Hello:
How does the security API handle something like the ability to view calendar entries for your “team” members? I understand that one would either extend OFBizSecurity or implement one’s own version, but I can’t see how the only relevant function (hasRolePermission) would handle it. I feel that other functions with additional parameters may be required.

To further clarify my question, let’s use a simple data model example. Assume teams are parties and team members are associated with their teams through PartyRelationships (partyRelationshipTypeId is GROUP_ROLLUP, partyIdFrom is team, partyIdTo is member). Further assume partyA and partyB are both part of teamOne, and they are allowed to view each team member’s calendar. If partyA is logged in and wants to view partyB’s calendar, I expect to use a class that extends OFBizSecurity to handle this data model along with a call to something like hasRolePermission. But it doesn’t seem to have enough arguments. I can write another function, but that defeats the whole purpose of the security API.

I also read Data Driven Security (http://ofbizwiki.go-integral.com/Wiki.jsp?page=DataDrivenSecurity) in the wiki. The entity it uses, ContentPurposeOperation, does not seem to be part of the standard security data model. As far as I can tell, there are only 3 entities that are part of this model (OrderRole, FacilityRole, MarketingCampaignRole). What am I missing?

Thanks in advance.

Vinay Agarwal
_______________________________________________ Users mailing list [hidden email] http://lists.ofbiz.org/mailman/listinfo/users
It might be better to write a small routine to check for the proper relationships and roles.
That's the easy way of doing it, which is essentially a custom security function. This poses another problem: once you have authenticated a userLogin to do something, other services may block that userLogin from some required stuff. Is changing userLogin to "system" the best way to do it?

Vinay

-----Original Message-----
From: Adrian Crum
Sent: Thursday, May 18, 2006 9:35 AM
To: OFBiz Users / Usage Discussion
Subject: Re: [OFBiz] Users - Security API: What am I missing?
In reply to this post by Vinay Agarwal
No, it's best to determine what permissions the services are looking for and assign those permissions to the user. You might need to assemble them into a security group and assign that group to the user.
In reply to this post by Adrian Crum
Hi all -

Maybe I'm missing something... But it occurred to me that there doesn't seem to be a way to easily share more than superficial content between webapp modules in OfBiz. While there is the images component of the framework, into which you can place images, style sheets, and javascripts that you want to share amongst multiple webapps, what about common templates?

If you create a series of custom (but related) components/webapps, you quickly find yourself copying a large chunk of "code" from one to the others to support the FTL template and common user interface elements. Am I missing something? Am I doing something wrong?

- Porter Woodward
I'm not sure I understand what you mean. There are a number of templates already shared between webapps. We developed a common set of custom templates and widgets that are shared among our custom components. It all works fine.
In reply to this post by Adrian Crum
Adrian,

The problem with assigning permissions to the user is that they are "static," i.e., the user will keep those permissions for other calls. If one wanted more "dynamic" permission capabilities, which authenticate a user for a specific functionality at a specific time, there doesn't seem to be a way other than the "system" userLogin.

Vinay

-----Original Message-----
From: Adrian Crum
Sent: Thursday, May 18, 2006 9:47 AM
To: OFBiz Users / Usage Discussion
Subject: Re: [OFBiz] Users - Security API: What am I missing?
In reply to this post by Vinay Agarwal
The alternative is to write your own security routine. Changing logins "dynamically" sounds like a kludge to me. If you're working on a calendar component, just write a calendar-component-specific permissions checking routine. Make it part of the component.
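What a component-local permission routine of the kind suggested above can look like, as an added example that is not OFBiz project code and not code from anyone in this thread. It assumes the data model from the original question (teams are parties; membership is a PartyRelationship with partyRelationshipTypeId GROUP_ROLLUP, partyIdFrom the team, partyIdTo the member), and it assumes a static CALENDAR_VIEW permission that the user keeps in a security group; the package, class and permission names are hypothetical. The OFBiz calls used (delegator.findByAnd, EntityUtil.filterByDate, Security.hasEntityPermission, UtilMisc.toMap) are the entity-engine and security APIs of the OFBiz of that period, used on the assumption that they behave as described in the comments.

```java
// Added example, not OFBiz project code. Package, class and the
// CALENDAR_VIEW / CALENDAR_ADMIN permission names are hypothetical.
package org.ofbiz.calendar;

import java.util.Iterator;
import java.util.List;
import java.util.Map;

import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.entity.GenericDelegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
import org.ofbiz.entity.util.EntityUtil;
import org.ofbiz.security.Security;

/**
 * Component-local permission routine for the calendar example from the thread.
 * Data model assumed: teams are parties; membership is a PartyRelationship with
 * partyRelationshipTypeId = GROUP_ROLLUP, partyIdFrom = team, partyIdTo = member.
 */
public class CalendarPermissionHelper {

    /**
     * May the logged-in user view the calendar of targetPartyId?
     * The static permission is checked first; the relationship lookup only
     * decides whose calendars that permission applies to. Nothing here switches
     * to the "system" userLogin or grants the user anything beyond this call.
     */
    public static boolean canViewCalendar(GenericDelegator delegator, Security security,
            GenericValue userLogin, String targetPartyId) throws GenericEntityException {
        if (userLogin == null || targetPartyId == null) {
            return false;
        }
        // hasEntityPermission("CALENDAR", "_VIEW", ...) accepts CALENDAR_VIEW
        // (or CALENDAR_ADMIN) from the user's security groups.
        if (!security.hasEntityPermission("CALENDAR", "_VIEW", userLogin)) {
            return false;
        }
        String viewerPartyId = userLogin.getString("partyId");
        if (viewerPartyId == null) {
            return false; // a userLogin with no party cannot be on any team
        }
        if (viewerPartyId.equals(targetPartyId)) {
            return true; // a party may always see its own calendar
        }
        return shareActiveTeam(delegator, viewerPartyId, targetPartyId);
    }

    /**
     * True if partyA and partyB are both current GROUP_ROLLUP members of at least
     * one common team. Expired memberships (thruDate in the past) are dropped by
     * EntityUtil.filterByDate, so leaving a team revokes access immediately.
     */
    static boolean shareActiveTeam(GenericDelegator delegator, String partyA, String partyB)
            throws GenericEntityException {
        List teamsOfA = activeMemberships(delegator, null, partyA);
        Iterator it = teamsOfA.iterator();
        while (it.hasNext()) {
            GenericValue rel = (GenericValue) it.next();
            String teamId = rel.getString("partyIdFrom");
            if (!activeMemberships(delegator, teamId, partyB).isEmpty()) {
                return true;
            }
        }
        return false;
    }

    /** Current GROUP_ROLLUP memberships of memberId, optionally limited to one team. */
    private static List activeMemberships(GenericDelegator delegator, String teamId,
            String memberId) throws GenericEntityException {
        Map fields = UtilMisc.toMap("partyRelationshipTypeId", "GROUP_ROLLUP",
                "partyIdTo", memberId);
        if (teamId != null) {
            fields.put("partyIdFrom", teamId);
        }
        List rels = delegator.findByAnd("PartyRelationship", fields);
        return EntityUtil.filterByDate(rels);
    }
}
```

The calendar service or screen calls canViewCalendar before loading any entries and reports a false result as a permission error. Because the static permission and the relationship test are both evaluated on every call, the user never needs extra permissions assigned for one request and the "system" userLogin is never involved; denials are worth logging inside the component, since repeated denials for one viewerPartyId against other members' calendars are the thing an operator would want to notice.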
In reply to this post by Vinay Agarwal
Vinay,
Look in the CRM application... it's all there.

Si
In reply to this post by Porter Woodward
You should be using the screen widget to use pages from the other webapps. You can also parametrize your mainDecoratorLocation, etc. in web.xml so you can refer to them and share them. This is actually very nice in screen-widget.

Si
Indeed.

This is not only possible for ftl templates but is also a good way to share bsh scripts by having a main common webapp which other webapps can dig into easily. Screen Widgets really are interesting for this sort of factorisation. In fact, if you look at how the applications work, the ball bounces from one webapp to another quite transparently.

Tibor

On 5/18/06, Si Chen wrote:
In reply to this post by Porter Woodward
Porter,

Have a look for component:// urls. For example, you will see a few ordermgr artifacts referenced from the ecommerce controller.xml. These are of the form...

component://path/to/resource

On Thu, 2006-05-18 at 12:49 -0400, Porter Woodward wrote:

Kind Regards
Andrew Sykes
Sykes Development Ltd
http://www.sykesdevelopment.com
correction
component://path/to/resource is component://appname/path/from root/toresource. Just went through the code to figure out why I was getting a root not found error.

Andrew Sykes sent the following on 5/18/06 11:58 AM:
sub title CC security revisited.
In summary, the security of CC info has been discussed. It covered the encryption of the information, as well as the security authentication provided by ofbiz.

As long as the CC info is encrypted one way, there is not much concern. However, there is a need for getting the CC info back in readable form in some cases. This creates a possible security hole.

The application I have in mind is where the gateway service is sent the partyID and only it can read the CC info.

So if the OS is breached through its own security hole, and admin or super user is gained, or if someone is using the PC that ofbiz runs on for Internet and gets a Trojan, then the complete DB and application can be retrieved.

To further create security, I have put the DB on a private network that only the server can see.

Does anyone with a twisted mind (meant in humor) see a way that this could be compromised?
This is always a problem with web based applications. You _have_ to secure the app servers as a first priority, even when the database is on an internal only network (which is commonly the case). If an app server is breached then they'll be able to get the database access information, and use it through that box... I'm not sure if that is what you are referring to. These are actually fairly standard things considered in a production deployment.

-David
Thanks David,
Did not have any thought of the ofbiz team doing anything. Had not thought of the compromised computer being used. Maybe do something on the DB side that is not apparent from the compromised computer's side. Like add a special key that is sent to the DB and the DB shuts down once this times out, like when ofbiz is shut down. Maybe put the db connections in java, then port only the compiled version to the server. Another idea is to recompile the kernel so the normal exploitations are not where they are expected. The fun is I get to be the twisted mind that attempts to break in, see how good I am on my systems.

David E Jones sent the following on 5/18/06 7:47 PM: