Authorization Mechanism

Last modified by RaffaelloPelagalli on 2007/01/24 11:41

The authorization part contains roles (roles link the authentication and authorization parts), domains and permissions.

  • Map your resources to permissions.
In a web application, you can see resources as URLs. jGuard provides a permission implementation based on URLs: URLPermission.

Permissions are a view of your resources: they represent which actions you can perform on your resources. So you can map one resource (URL) to a permission, or multiple resources (URLs) to a permission.

Note that you can protect your application with any java.security.Permission subclass: permissions provided by the JDK or jGuard, or custom permission subclasses that you implement.

  • Some dynamic websites can have a huge number of URLs/resources to protect.
To solve this problem, you can group multiple resources into one permission if their access rules are the same. To do that, you have to be aware of the naming conventions used to create your URLs.

The URLPermission provided by jGuard can use the regexp star pattern (*) to group permissions.

  • Group permissions in domains
Because you can have many permissions, jGuard proposes grouping them in domains. You should group permissions in domains on a functional basis. For example, all permissions related to invoices should be grouped in the invoice domain.

If you think this mechanism is too fine-grained, you can group all permissions in one single big domain (each permission must be linked to only one domain).

  • Map roles to permissions/domains
To have a flexible system, you have to map roles to permissions. You can map each permission to roles, or map entire domains to roles (the easier way). You can also map a role to a mix of some permissions and some domains.

  • What is the difference between a role and a domain?
Domains and roles both group permissions, but a domain is related to functional resources, and a role is related to organizational resources.

For example, a manager can view all of the team information, but only some parts of the financial information. A domain is related to the website's organization, but a role is related to the website's and/or the enterprise's organization. The difference is subtle, but we think it is appropriate to provide both notions to jGuard users (you can drop the domain notion by creating only one domain).

A role can contain multiple domains and permissions, and supports multiple inheritance, but a domain cannot contain other domains and does not support multiple inheritance.
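
The manager case described above, as an added example that is not jGuard code: a role mapped to one whole domain plus a single extra permission, checked through java.security.Permission.implies(). UrlPatternPermission, Role and DOMAINS are hypothetical names; this is not jGuard's URLPermission, and role inheritance is left out.

```java
import java.security.Permission;
import java.util.*;
import java.util.regex.Pattern;

// Added illustration; NOT jGuard's URLPermission. All names are hypothetical.
public class DomainRoleDemo {

    // A permission whose name is a URL pattern; '*' matches any run of characters.
    static final class UrlPatternPermission extends Permission {
        private final Pattern regex;
        UrlPatternPermission(String urlPattern) {
            super(urlPattern);
            // Quote everything except '*', so '.' and '?' in URLs stay literal.
            regex = Pattern.compile(Pattern.quote(urlPattern).replace("*", "\\E.*\\Q"));
        }
        @Override public boolean implies(Permission p) {
            return p instanceof UrlPatternPermission && regex.matcher(p.getName()).matches();
        }
        @Override public boolean equals(Object o) {
            return o instanceof UrlPatternPermission
                && ((UrlPatternPermission) o).getName().equals(getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }
        @Override public String getActions() { return ""; }
    }

    // Domain: a functional group of permissions (each permission lives in one domain).
    static final Map<String, List<Permission>> DOMAINS = Map.of(
        "invoice", List.of(new UrlPatternPermission("/invoice/*")),
        "team",    List.of(new UrlPatternPermission("/team/*")));

    // Role: organizational; mapped to whole domains and/or individual permissions.
    record Role(Set<String> domains, List<Permission> permissions) {
        boolean allows(String url) {
            Permission requested = new UrlPatternPermission(url);
            List<Permission> granted = new ArrayList<>(permissions);
            for (String d : domains) granted.addAll(DOMAINS.getOrDefault(d, List.of()));
            // Deny by default: some granted permission must imply the request.
            return granted.stream().anyMatch(g -> g.implies(requested));
        }
    }

    public static void main(String[] args) {
        // Manager: the whole team domain, but only one part of the financial pages.
        Role manager = new Role(Set.of("team"),
                List.of(new UrlPatternPermission("/finance/summary.do")));
        for (String url : List.of("/team/list.do", "/finance/summary.do",
                                  "/finance/ledger.do", "/invoice/42"))
            System.out.println(url + " -> " + (manager.allows(url) ? "allow" : "deny"));
    }
}
```

In this sketch `*` also matches `/` and `..`, so the request path has to be normalized before the check; otherwise `/team/../finance/ledger.do` would be implied by `/team/*`.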

Created by diabolo512 on 2006/06/16 18:06

jGuard team copyright 2004-2009
3.1.1