Re: [soteria-dev] Programmatically change roles
Hi Ulrich,
Regards,
Guillermo González de Agüero
Hi Arjan,
thanks for the link, that's interesting.
I have struggled over the last days with user/roles and such topics and I think the 
real problem is that the "isUserInRole" thing is not really practical.
Because, the information, which I want the server to ask is: "has this 
user the right to access that resource"... where resource is perhaps a 
REST-Endpoint, a specific URL-pattern or if using a JSF-page, this could 
be a simple HTML-button or Text-field.
In the case of JSF pages, it is directly visible that the frontend page 
needs too much information about the application. If I want a user not to 
show this button, I have to know which roles are defined and 
then I can prepare a complicated 
"rendered=#{request.isUserInRole('RoleA') and 
request.isUserInRole('RoleB')}" statement.
Second option is, that I have a backing-bean method, which handles this.
But, in every case, I need to know, which role has which permission in 
order to describe an appropriate statement.
The next option is to introduce JASPIC or something like that. But as 
everyone knows, and as you wrote in your article from the last mail, there is 
very much to do in order to set up even the simplest things for permission 
handling.
In my opinion, but please correct me if I miss anything, it would be 
cool if there were a method like "boolean hasPermission(Object 
caller)" in addition to "isUserInRole". And then this method, or another 
from an interface, has to be implemented like it is done with the 
IdentityStore and AuthenticationMechanism. The 
Identity/AuthenticationMechanism is now solved in a very cool way and is a great 
simplification compared to the former specification. And for simple things the 
same would be cool for "permissions".
Kind regards
Ulrich
On 06.10.18 at 14:39, arjan tijms wrote:
> Hi,
>
> Just declaring roles at startup can be programmatically done via 
> ServletContext#declareRoles, but this is static (only at startup time) 
> and doesn't allow you to associate permissions with this.
>
> It's *basically* possible to do it dynamically as well. I 
> approximately implemented a prototype for this that was intended to be 
> in EE Security 1.0, but since we spent all the little time that we had 
> on finalising the functionality that's in EE Security now, I never 
> started the discussion about this really.
>
> See 
> https://arjan-tijms.omnifaces.org/2016/07/simplified-custom-authorization-rules.html
>
> It talks about this SO question that approximately asks for what you're 
> also asking for: 
> https://stackoverflow.com/questions/27341665/is-it-possible-to-determine-group-membership-of-a-user-on-demand-instead-of-when
>
> A related question is to add permissions like one can now declare 
> roles. We talked about that before, and for a moment it seemed default 
> JACC could do that, but it's not that clear cut.
>
> Kind regards,
> Arjan
>