The Lazy Dev

Do less. Develop more.  
« Back to blog
Viewed 356 times
Favorited 0 times
September 14, 2009

Resource access in web sites: authorization

In the Java world when you talk about topic like security,
authentication, authorisation... everyone think about libraries like
Spring Security (ex ACEGI) and now someone at the new incubated Apache
Ki (formerly jSecurity). Many web framework like wicket that I use
have a support for the auth stuff in external modules.

 I do not feel good with this products because, like most java
libraries, are for very complicated environment and typically emerge
from years of experience building sophisticated web applications. They
are very generic in some aspects, especially about authorisation. They
offer a great support for authentication and for integration with
external sources. But on the authorisation side, I still miss
something.

 None of them tell me in any way what are the right way to use them.

 Now my experience is limited compare to whoever ever worked for ACEGI,
jSecurity or whatever. Regardless, I know some key aspect and I want
to simplify some kind of development.

 What I need typically is to
. authenticate user, one time
. authorise user: perform check about user being authorised to
read/write on some resource, every time is needed

 authenticate user is two step:
. verify user credentials and if they match,
. give the user an authentication with all its "permissions" associated

 authorise user is something like this:
. every time a session try to access a resource, we ask for the
session user and verify that the user has permission to read/write
that specific resource.

 I am focusing on resource access, on authorisation. What is a
resource? Till today I just have what I now call *system resources": a
link, a button, a portion of text. Everything that is already there at
the beginning of time. Then I have the "users resources"': everything
that is added to the system by a user. This second category is very
important these days with all this social-user-generated stuff.

 What I also noticed is that a typical method to implements
authorisation based on user-permission, is good both for system and
for users resources. What I need is to clarify the difference at the
application level.

 Given that this kind of distinction is typical in many application, I
can move to a share library that uses a low-level authorisation system
and give me something more related to a real domain to use. My bet is
that with this new level we gain clarity without losing flexibility
and gain a lot of productivity.

 I am working on an implementation that will grant me to have
users-level permissions on users-resources that is backed by the same
implementation I use for system resources. If I will get some
interesting results, I will publish something open source.

Comments (0)

Leave a comment...

 
To leave a comment on this posterous, please login by clicking one of the following.
Posterous-login     twitter