Object ACL and Channel Security

Developer https://www.devze.com 2023-04-11 15:48 Source: Internet
I'm interested in building a web app using the play framework. I like what I see. However, upon reading the security documentation there only appears to be controller/action authentication using the security module.

Can I ask if there is a way to add authentication onto a model object? Similar to Spring Security ACLs?

Also there is no mention of channel security in the module documentation, as I'd like to serve the web app over HTTPS when a user is authenticated and HTTP if they aren't.


Thanks for the info folks. The secure and deadbolt modules are for basic controller security; I'm looking for something with a little more power that rivals the likes of Spring Security.

I took a look at Apache Shiro and although it provides much better security than the play framework modules, it doesn't provide functionality to secure model objects similar to Spring Security's Domain Object ACL.

It's just a pity there are no serious contenders in the Java security space to rival Spring Security. If only Spring Security didn't depend on the Servlet API, I'd look to hook it into my Play application.


  • Check the secure module which is used to secure the controller methods.

  • Although I have not used it there is also a module called deadbolt for authorisation.

  • The documentation/tutorial and examples are quite exhaustive. The tutorial takes you through adding authentication with secure.

  • Have a look at the security guide to give you an idea of how play approaches security.

  • HTTPS is not a problem. In my experience it is better served by a reverse proxy like Apache that fronts your Play! app.


If you need a more granular security I would recommend using the security-permissions module. It allows you to define instance level access control (rather than a class level or group level) and it is based on drools.

A rule would look like this but you can customize the last line to match a specific user and the actions are custom as well so you can define your own.

/* Admins can only edit postcards and letters */
rule CanUserEditLetter
when
  $cs: Item(name == "letter")
  $c: PermissionCheck(target == $cs, action in ("delete", "update", "insert"))
  Role(name == "admin")
then
  $c.grant();
end
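The instance-level check the rule above describes, as an added plain-Java illustration that is not the security-permissions module's own API: the `Item`, `PermissionCheck` and `Principal` types and the owner rule are assumptions modelled on the facts the DRL rule matches.

```java
// Added illustration, not the security-permissions module's API: a plain-Java
// model of how an instance-level rule such as CanUserEditLetter is evaluated.
import java.util.Set;

final class Item {
    final String name, owner;
    Item(String name, String owner) { this.name = name; this.owner = owner; }
}

final class PermissionCheck {
    final Item target; final String action; private boolean granted;
    PermissionCheck(Item target, String action) { this.target = target; this.action = action; }
    void grant() { granted = true; }
    boolean isGranted() { return granted; }
}

final class Principal {
    final String username; final Set<String> roles;
    Principal(String username, Set<String> roles) { this.username = username; this.roles = roles; }
}

final class InstanceAcl {
    private static final Set<String> EDIT_ACTIONS = Set.of("delete", "update", "insert");

    // Mirrors the DRL rule on the page: admins may edit items named "letter".
    static void canUserEditLetter(PermissionCheck c, Principal p) {
        if ("letter".equals(c.target.name) && EDIT_ACTIONS.contains(c.action)
                && p.roles.contains("admin")) {
            c.grant();
        }
    }

    // Hypothetical instance-level rule: only the owner of this particular item may update it.
    static void ownerCanUpdate(PermissionCheck c, Principal p) {
        if ("update".equals(c.action) && c.target.owner.equals(p.username)) c.grant();
    }

    // Default deny: the check passes only if some rule called grant() on it.
    static boolean check(Item target, String action, Principal p) {
        PermissionCheck c = new PermissionCheck(target, action);
        canUserEditLetter(c, p);
        ownerCanUpdate(c, p);
        return c.isGranted();
    }

    public static void main(String[] args) {
        Item letter = new Item("letter", "alice"), postcard = new Item("postcard", "bob");
        Principal admin = new Principal("carol", Set.of("admin")), bob = new Principal("bob", Set.of("user"));
        System.out.println(check(letter, "delete", admin));   // admin rule fires
        System.out.println(check(postcard, "delete", admin)); // not a letter: no rule fires, denied
        System.out.println(check(postcard, "update", bob));   // bob owns this instance, not the letter
    }
}
```

The point of the two rules is that the decision depends on the specific object instance (its name, its owner), which is what class-level or group-level checks in the secure module cannot express.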