Thread: Security in a standalone application on Windows

  1. #1
    Join Date
    Aug 2004
    Location
    Liège, Belgique
    Posts
    47

    Security in a standalone application on Windows

    I want to use Acegi to protect my domain objects at method level using role based security.
    I can retrieve the user name and granted authorities from the OS.
    How can I inject this information into Acegi?

    I have to manage the concept of ownership. Some actions are only available to the owner of the object. I would like to have a ROLE_OWNER and give it the rights.
    How can I do that dynamic stuff?

    With Acegi, if I call a secured method and the authenticated user does not have the rights to execute the method, an exception is thrown.
    Is it possible to test if the user has the right without calling the method?

  2. #2
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    To inject Windows authentication information, you could always delegate to a JAAS LoginModule that can access the details and then use Acegi Security's JaasAuthenticationProvider. See http://acegisecurity.sourceforge.net...-provider-jaas for more details.

    In terms of checking a user has a permission before calling a method, the easiest way would be to:

    Code:
    Authentication auth = SecureContextUtils.getSecureContext().getAuthentication();
    // then iterate auth.getAuthorities() for the expected/required role

    If the permissions are from an ACL permission (as opposed to a permission granted via the Authentication's GrantedAuthority[]s) you will need access to the AclManager. Most people tend to add some simple methods to their services layer, such as isAllowedDelete(Object domainObject), which is a void no-op method, but allows a quick check of permissions before sending it to the actual services layer. This is quite efficient, as ACL entries are cached in memory and not reaccessed from the DAO.

  3. #3
    Join Date
    Aug 2004
    Location
    Liège, Belgique
    Posts
    47

    Quote Originally Posted by Ben Alex
    In terms of checking a user has a permission before calling a method, the easiest way would be to:

    Code:
    Authentication auth = SecureContextUtils.getSecureContext().getAuthentication();
    // then iterate auth.getAuthorities() for the expected/required role

    Yes, but I don't want the roles to appear in my code.

    http://acegisecurity.sourceforge.net seems to be currently unavailable!

  4. #4
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    The web site is up now; I just tried. Probably a SourceForge problem.

    If you don't want hard-coded roles in your code (which is fair enough) you'll need to use the services layer no-op methods I mentioned in my previous post. This is more often used with ACL security (as it's more complex to check permissions easily from code and without doing an invocation), but there's nothing wrong with using it for roles as well.

  5. #5
    Join Date
    Aug 2004
    Location
    Liège, Belgique
    Posts
    47

    If I understand, I create a dummy method which needs the same rights as the true method and use the dummy to test the access.

  6. #6
    Join Date
    Aug 2004
    Location
    Sydney, Australia
    Posts
    2,768

    Quote Originally Posted by Patrick Vanhuyse
    If I understand, I create a dummy method which needs the same rights as the true method and use the dummy to test the access.
    That's right. I know it seems a bit contrived, but if you need to know sufficient permissions exist to invoke a method, and you don't want to check the permissions list manually in your code, it's really the only way you can do it.
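    The no-op probe pattern agreed on above, written out as an added example (not code from the thread, from Acegi, or from Spring); it assumes a hypothetical DocumentService bean proxied by Acegi's MethodSecurityInterceptor, a hypothetical ROLE_EDITOR attribute in the XML config, and the 0.x package name net.sf.acegisecurity that the thread's SecureContextUtils call belongs to:

```java
import net.sf.acegisecurity.AccessDeniedException;
// Hypothetical services-layer interface (not from the thread or from Acegi).
// deleteDocument() does the real work; isAllowedDelete() is the void no-op that
// Ben Alex describes. Both are listed in MethodSecurityInterceptor's
// objectDefinitionSource with identical attributes, for example:
//   com.example.DocumentService.deleteDocument=ROLE_EDITOR
//   com.example.DocumentService.isAllowedDelete=ROLE_EDITOR
// so the interceptor reaches the same decision for either call, and the role
// name lives only in the Spring XML, never in calling code.
interface DocumentService {
    void deleteDocument(Object document);
    void isAllowedDelete(Object document); // empty body; the interceptor is the check
}

class DocumentServiceImpl implements DocumentService {
    public void deleteDocument(Object document) {
        // real deletion goes here
    }
    public void isAllowedDelete(Object document) {
        // deliberately empty: reaching this line means the interceptor allowed it
    }
}

public class DeleteAction {
    private final DocumentService documentService;

    // Must be the proxied bean from the Spring context (the one wrapped by
    // MethodSecurityInterceptor): a direct new DocumentServiceImpl(), or an
    // internal this.isAllowedDelete() call, bypasses the interceptor entirely.
    public DeleteAction(DocumentService documentService) {
        this.documentService = documentService;
    }

    // Probe without side effects: the no-op either returns or throws. A missing
    // Authentication raises AuthenticationCredentialsNotFoundException instead,
    // which is left to propagate: "not logged in" is not "forbidden".
    public boolean canDelete(Object document) {
        try {
            documentService.isAllowedDelete(document);
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    // Typical use in a Swing standalone app: enable the button only when allowed.
    public void configure(javax.swing.JButton deleteButton, Object document) {
        deleteButton.setEnabled(canDelete(document));
    }
}
```

    The same probe works unchanged when the attributes are ACL-based rather than roles, since the interceptor (not the caller) consults the AclManager.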
