Best place for security check?

snowch
Hi forum,

Some of my requests will contain a parameter (UpliftId) that holds an identifier for an entity record.  This is to provide record level security checks.  Is there a way of performing this check in the controller so that every (logged in) request that has the parameter UpliftId is checked to ensure that the userLoginId has access to the UpliftId?

Many thanks in advance,

Chris

Re: Best place for security check?

Jacques Le Roux
http://markmail.org/message/3qpow4arm6tdqqp2
Also it seems that there would be an effort soon in this area
http://docs.ofbiz.org/display/~jaz/OFBiz+Security+Refactor

Jacques


Re: Best place for security check?

snowch
Unfortunately, I have to implement this within the next week...

I have a bsh script that will check that the loginUserId has permission for reading an entity record based on the parameter holding the entity Id (upliftId).  I don't want to have to call this bsh in every service, etc.  Ideally, I would like every request checked for the upliftId parameter, and if the loginUserId doesn't have access, an error is thrown redirecting to an error page.

I was wondering whether this could be done in the controller or as an entity ECA?

Many thanks,

Chris


Re: Best place for security check?

David E Jones-3

If you want to check something on every request you might try the "preprocessor" events that run before each request.

-David


On Apr 27, 2009, at 6:57 AM, snowch wrote:

>
> Hi forum,
>
> Some of my requests will contain a parameter (UpliftId) that holds an
> identifier for a entity record.  This is to provide record level  
> security
> checks.  Is there a way of performing this check in the controller  
> so that
> every (logged in) request that has the parameter UpliftId is checked  
> to
> ensure that the userLoginId has access to the the UpliftId?
>
> Many thanks in advance,
>
> Chris
> --
> View this message in context: http://www.nabble.com/Best-place-for-security-check--tp23255712p23255712.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>


Re: Best place for security check?

snowch
When checking the record level security using the preprocessor, is it possible to return an "error" view from the preprocessor?

Many thanks,

Chris


Re: Best place for security check?

snowch
Perhaps the best way would be to send 'response.sendRedirect("/Unauthorized");' on authorization error?


Re: Best place for security check?

Jacques Le Roux
Yes, I have used this for the "tarpitting" feature
http://docs.ofbiz.org/display/OFBTECH/OFBiz+security#OFBizsecurity-Protectedviews
Look for "protect" in the Java code

Jacques

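Putting David's preprocessor suggestion and Jacques's pointer to the protected-view handling together, this is what such a per-request record check could look like. It is an added example, not code from the thread or from OFBiz itself: the package name, the "Uplift" entity with its ownerPartyId field and the "Unauthorized" view are assumptions, and the ":_protect_:" return-value handling is how I recall RequestHandler treating preprocessor results in releases of that era, so verify it against your own version.

```java
package org.example.uplift; // hypothetical package, not part of OFBiz

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.base.util.UtilValidate;
import org.ofbiz.entity.Delegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;

/*
 * Declared in the webapp's controller.xml so it runs before every request:
 *   <preprocessor>
 *     <event type="java" path="org.example.uplift.UpliftSecurityEvents" invoke="checkUpliftAccess"/>
 *   </preprocessor>
 *   <protect view="Unauthorized"/>   <!-- view rendered when the event denies access -->
 */
public class UpliftSecurityEvents {

    // Assumed entity and field names: an "Uplift" entity keyed by upliftId with an ownerPartyId field.
    private static final String ENTITY = "Uplift";
    private static final String OWNER_FIELD = "ownerPartyId";

    public static String checkUpliftAccess(HttpServletRequest request, HttpServletResponse response) {
        String upliftId = request.getParameter("upliftId");
        if (UtilValidate.isEmpty(upliftId)) {
            return "success"; // the request does not reference an Uplift record; nothing to check
        }
        GenericValue userLogin = (GenericValue) request.getSession().getAttribute("userLogin");
        if (userLogin == null) {
            return deny(request); // a record reference without a login is never allowed
        }
        Delegator delegator = (Delegator) request.getAttribute("delegator");
        try {
            GenericValue uplift = delegator.findOne(ENTITY, UtilMisc.toMap("upliftId", upliftId), false);
            String partyId = userLogin.getString("partyId");
            // Unknown ids and other users' records get the same answer, so the response reveals nothing about which ids exist.
            if (uplift == null || partyId == null || !partyId.equals(uplift.getString(OWNER_FIELD))) {
                return deny(request);
            }
        } catch (GenericEntityException e) {
            return deny(request); // fail closed when the lookup itself fails
        }
        return "success";
    }

    private static String deny(HttpServletRequest request) {
        request.setAttribute("_ERROR_MESSAGE_", "You are not authorized to access this record.");
        // A bare "error" from a preprocessor is treated as a failed event; the ":_protect_:" suffix makes
        // RequestHandler render the request's "error" response or, failing that, the <protect> view.
        return "error:_protect_:";
    }
}
```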