4

I have a PHP application which has an access control mechanism based on the navigation-id's of the single pages. So a user may have access to pages 1, 4, 5, for example. Navigation-id's are not static, new pages (and therefore new nav-id's) may be generated by admin-user. And I have some kind of a service oriented architecture. So I have services which are called from the client by JSON but also from server-side by PHP-classes (controllers) directly. The problem I have is, I need a access control mechanism for the services. And I'd like to have it separated from the services itself.

The services are returning business objects. All this BO's have some "connection" to an object, which has a navigation id. e.g. service returns images: Image.page-->Page.navID or service returns dimensions (n-n): Dimension-->DimImageConnector-->Image.page-->Page.navID.

I can't imagine a clean solution to check access rights. To search for a navigation-id in the business objects doesen't seem to be a very good and simple solution.

It would be nice to have some input for my access control architecture.

Thank you!

BTW: I'm using an annotation framework, so one possibility is to specify some access information right by the service method.

Improve this question
4
  • Can't it be solved with kind of an ACL? Commented Nov 11, 2010 at 13:02
  • The resource should probably define, what user groups have access to it or sub parts of it. Which would include a proper ACL setup. Commented Nov 11, 2010 at 13:44
  • Maybe I need to be more detailed. E.g. i have a module called news. So there may be more than one pages (with navigation-id's) which use this module. One user has permission to one page, another user has permission to the other page. But i have only one service, let's call it NewsEntryLoader. So both pages call the service. ... Commented Nov 11, 2010 at 14:37
  • How should i check the rights of the user? I need to check, to which of the News-Entries the current user has access. Of course, i could check it in the service itself (because the NewsEntry-Object have a relation to the page), but if possible i want to check rights generic outside the service itself. Commented Nov 11, 2010 at 14:38

2 Answers 2

Reset to default
1

My idea is a bit complicated to implement, but I think it solves the problem. It has one problem with your request, and is that is not separeted of the services per se.

Imagine this idea. You have a base service class with a method IsCallable returning if the current user can call the service.

From that service class you inherit, NonAuthenticatedService and AuthenticatedService. After you have that, you need only to create a service factory to retrieve services and call them.

Here I leave a graphical idea of my toughts. Sorry for the graphics, it's just Power Point, because Im not a fan of CASE Tools. :)

Sample Hierarchy

Hope I can help!

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

If the nav-ids change and permissions are based on nav-ids then you'll have to remap all the nav-ids whenever they change.

Probably the easiest method would be to have a table that matches users to pages (not nav-ids). You might modify what you have or create a new table. Then have another table that maps the pages to their current nav-id. To check whether a user has access, you join the two tables.

Then all you need to do is update the mapping table whenever the nav-ids change.

I would recommend investigating a method by which the nav-ids will not change. Alternatively, add a static id to be used with the nav-id. That way you can just reference the static ids and let the nav-ids change as much as they want.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.