    security, roles and entrypoints question

    Hi,

    I'm thinking about how to secure my app best. I currently have Spring Security set up and working nicely. I'm using Spring Web Services as the DataSource endpoints and have method-based security.

    However, I have a couple of different client roles ("user", "reporter", "admin", etc.) and there's, of course, a requirement that the users should have different views and different operations available depending on the role.

    A simple example is that a "system events" tab is only visible to admins, or that an "edit" button should be greyed out for all but admins.

    The thing I'm wondering about is this: if I enforce this through the same entry point (for example, by having a switch in the "onModuleLoad" that calls a different "view-setup class" depending on the role), all client-side logic is still downloaded and potentially visible to all users, regardless of the role.

    If, for example, I wouldn't want a "reporter" user to know that it's possible to view a system log, I'd have to have different entry points, right?

    Thoughts? Perhaps I'm too paranoid... :)

    #2
    Hi,

    Did you get a response for your issue?
    I am facing the same situation and I cannot find a feasible solution.

    Thank you,
    Angel



      #3
      Why is it important to not have the client-side code available when a user is not in a role? In other words, just show/hide things that are available/not available based on the role. You can add a DataSource to pull the privileges from the server and use them on the client to render the changes based on role.



        #4
        The security of the frontend is not important at all; just hide/show elements. Because we are talking about security, the important part is the web service side, because bypassing this "security" is as easy as taking the HTTP request. For example, if the logged-in user is "normal", the admin page must not be loaded with data. All security must be in the web service; if the user bypasses frontend security it doesn't matter, because the web service will not provide data.

        My apps have this logic:
        - core: addwindowmodule(ID); if id is 1 then add(respectivemodule).
        - left menu: tree on click addwindowmodule ( id node )
        - anywhere menu: on click addwindowmodule ( )

        Any event that calls a module must call core. If a user bypasses this logic, no problem: he can't see anything, because the web service will not give data.

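The point made in #3 and #4, as an added example that is not code from the original thread: with Spring Security method security (which the original poster already has), the authorization rule lives on the service method behind the web service endpoint, and the client only receives the caller's own granted privileges to decide what to render. `SystemLogService`, the repository interface and the role names are assumptions for illustration.

```java
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

// Assumed service behind the DataSource endpoints the GWT client calls.
// Method security must be switched on in the Spring configuration, e.g.
// @EnableGlobalMethodSecurity(prePostEnabled = true) on a @Configuration class
// or <global-method-security pre-post-annotations="enabled"/> in XML.
@Service
public class SystemLogService {

    // Hypothetical persistence interface; only its two methods matter here.
    public interface LogRepository {
        List<String> findAll();
        void updateText(long eventId, String newText);
    }

    private final LogRepository logRepository;

    public SystemLogService(LogRepository logRepository) {
        this.logRepository = logRepository;
    }

    // The server-side rule. Hiding the "system events" tab on the client is
    // cosmetic; this annotation is what denies a "reporter" who replays the
    // HTTP request by hand: an AccessDeniedException is raised before the body runs.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public List<String> fetchSystemLog() {
        return logRepository.findAll();
    }

    // Same pattern for a write: the greyed-out "edit" button is not the control.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void editEvent(long eventId, String newText) {
        logRepository.updateText(eventId, newText);
    }

    // Safe to expose to the client: the caller's own authorities, used only to
    // show/hide UI. It reveals nothing the caller does not already hold.
    public Set<String> currentPrivileges() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) return Collections.emptySet();
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }
}
```

Because the check is on the method and not on the endpoint URL, it also protects any other transport (a second entry point, a test client, a script) that reaches the same service.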