[jboss-dev-forums] [JBoss AS 7 Development] - Access control notes
Darran Lofthouse
do-not-reply at jboss.com
Tue Apr 23 05:45:37 EDT 2013
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] commented on the document
"Access control notes"
To view all comments on this document, visit: https://community.jboss.org/docs/DOC-48596#comment-11935
--------------------------------------------------
Two more thoughts to add: -
1 - Operations that go on to other things i.e. if an operation updates other attributes or calls other operations does it automatically have access or still perform access control check as the user?
i.e. May want to stop a user from modifying individual attributes but let them call an operation that updates multiple at once.
2 - Pre-flight checks will be good but still need to consider the request may still fail authorization.
A user's group membership may not be static.
Permissions on the server could be updated.
--------------------------------------------------
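Added example, not part of the original comment and not JBoss AS 7 code: a small Python model of the two points above, with all class, permission and group names hypothetical. It assumes one possible answer to point 1 (a composite operation is authorized at its own entry point and its internal attribute updates are not re-checked as the caller) and shows for point 2 that a pre-flight answer is advisory, because the check is repeated at execution time against current group membership.

```python
# Constructed model, not JBoss AS 7 code. All names here are hypothetical.
class AccessDenied(Exception):
    pass

class Server:
    def __init__(self):
        # permission -> groups holding it (assumed policy layout)
        self.policy = {
            "op:apply-profile": {"operators"},
            "write:max-threads": {"admins"},
            "write:timeout": {"admins"},
        }
        self.groups = {"alice": {"operators"}}  # user -> current groups
        self.attrs = {"max-threads": 10, "timeout": 30}

    def is_permitted(self, user, permission):
        # Evaluated against current membership and policy on every call.
        allowed = self.policy.get(permission, set())
        return bool(self.groups.get(user, set()) & allowed)

    def write_attribute(self, user, name, value):
        if not self.is_permitted(user, "write:" + name):
            raise AccessDenied(user + " may not write " + name)
        self.attrs[name] = value

    def apply_profile(self, user, max_threads, timeout):
        # Composite operation: authorized at its own entry point, at execution
        # time; its internal updates are not re-checked as the caller.
        if not self.is_permitted(user, "op:apply-profile"):
            raise AccessDenied(user + " may not call apply-profile")
        self.attrs.update({"max-threads": max_threads, "timeout": timeout})

def attempt(action, *args):
    try:
        action(*args)
        return "allowed"
    except AccessDenied:
        return "denied"

def demo():
    s = Server()
    out = {"preflight": s.is_permitted("alice", "op:apply-profile")}  # advisory
    out["direct_write"] = attempt(s.write_attribute, "alice", "timeout", 5)
    out["composite"] = attempt(s.apply_profile, "alice", 20, 60)
    s.groups["alice"] = set()  # membership changes after the pre-flight check
    out["after_change"] = attempt(s.apply_profile, "alice", 99, 99)
    out["attrs"] = dict(s.attrs)
    return out
```
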