[Cosmo-dev] WebDAV ACL tasks separation and questions
Brian Moseley
bcm at osafoundation.org
Tue Feb 6 12:59:37 PST 2007

On 1/6/07, Vinubalaji Gopal <vinu at osafoundation.org> wrote:
> can you give me examples on what you mean by this? do you mean
> programming different aspects to check for security before accessing
> different services?

possibly aspects, but i haven't wrapped my brain around the acegi AOP stuff yet.

also, i think that the service layer needs to explicitly document that
1) it can throw security exceptions when a client calls a method that
is not authorized for the current security context and 2) it can
refuse to return objects that are not accessible. to me, aspects are
not meant for this type of situation, but rather where their logic is
essentially independent of the apis they are wrapping. but again,
maybe i just haven't internalized AOP well enough yet.

anyway, for now i'm leaning towards implementing security checks and
instance filtering directly in the service implementation classes.

ex 1: a user is authenticated via a protocol and the handler calls
ContentDao.getItem(). that collection is owned by somebody else and
the logged in user does not have read permission on it, so the service
method throws AccessDeniedException.

ex 2: a ticket is provided to get all items in a collection for the
ui's dashboard view. the ticket has read permission on some items in
the collection but not all. only those the ticket has read permission
on are returned.

the 2nd example implies that we either:

1) wrap an aspect around Item.getChildren that filters the returned list
2) make Item.getChildren itself return a filtered list, or
3) make a service method that returns a filtered list given an item or uid

i favor 1 or 2 because they can be used transparently in jsps and
anywhere else that doesn't have access to the service layer. it seems
awkward to make model objects themselves make security decisions, so
this might be a place where AOP really is useful.

i realize i don't have any concrete answers for you. what do you think?
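
The two cases in the message (ex 1, and ex 2 done as option 3), sketched as an added example that is not part of the original post and is not Cosmo or Acegi code. The class names, the use of plain strings for users and tickets, and the sample data are assumptions made for illustration; the ticket is assumed to have read permission on the collection itself.

```java
import java.util.*;
// Hypothetical stand-ins for illustration; not Cosmo or Acegi classes.
public class ServiceLayerChecks {
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }
    static class Item {
        final String uid, owner;
        final Set<String> readers = new HashSet<>();   // users or tickets with read
        final List<Item> children = new ArrayList<>(); // unfiltered model data
        Item(String uid, String owner, String... readers) {
            this.uid = uid; this.owner = owner;
            this.readers.addAll(Arrays.asList(readers));
        }
        boolean readableBy(String who) { return owner.equals(who) || readers.contains(who); }
    }
    static class ContentService {
        private final Map<String, Item> store = new HashMap<>();
        void add(Item item) { store.put(item.uid, item); }
        // ex 1: throw when the current principal has no read permission.
        // A missing uid gets the same exception so callers cannot probe for existence.
        Item getItem(String who, String uid) {
            Item item = store.get(uid);
            if (item == null || !item.readableBy(who))
                throw new AccessDeniedException("read denied: " + uid);
            return item;
        }
        // ex 2, option 3: return only the children readable by the caller.
        List<Item> getReadableChildren(String who, String uid) {
            List<Item> visible = new ArrayList<>();
            for (Item child : getItem(who, uid).children)
                if (child.readableBy(who)) visible.add(child);
            return visible;
        }
    }
    public static void main(String[] args) {
        // Constructed sample data: alice owns a collection; ticket-1 may read it and one event.
        Item cal = new Item("cal", "alice", "ticket-1");
        cal.children.add(new Item("event-a", "alice", "ticket-1"));
        cal.children.add(new Item("event-b", "alice"));
        ContentService svc = new ContentService();
        svc.add(cal);
        System.out.println(svc.getReadableChildren("ticket-1", "cal").size());
        try {
            svc.getItem("bob", "cal");
        } catch (AccessDeniedException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Code that reads Item.children directly, as a jsp would, still sees the unfiltered list, which is the gap options 1 and 2 in the message are meant to close.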