroization-instance-level-checks-tp6913395p6913395.html
Sent from the Shiro User mailing list archive at Nabble.com.

RE: Authorization instance level checks

Posted by Deniz Acay <de...@gmail.com>.
I achieved something similar in our project, like this:

public class ... {

    ...

    @RequiresValidation(validationMethod="checkDeleteRecord")
    public void deleteRecord(....) {
        ...
    }

    protected void checkDeleteRecord(...) {
        /* If this method throws a SecurityException, then the subject is not
           authorized to invoke 'deleteRecord' */
    }
}

At runtime, the validation method is invoked via reflection.

A similar improvement would be great for Shiro. For example, suppose you have
a class named UserDashboard where each instance represents a user's unique
content etc.; only the corresponding user should be able to call the setter
methods.

This kind of on-the-fly authorization check is required in a lot of
scenarios.

Either some sort of regex permissions (like
"record:delete:subject.principals['recordID']") or an authorizing method to
authorize at runtime (e.g., via reflection).

Re: Authorization instance level checks

Posted by Jean-Cédric Desrochers <jc...@gmail.com>.
I faced a similar situation where I needed to perform some authorization logic
at a per instance level. There were some complex business rules that needed
to be applied based on the type of permission a subject had, the type of
operation required and also based on the state of the instance to check in a
given workflow.

AOP to the rescue: I ended up with a security interceptor on top of the DAOs
that needed this kind of advanced authorization. With the aspect I was able
to perform the required logic based on the nature of the call on the DAO:
retrieve, update, delete.

HTH... like someone says
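The DAO-level interceptor described in this thread, sketched with a JDK dynamic proxy in place of an AOP framework, as an added example that is not code from any poster or from Shiro. `RecordDao`, `OWNERS`, `CURRENT_USER` and the owner-only rule are assumptions made for illustration; `CURRENT_USER` stands in for Shiro's thread-bound subject.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

public class InstanceAuthzDemo {
    // Hypothetical DAO; stands for whatever DAO the interceptor wraps.
    interface RecordDao { void delete(long id); }

    // Constructed sample data: record id -> owning user.
    static final Map<Long, String> OWNERS = new HashMap<>(Map.of(1234L, "alice", 5678L, "bob"));

    // Stand-in for Shiro's thread-bound subject (SecurityUtils.getSubject().getPrincipal()).
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Wraps a DAO so each delete is authorized against the one record it touches.
    static RecordDao secured(RecordDao target) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.getName().equals("delete")) {
                long id = (Long) args[0];
                String user = CURRENT_USER.get();
                // Evaluated on demand for this instance; no subject or unknown id fails closed.
                if (user == null || !user.equals(OWNERS.get(id))) {
                    throw new SecurityException("not permitted: record:delete:" + id);
                }
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the DAO's own exception, not the wrapper
            }
        };
        return (RecordDao) Proxy.newProxyInstance(
                RecordDao.class.getClassLoader(), new Class<?>[] {RecordDao.class}, handler);
    }

    public static void main(String[] argv) {
        RecordDao dao = secured(id -> OWNERS.remove(id)); // in-memory DAO for the demo
        CURRENT_USER.set("alice");
        dao.delete(1234L); // allowed: alice owns 1234
        try {
            dao.delete(5678L); // denied: bob owns 5678
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
        System.out.println("remaining: " + OWNERS.keySet());
    }
}
```

The check costs one lookup for the record being touched, so nothing has to be enumerated into an AuthorizationInfo up front.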