Posted to dev@ofbiz.apache.org by Anil Patel <to...@gmail.com> on 2007/02/15 22:02:39 UTC

Intercept web request before a event is called for Security Permission checks

Hi,
OFBiz Services security model allows us to intercept a call to a service
before the actual service is executed. Along similar lines, do we have a way to
intercept a web request for a security check before the event or view is
rendered? Something like:

    <request-map uri="orderentry">
        <security https="true" auth="true"/>
        <permission-service service-name="orderEntryGenericPermission"
                action="Create" error-view="PermissionErrorScreen"/>
        <event type="java" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
                invoke="routeOrderEntry"/>
        <response name="init" type="view" value="checkinits"/>
        <response name="agreements" type="view" value="orderagreements"/>
        <response name="cart" type="view" value="showcart"/>
        <response name="error" type="view" value="checkinits"/>
    </request-map>

Thanks and Regards
Anil Patel

Re: Intercept web request before a event is called for Security Permission checks

Posted by "David E. Jones" <jo...@hotwaxmedia.com>.
One way or another each service, screen, etc should be responsible  
for its own security (so that no matter how it is used the security  
doesn't get skipped or left out).

We are moving more towards de-coupling security to make it more  
modular and easier to re-use, but still having it right in an  
implementation is an okay (though not ideal) approach.

-David


On Feb 16, 2007, at 1:30 PM, Anil Patel wrote:

> David,
> This came to mind when I was working on the
> ShoppingCartEvents::ShoppingCartEvents method.
> This method has security check code in it. At first glance I didn't
> like it.
>
> Is it OK to have security check code compiled into a class? I am not
> sure if there are more instances of a similar thing.
>
> I will appreciate comments on it from you.
>
> Anil Patel
>
>
>
>
>
>
>
> On 2/15/07, David E. Jones <jo...@hotwaxmedia.com> wrote:
>>
>>
>> The best thing to do is use an actual event for this, which may mean
>> chaining to another request for security check pass/fail.
>>
>> Generally though there isn't page routing for security checks, but
>> rather a change in a view and/or event that shows a message or
>> whatever. In other words, the security checks in services and screens
>> are the main touch points.
>>
>> Is there a more specific case where this has come up?
>>
>> -David
>>
>>
>> On Feb 15, 2007, at 2:02 PM, Anil Patel wrote:
>>
>> > Hi,
>> > OFBiz Services security model allows us to intercept a call to a service
>> > before the actual service is executed. Along similar lines, do we have a
>> > way to intercept a web request for a security check before the event or
>> > view is rendered? Something like:
>> >
>> >    <request-map uri="orderentry">
>> >        <security https="true" auth="true"/>
>> >        <permission-service service-name="orderEntryGenericPermission"
>> >                action="Create" error-view="PermissionErrorScreen"/>
>> >        <event type="java" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
>> >                invoke="routeOrderEntry"/>
>> >        <response name="init" type="view" value="checkinits"/>
>> >        <response name="agreements" type="view" value="orderagreements"/>
>> >        <response name="cart" type="view" value="showcart"/>
>> >        <response name="error" type="view" value="checkinits"/>
>> >    </request-map>
>> >
>> > Thanks and Regards
>> > Anil Patel
>>
>>
>>


Re: Intercept web request before a event is called for Security Permission checks

Posted by Anil Patel <to...@gmail.com>.
David,
This came to mind when I was working on the
ShoppingCartEvents::ShoppingCartEvents method.
This method has security check code in it. At first glance I didn't like it.

Is it OK to have security check code compiled into a class? I am not
sure if there are more instances of a similar thing.

I will appreciate comments on it from you.

Anil Patel







On 2/15/07, David E. Jones <jo...@hotwaxmedia.com> wrote:
>
>
> The best thing to do is use an actual event for this, which may mean
> chaining to another request for security check pass/fail.
>
> Generally though there isn't page routing for security checks, but
> rather a change in a view and/or event that shows a message or
> whatever. In other words, the security checks in services and screens
> are the main touch points.
>
> Is there a more specific case where this has come up?
>
> -David
>
>
> On Feb 15, 2007, at 2:02 PM, Anil Patel wrote:
>
> > Hi,
> > OFBiz Services security model allows us to intercept a call to a service
> > before the actual service is executed. Along similar lines, do we have a
> > way to intercept a web request for a security check before the event or
> > view is rendered? Something like:
> >
> >    <request-map uri="orderentry">
> >        <security https="true" auth="true"/>
> >        <permission-service service-name="orderEntryGenericPermission"
> >                action="Create" error-view="PermissionErrorScreen"/>
> >        <event type="java" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
> >                invoke="routeOrderEntry"/>
> >        <response name="init" type="view" value="checkinits"/>
> >        <response name="agreements" type="view" value="orderagreements"/>
> >        <response name="cart" type="view" value="showcart"/>
> >        <response name="error" type="view" value="checkinits"/>
> >    </request-map>
> >
> > Thanks and Regards
> > Anil Patel
>
>
>

Re: Intercept web request before a event is called for Security Permission checks

Posted by "David E. Jones" <jo...@hotwaxmedia.com>.
The best thing to do is use an actual event for this, which may mean  
chaining to another request for security check pass/fail.

Generally though there isn't page routing for security checks, but  
rather a change in a view and/or event that shows a message or  
whatever. In other words, the security checks in services and screens  
are the main touch points.

Is there a more specific case where this has come up?

-David


On Feb 15, 2007, at 2:02 PM, Anil Patel wrote:

> Hi,
> OFBiz Services security model allows us to intercept a call to a service
> before the actual service is executed. Along similar lines, do we have a
> way to intercept a web request for a security check before the event or
> view is rendered? Something like:
>
>    <request-map uri="orderentry">
>        <security https="true" auth="true"/>
>        <permission-service service-name="orderEntryGenericPermission"
>                action="Create" error-view="PermissionErrorScreen"/>
>        <event type="java" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
>                invoke="routeOrderEntry"/>
>        <response name="init" type="view" value="checkinits"/>
>        <response name="agreements" type="view" value="orderagreements"/>
>        <response name="cart" type="view" value="showcart"/>
>        <response name="error" type="view" value="checkinits"/>
>    </request-map>
>
> Thanks and Regards
> Anil Patel
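
The request chaining David describes above ("use an actual event for this, which may mean chaining to another request for security check pass/fail"), sketched as a controller.xml fragment. This is an added example, not part of the original thread or the OFBiz code base; the request name doOrderEntry, the class org.example.security.OrderEntrySecurityEvents and its method hasCreatePermission are hypothetical, and PermissionErrorScreen is assumed to be defined as a view.

```xml
<!-- Added illustration, not from the thread or the OFBiz code base.
     Hypothetical names: doOrderEntry,
     org.example.security.OrderEntrySecurityEvents, hasCreatePermission. -->

<!-- Entry point: the event only answers pass/fail by returning
     "success" or "error"; it does no order-entry work itself. -->
<request-map uri="orderentry">
    <security https="true" auth="true"/>
    <event type="java" path="org.example.security.OrderEntrySecurityEvents"
           invoke="hasCreatePermission"/>
    <!-- "success": chain to the request that does the real work. -->
    <response name="success" type="request" value="doOrderEntry"/>
    <!-- "error": stop here and render the permission error view. -->
    <response name="error" type="view" value="PermissionErrorScreen"/>
</request-map>

<!-- Chained request. It is still a request-map of its own, so it can be
     requested without passing through "orderentry". The check above is
     therefore a routing convenience only: routeOrderEntry and the services
     it calls keep their own permission checks, which is the point made in
     the thread about each service and screen owning its security. -->
<request-map uri="doOrderEntry">
    <security https="true" auth="true"/>
    <event type="java" path="org.ofbiz.order.shoppingcart.ShoppingCartEvents"
           invoke="routeOrderEntry"/>
    <response name="init" type="view" value="checkinits"/>
    <response name="agreements" type="view" value="orderagreements"/>
    <response name="cart" type="view" value="showcart"/>
    <response name="error" type="view" value="checkinits"/>
</request-map>
```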