[errai-dev] fine grained authentication

Eric Wittmann eric.wittmann at redhat.com
Thu Jun 20 06:15:36 EDT 2013


+1#2

On 06/20/2013 05:48 AM, Erik Jan de Wit wrote:
> Hi,
>
> So I've worked some more on fine grained security and I've come up with
> the following inspired by PicketLink:
>
> public interface RequestPermissionResolver {
>     public enum PermissionStatus {
>         ALLOW, DENY, NOT_APPLICABLE
>     }
>
>     /**
>      * Tests if the currently authenticated user has permission to 'see' the
>      * specified page request.
>      *
>      * @param user the user to validate the pageRequest for
>      * @param pageRequest the pageRequest for which the permission is required
>      * @return ALLOW if the current user has the permission, DENY or
>      *         NOT_APPLICABLE.
>      */
>     PermissionStatus hasPermission(User user, PageRequest pageRequest);
> }
>
>
> The PageRequest contains the name of the page and the state. By
> implementing this interface the user can create logic if he wants to
> show the page that is about to get shown to the user or not.
>
> The only problem I have now is what should we do when the user decides
> not to show the page? I can see 4 possibilities:
>
> 1. Create a message that is shown on the interface somewhere
> The problems with this are that the message to show should be
> translatable, and where / how to show it must
> also be customisable. Could also be helpful as a general error message
> framework?
>
> 2. Navigate to other page
> We could navigate to another page, with a role SecurityError or
> something like that. This will mean the user
> has full control of what will be shown when security errors occur.
>
> 3. We redirect to the login page
> This is kinda strange because one is already logged in and if there is
> no message this is not really helping.
>
> 4. Throw an exception
> This is also not really helping as there is no way for the user to do
> something at this point.
>
> What do you guys think?
>
> Cheers,
> Erik Jan


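A sketch of option 2 from the quoted proposal, as an added example that is not part of the thread or of Errai's code: several resolvers are combined and a denied request is routed to a SecurityError page. `User`, `PageRequest`, `PageAccessDecider`, the combining rule (any DENY wins, no opinion means denied) and the sample page names are assumptions of this example; records need Java 16 or later.

```java
import java.util.List;

// Added example, not Errai code. User, PageRequest and PageAccessDecider are
// hypothetical stand-ins; only RequestPermissionResolver mirrors the thread.
public class PageAccessDemo {
    enum PermissionStatus { ALLOW, DENY, NOT_APPLICABLE }
    record User(String name, List<String> roles) {}
    record PageRequest(String pageName, String state) {}
    interface RequestPermissionResolver {
        PermissionStatus hasPermission(User user, PageRequest pageRequest);
    }

    // Combines resolvers: any DENY wins, else any ALLOW, else denied by default.
    static final class PageAccessDecider {
        static final String SECURITY_ERROR_PAGE = "SecurityError"; // option 2 target
        private final List<RequestPermissionResolver> resolvers;
        PageAccessDecider(List<RequestPermissionResolver> resolvers) { this.resolvers = resolvers; }

        // Returns the name of the page that should actually be shown.
        String resolveTarget(User user, PageRequest request) {
            boolean allowed = false;
            for (RequestPermissionResolver r : resolvers) {
                PermissionStatus status = r.hasPermission(user, request);
                if (status == PermissionStatus.DENY) {
                    return SECURITY_ERROR_PAGE; // explicit veto, stop evaluating
                }
                allowed |= status == PermissionStatus.ALLOW;
            }
            // No resolver had an opinion: fail closed (assumption of this example).
            return allowed ? request.pageName() : SECURITY_ERROR_PAGE;
        }
    }

    public static void main(String[] args) {
        // Constructed sample resolvers, users and page names.
        RequestPermissionResolver adminPages = (u, p) -> !p.pageName().startsWith("Admin")
                ? PermissionStatus.NOT_APPLICABLE
                : u.roles().contains("admin") ? PermissionStatus.ALLOW : PermissionStatus.DENY;
        RequestPermissionResolver publicPages = (u, p) -> p.pageName().equals("Welcome")
                ? PermissionStatus.ALLOW : PermissionStatus.NOT_APPLICABLE;
        PageAccessDecider decider = new PageAccessDecider(List.of(adminPages, publicPages));
        User alice = new User("alice", List.of("admin"));
        User bob = new User("bob", List.of("user"));
        System.out.println(decider.resolveTarget(alice, new PageRequest("AdminUsers", "")));
        System.out.println(decider.resolveTarget(bob, new PageRequest("AdminUsers", "")));
        System.out.println(decider.resolveTarget(bob, new PageRequest("Welcome", "")));
        System.out.println(decider.resolveTarget(bob, new PageRequest("Reports", "")));
    }
}
```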