access control or access management system
I am working on a client-server application where the client is built using Flex. It comprises various widgets, screens, buttons and tabs, all of which can be qualified as resources. Each of these resources would have access permissions. For example, Screen A might have three buttons B, C and D. A user alpha might just have permissions or access to D only. So when the user alpha logs in, he sends a request to the server. After authentication the server checks his permissions from the database, gets all the resources he is entitled to and forms an XML document. The XML is then sent to the client, which, based on this XML, would hide and show widgets. This scenario, as per my personal feeling, is not very extensible, and as the application grows it might prove too costly. With this in mind I am looking for some open source access management tools which might provide me with similar functionality.
I have looked at a few like Sun's XACML and Apache Lenya; however, I am sure some of you might have hit a similar issue in the past and must have had some experiences. I wanted to check if you could share some of your experiences and if you used any other open source access management tool.
Did any of you use any rules engines for the purpose, and if you did, was that better than using an ACM?
Thanks in advance!!
By kilyasa at 2007-11-27 9:25:34

I'm not terribly familiar with it, but in working with Spring, I've run across the following quite a bit:
http://www.acegisecurity.org/
I don't know if it will meet your specific requirements, but it might be worth a look.
[EDIT] Oh, I see that you're looking more for a CMS than a security model. Sorry if that was a red herring.
~
> I'm not terribly familiar with it, but in working
> with Spring, I've run across the following quite a
> bit:
>
> http://www.acegisecurity.org/
>
> I don't know if it will meet your specific
> requirements, but it might be worth a look.
>
> [EDIT] Oh, I see that you're looking more for a CMS
> than a security model. Sorry if that was a red
> herring.
>
> ~
I am using Spring for DI and IoC as well and have looked at Acegi as well. Though Acegi provides a very good model for security, it is mostly dealing with access to beans on the server side. Please correct me if I am wrong, but that's my observation. My requirements, however, are mostly on the rendering side, as in which widgets/resources to render and which not! So it would be more of access management than authentication/authorization. I am not sure if there are any tools available for such a role-based pattern!?
I've done this kind of thing by following the pattern of the Java Permissions stuff without actually using a SecurityManager as such.
You can create your own species of permissions, store them in a PermissionsCollection for each user (I load mine from database tables, or you could serialize).
Then use the "implies" mechanism to check when the program is deciding whether to provide a control or honour a request.
> I've done this kind of thing by following the pattern
> of the java Permissions stuff without actually using
> a SecurityManger as such.
>
> You can create your own species of permissions, store
> them in a PermissionsCollection for each user (I load
> mine from database tables, or you could serialize).
>
> Then use the "implies" mechanism to check when the
> program is deciding whether to provide a control or
> honour a request.
True!! The catch in this case is that the client is Flex-based and the navigation is decided on the client side, so even with a permissions object you have to pass this information back to the client in some way, possibly XML. That's exactly what is being employed in this application right now.
What I am looking for is an open source tool for the purpose, which might have an admin page for assigning and removing permissions and adding and removing resources, and which is scalable and extensible.
You could simply serialize the user's PermissionsCollection and pass it from server to client that way, as part of the login response.
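Pulling together the Permission pattern described a few posts up (a custom Permission type, one collection per user loaded from the database, the "implies" check before rendering a control or honouring a request) and the login-response serialisation suggested just above, here is an added example that is not code posted in this thread. The concrete class in java.security is spelled PermissionCollection, with java.security.Permissions as the usual implementation. The UiPermission class, the dotted "ScreenA.ButtonD" resource naming, the GRANTS table and the XML element names are assumptions made for the example; the XML shape follows the original question, since a Flex client cannot consume Java serialisation. It needs Java 9 or later for Map.of and List.of.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

/**
 * Added example (not code from the thread): the java.security Permission pattern
 * applied to UI resources, without installing a SecurityManager.
 */
public final class UiAccessDemo {

    /**
     * Hypothetical permission type. Names are dotted resource paths such as
     * "ScreenA.ButtonD" (a naming scheme assumed here, not from the thread).
     * BasicPermission supplies the trailing-wildcard rule:
     * "ScreenA.*" implies "ScreenA.ButtonD", and "*" implies everything.
     */
    static final class UiPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        UiPermission(String name) { super(name); }
    }

    /** Constructed stand-in for the database tables the post loads from: user -> granted names. */
    static final Map<String, List<String>> GRANTS = Map.of(
            "alpha", List.of("ScreenA.ButtonD"),
            "admin", List.of("ScreenA.*", "ScreenB.*"));

    /** Build one user's PermissionCollection (java.security.Permissions is the concrete class). */
    static PermissionCollection loadPermissions(String user) {
        Permissions perms = new Permissions();
        for (String name : GRANTS.getOrDefault(user, List.of())) {
            perms.add(new UiPermission(name));
        }
        perms.setReadOnly(); // any further add() now throws SecurityException
        return perms;
    }

    /** The "implies" check: run before rendering a control and again before honouring a request. */
    static boolean allowed(PermissionCollection perms, String resource) {
        return perms.implies(new UiPermission(resource));
    }

    /** Filter a screen's widget list down to what this user may see. */
    static List<String> visibleWidgets(PermissionCollection perms, List<String> widgets) {
        List<String> visible = new ArrayList<>();
        for (String widget : widgets) {
            if (allowed(perms, widget)) {
                visible.add(widget);
            }
        }
        return visible;
    }

    /**
     * Login-response payload for the Flex client. Java serialisation is no use to a
     * non-Java client, so the granted names are written out as XML, the shape the
     * original question already uses. Only names are sent, never the grant logic.
     */
    static String toXml(PermissionCollection perms) {
        StringBuilder xml = new StringBuilder("<permissions>");
        for (Permission p : Collections.list(perms.elements())) {
            xml.append("<resource name=\"").append(escapeAttr(p.getName())).append("\"/>");
        }
        return xml.append("</permissions>").toString();
    }

    private static String escapeAttr(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        List<String> screenA = List.of("ScreenA.ButtonB", "ScreenA.ButtonC", "ScreenA.ButtonD");
        for (String user : List.of("alpha", "admin", "nobody")) {
            PermissionCollection perms = loadPermissions(user);
            System.out.println(user + " sees " + visibleWidgets(perms, screenA));
            System.out.println("  login payload: " + toXml(perms));
            // Hiding a button is a UI convenience only. The request handler must run the
            // same implies() check, because a client can still send a request for a hidden button.
            System.out.println("  request for ScreenA.ButtonB honoured: " + allowed(perms, "ScreenA.ButtonB"));
        }
    }
}
```

With the grants above, alpha is shown only ScreenA.ButtonD and a request for ScreenA.ButtonB is refused server-side, admin sees all three buttons through the "ScreenA.*" wildcard, and an unknown user gets an empty collection, for which Permissions.implies returns false. The point of keeping the check on the server is that the XML sent to Flex only drives rendering; an attacker with the client can craft any request regardless of what was hidden.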
> You could simply serialize the user's
> PermissionsCollection and pass it from server to
> client that way, as part of the login response.
Have you or anybody else used Sun's XACML, or Higgins and Bandit, for the purpose, and how did you find them from an implementation perspective?