I was just browsing over the LoginServices.userLogin & I came across a code snippet that
might potentially help me with security in my apps.

// get the is system flag -- system accounts can only be used for service authentication
boolean isSystem = (isServiceAuth && userLogin.get("isSystem") != null) ?
    "Y".equalsIgnoreCase(userLogin.getString("isSystem")) : false;

Some services have a particular security requirement at the code level which I would rather not touch
at the moment & given the fact that the security & the layout of my applications is very different from
what OfBiz uses. I'm left with 2 choices - change the core codebase or maybe somehow push in a valid
userlogin for the service to run, the latter being my preference.

If it's possible to push in a valid login for services alone, I'd like to know
- Maybe point me to some screens/apps that do such a thing
- How to create such a login in the db
- How to create such a login at runtime
- How to use such a login

Thanks for your time. Your feedback is appreciated
Ashish Hareet

_______________________________________________
Dev mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/dev

Ashish,

userLogin is just a GenericValue of the "UserLogin" entity. So to make one during run time, just use the delegator.makeValue(...) method.

However, I don't think this is a very good way to do things. This is just my personal opinion, but this approach looks like a "hack" when we should be addressing the fundamental issue of security settings. The OFBiz security model, when implemented correctly, can be very flexible and powerful. You can assign specific permissions to each service operation and then group them together in SecurityPermissionGroup, then assign user logins to the security groups. Hence, you should in theory be able to implement your particular security requirements by creating new SecurityPermissionGroups.

In practice, I know I get lazy and just use the "_ADMIN" privileges when I create new services and "_VIEW" for view pages, so it seems like the system is built around universal security permissions. However, this is not the case and should be changed.

Therefore, I think it might be better if you changed the permissions of the services and view pages that are affected and then submitted those as a page. Maybe we can incorporate those into the main OFBiz code base, and then you can customize your deployment with custom SecurityPermissionGroups.

Si

Ashish Hareet wrote:

>I was just browsing over the LoginServices.userLogin & I came across a code snippet that
>might potentially help me with security in my apps.
>
>// get the is system flag -- system accounts can only be used for service authentication
>boolean isSystem = (isServiceAuth && userLogin.get("isSystem") != null) ?
>    "Y".equalsIgnoreCase(userLogin.getString("isSystem")) : false;
>
>Some services have a particular security requirement at the code level which I would rather not touch
>at the moment & given the fact that the security & the layout of my applications is very different from
>what OfBiz uses. I'm left with 2 choices - change the core codebase or maybe somehow push in a valid
>userlogin for the service to run, the latter being my preference.
>
>If it's possible to push in a valid login for services alone, I'd like to know
>- Maybe point me to some screens/apps that do such a thing
>- How to create such a login in the db
>- How to create such a login at runtime
>- How to use such a login
>
>Thanks for your time. Your feedback is appreciated
>Ashish Hareet
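
The permission-to-group-to-login layering described in the reply above, sketched as entity-engine seed data; this is an added example, not part of the original thread and not taken from the OFBiz code base. Every ID in it (MYAPP_*, myapp-svc) is hypothetical, and the entity and field names (SecurityPermission, SecurityGroup, SecurityGroupPermission, UserLoginSecurityGroup) are assumed from the standard OFBiz security data model, so check them against the entity definitions of the release you run.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed seed data: all IDs below are hypothetical placeholders. -->
<entity-engine-xml>

    <!-- 1. One permission per operation instead of a single catch-all.
         The suffixes mirror the "_VIEW" / "_ADMIN" convention mentioned in the reply. -->
    <SecurityPermission permissionId="MYAPP_VIEW"   description="View MyApp records"/>
    <SecurityPermission permissionId="MYAPP_UPDATE" description="Update MyApp records"/>
    <SecurityPermission permissionId="MYAPP_ADMIN"  description="All MyApp operations"/>

    <!-- 2. Groups bundle only the permissions a role actually needs. -->
    <SecurityGroup groupId="MYAPP_READONLY" description="Read-only MyApp users"/>
    <SecurityGroup groupId="MYAPP_SERVICE"  description="Service account: view and update only"/>

    <SecurityGroupPermission groupId="MYAPP_READONLY" permissionId="MYAPP_VIEW"/>
    <SecurityGroupPermission groupId="MYAPP_SERVICE"  permissionId="MYAPP_VIEW"/>
    <SecurityGroupPermission groupId="MYAPP_SERVICE"  permissionId="MYAPP_UPDATE"/>
    <!-- MYAPP_ADMIN is deliberately not granted to either group. -->

    <!-- 3. A dedicated login for service calls. isSystem="Y" is the flag read by the
         snippet quoted in the thread, whose comment says system accounts can only be
         used for service authentication. -->
    <UserLogin userLoginId="myapp-svc" enabled="Y" isSystem="Y"/>

    <!-- 4. Attach the login to the narrow group, never to an *_ADMIN group. -->
    <UserLoginSecurityGroup userLoginId="myapp-svc" groupId="MYAPP_SERVICE"
                            fromDate="2001-01-01 00:00:00.0"/>

</entity-engine-xml>
```

A login built at run time with delegator.makeValue(...) still needs group rows like these to pass a service's permission check, which is why scoping the groups matters more than how the login record is created.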