AND or OR roles filters?


AND or OR roles filters?

jcvidal
Hi,

I'm using Ki in an unusual way (with configuration in an XML file instead of the web.xml ini-file-like conf).
That's not the point (all is working well), but trying different scenarios, I found a weird behaviour.

Let's say there is in the conf file a line like this:

/blabla/** = authc, roles[admin,superadmin]

In my mind, this means: an (authenticated) user with the admin role OR the superadmin role may access /blabla/**.
In fact, it seems to be: a user with the admin role AND the superadmin role may access /blabla/**.

Am I right or am I wrong?

Obviously, the next question is: if the AND behaviour is the standard one, how to have an OR behaviour?



Best regards

Jean-Charles
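Editor's note on the question above: the stock roles filter in Ki (and in Apache Shiro, the name the project later took) evaluates subject.hasAllRoles(...) over the bracketed list, so roles[admin,superadmin] is indeed an AND. An OR variant is a small custom AuthorizationFilter. The class below is an added example, not code from the project or from either poster; it assumes the Shiro-era package names (org.apache.shiro.web.filter.authz, org.apache.shiro.subject), the hypothetical package name example, and that the framework passes the bracketed list to the filter as a String[] (which is how the stock roles filter receives it).

```java
package example;   // hypothetical package, not part of Ki/Shiro

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;

/**
 * Added example: grants access when the subject holds AT LEAST ONE of the
 * roles listed in the chain definition, e.g.
 *
 *     /blabla/** = authc, anyRoles[admin,superadmin]
 *
 * The stock roles filter calls subject.hasAllRoles(...), i.e. AND over the
 * list; this one ORs them instead.
 */
public class AnyRolesAuthorizationFilter extends AuthorizationFilter {

    @Override
    protected boolean isAccessAllowed(ServletRequest request,
                                      ServletResponse response,
                                      Object mappedValue) {
        Subject subject = getSubject(request, response);

        // The bracketed list from the chain definition arrives as a String[]
        // (assumption: same contract as the stock RolesAuthorizationFilter).
        String[] roles = (String[]) mappedValue;

        // No roles configured: nothing to enforce. Mirrors the stock filter,
        // so anyRoles with an empty list does not silently lock everyone out
        // or, worse, differ in behaviour from roles[] on the same path.
        if (roles == null || roles.length == 0) {
            return true;
        }

        // OR semantics: pass on the first role the subject actually holds.
        // An anonymous subject holds no roles, so it falls through to false
        // and AuthorizationFilter.onAccessDenied() handles the redirect.
        for (String role : roles) {
            if (subject.hasRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```

To use it, register the class under a short name in the filter section of the configuration (in Shiro-style INI that is `anyRoles = example.AnyRolesAuthorizationFilter` under [main]; the exact section name in Ki's XML/INI config is not shown on this page) and then write `/blabla/** = authc, anyRoles[admin,superadmin]`. Keep `authc` in front of it: the filter itself only answers "does this subject hold one of these roles", and you want an unauthenticated user sent to the login page rather than to the unauthorized page.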

Re: AND or OR roles filters?

Les Hazlewood-2
Hi Jean-Charles,

We don't support logical expressions in text configuration at the moment (please add a Jira issue if you'd like to see this feature!).

Currently most people use Permissions for this type of model, since they are much finer grained and allow really customizable security policies.

That is, you might see the following:

/blabla/** = authc, perms[user:create]

That way it doesn't matter what roles they have, as long as at least one of the roles to which they're assigned implies the 'user:create' permission.

I don't disagree that it could be useful to support what you mention (text-based config with logical expressions for roles and/or permission checks), but if you think about it, it's not entirely easy: we'd need to come up with a parsing/expression grammar that could parse your logical expression string and convert it into a security check.

It's not very simple; we'd probably have to use something like ANTLR, and even then I'm not sure that should be a required dependency. But if you like, open a Jira issue and we could discuss it :)

Cheers,

Les

On Wed, Apr 29, 2009 at 12:08 PM, jcvidal <[hidden email]> wrote:
--
View this message in context: http://n2.nabble.com/AND-or-OR-roles-filters---tp2741505p2741505.html
Sent from the JSecurity User mailing list archive at Nabble.com.
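The permission-based alternative Les describes can be checked outside a servlet container, which makes the difference between the two filters concrete. The program below is an added example written by the editor against the Apache Shiro 1.x API (Ki's later name; the classes used here, Ini, IniRealm, DefaultSecurityManager and Subject, exist under org.apache.shiro.* in Shiro; Ki's own package names are not shown on this page and are an assumption). The users, roles and permissions in the embedded INI are constructed for the demonstration. With that realm, only carol (who holds both roles) satisfies what roles[admin,superadmin] checks, while alice, bob and carol all satisfy what perms[user:create] checks, because admin is granted user:create explicitly and superadmin's wildcard "*" implies it.

```java
import java.util.Arrays;
import java.util.List;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.config.Ini;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.subject.Subject;

/**
 * Added example (editor's, not the project's): evaluates the same checks the
 * roles[...] and perms[...] filters make, against a constructed in-memory realm.
 */
public class RolesVsPermsDemo {

    // Constructed sample realm: three users, two roles, roles carry permissions.
    // "admin" implies user:create explicitly; "superadmin" holds the wildcard
    // permission "*", which implies every permission including user:create.
    private static final String INI =
        "[users]\n" +
        "alice = pw, admin\n" +
        "bob = pw, superadmin\n" +
        "carol = pw, admin, superadmin\n" +
        "[roles]\n" +
        "admin = user:create, user:read\n" +
        "superadmin = *\n";

    /** The check behind the stock roles[admin,superadmin] filter: AND over the list. */
    static boolean passesRolesFilter(Subject subject) {
        List<String> required = Arrays.asList("admin", "superadmin");
        return subject.hasAllRoles(required);
    }

    /** The check behind perms[user:create]: any assigned role that implies it suffices. */
    static boolean passesPermsFilter(Subject subject) {
        return subject.isPermitted("user:create");
    }

    public static void main(String[] args) {
        Ini ini = new Ini();
        ini.load(INI);
        SecurityUtils.setSecurityManager(
                new DefaultSecurityManager(new IniRealm(ini)));

        for (String user : new String[] {"alice", "bob", "carol"}) {
            Subject subject = SecurityUtils.getSubject();
            // All sample users share the password "pw" (constructed data).
            subject.login(new UsernamePasswordToken(user, "pw"));
            System.out.printf("%-6s roles[admin,superadmin]=%-5b perms[user:create]=%b%n",
                    user, passesRolesFilter(subject), passesPermsFilter(subject));
            subject.logout();
        }
    }
}
```

The security-relevant point is the direction of the coupling. With roles[...] the URL definition hard-codes which role names exist, so adding a third privileged role later means editing every chain definition that should admit it. With perms[...] the URL states the capability it protects and the realm's role-to-permission mapping decides who has it, so the OR that jcvidal wants falls out of the data model rather than from a logical expression in the filter string. The cost Jean-Charles notes below is real: the perms side only works if the realm actually assigns permissions to roles, which is more modelling than a plain role check.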



Re: AND or OR roles filters?

jcvidal
Hi Les

You're right: it won't be simple. I already thought about permissions, but it's a little bit too granular :)
I'm thinking about the JIRA, but not for now...

Thanks a lot for your help

Best regards

Jean-Charles
