lost in Dynamic Authorization

Hello,

I post here after begging people to
please understand my problem first and ofcourse, for quicker response.this is what I need to achieve:
It is about dynamic authorization.

My application will have an admin page where the admin will be able to give access rights to users for certain actions on certain pages. these could be any permutation and combination.
I need to be able to authorize them based on this condition.
For example :
If it were a mechanic application.
The admin will be able to authorize MechA to be able to perform "Add, Delete" actions on garage A, but only VIEW rights on garage B.
similarly MechB to be able to only "ADD" in garage A, but ADD,DELETE in garageB.Again, the number of garages can be many. the admin will be able to add a garage and delete a garage.
(ofcourse, based on the current access rights they have, the JSP will display those current access rights)
I have poured over google search and forums and security frameworks to decide on an approach for this.

I initially had thought that I will have a table which will have two cols USER and PERMISSIONS.
where users would be the suers and permissions would be URLs. Ex. :

mechA | garageA/add.jsp
mechA | garageA/delete.jsp
mechA | garageb/view.jsp

However, this premature understanding will not work because of obvious reasons (if I need to update or delete the URL for the user.. I am screwing up everything).
Then, now I am thinking of an XML based authorization now. where the parent node will be the user name and his child nodes will be the URLs he has access to. Though i have not worked on this, I know this will be of no use, because my application will have the capability to switch between a db and LDAP. I have very little knowledge of LDAP though.

No secuirty framework is going to be of help ( i have looked extensively through JAAS and Acegi).
because they function majorly on ROLES. In my case I have no ROLES at all :-(

I have been pulling my hair out trying for a solution for this kind of a configurable scenario, where the user base could be on a DB and on LDAP.
Any ideas/help/pointers towards an approach would be highly appreciated.

thanks in advance for your time.

First, I'd recommend revisiting that "no roles" decision. What if you build up a complex set of permissions for one person, then hire a new person and want to make their permissions the same? Would you rather give the new person one role or set up dozens of detailed new permissions? Now if you have ten people with that role and you add a new page that they can see, would you rather update ten person profiles or one role?

Consider an Access Control List or ACL. Google for how the rules work in Unix systems - emulating that would probably be a good thing. To see if Bob can modify resource X execute query (against db or objects in memory) that gives you back all of Bob's relationships to X, then choose the most restrictive. So if RoleA gives Bob permission to execute X and RoleB denies permission, RoleB wins and Bob is out of luck. That lets you give a new hire an existing role and add a few exceptions.

Regarding your db or LDAP quandry ... isolate the dependency on the storage mechanism to one class. The rest of your system doesn't need to know or care which one you use. Make an interface to retrieve permissions, build one implementation for JDBC and another for LDAP. You can load one or the other based on configuration at startup or on each call.
PermissionManager pm = null; public void setUp() { String className = configuration.get("permissionmanager"); pm = (PermissionManager)Class.forName(className).newInstance(); }
[ August 05, 2007: Message edited by: Stan James ]

Hello,

Here, the tricky part is that the allowed actions for a role are not standard and they change based on individual users. For example, the Mechanic A might require add,update and delete permissions, but the Mechanic B might require update,view, and delete permissions.

Here is my thought about the schema and object design to solve the problem:

Table: Object (Stores the object names)
1. Garage
2. Generator Room

Table: Action (Stores all possible actions)
1. Add
2. View
3. Update
4. Delete

Table: ObjectActionPage (Mapping among Object, Action, and JSP page)

1. Garage Add GAdd.jsp
2. Garage View GView.jsp
3. Garage Update GUpdate.jsp
4. Garage Delete GRDelete.jsp

5. Generator Room Add GRAdd.jsp
6. Generator Room View GRView.jsp
7. Generator Room Update GRUpdate.jsp
8. Generator Room Delete GRDelete.sp

(The advantage of above design is that anytime the page name for any action and object combination gets changed, you update only few records on this table, rather than updating several records in user mapping table)

Table: UserObjectActionPage

UserID ObjectActionPage ID

Mechanic1 1 (The Mechanic1 will have Add permission on Garage)
Mechanic1 3 (The Mechanic1 will have Update permission on Garage)
Mechanic1 4 (The Mechanic1 will have Delete permission on Garage)
Mechanic1 6 (The Mechanic1 will have View permission on Generator Room)


Mechanic2 2 (The Mechanic2 will have View permission on Garage)
Mechanic2 3 (The Mechanic1 will have Update permission on Garage)
Mechanic2 4 (The Mechanic1 will have Delete permission on Garage)


Will it work for your requirements?

Regards,
Krishna

First, Thank you so much for the quick replies.
@Stan: I will surely have groups (but no ROLES) which will have static access permissions. Users can be added to these groups and they will have the same access rights. The problem is with the configurability and the requirement that a user can be an individual, or be a part of a group, or be a part of the group but also additional access rights as the admin wishes.
@krishna: You have hit the nail on the head. You have perfectly understood my dilema. My mind is not able to think further on this now. I had actually thought of, your design.

>>Table: ObjectActionPage (Mapping among Object, Action, and JSP page)

But didnt take it further because I didnt know how I will map Garage internals with this kind of a design.
I plan to authorize on basis of URLS. with this approach I can probably authorize a user only like : garageA/edit.jsp
A mech1 can be authorized to handle types of carA and mech2 to be able to handle type carB
So eventually my URL would probably look like :garageA/accessright/carType/add.jsp

Any changes in your approach that you might want to help me understand this ?


thanks in advance for your time

P.S: Can I also use this approach for LDAP ? ( all i kno about LDAP is that I can have a username and a paswsword and a ROLE for a user )

My thoughts :

XML file based authorization !!!

This is what I was able to come up with. :
1.XML:
<access>
<user>
<name>
<URL1>
<URL2>
<URL3>
</user>
</access>

Here I will give complete URLs against every single user. The URL will ofcourse be of the functionality associated to it like add.jsp, view.jsp delete.jsp. where in, I can parse this XML and populate a map with key as user and URLs as value and keep checking it.

All this will be administered through an admin page. where once a user is selected, his access.Based on these URLs I will also display the current access rights given to the user.

There might also be groups for certain users.A user can be in a group or individual, or both.

2.XML:
<group>
<name>
<URL1>
<URL2>
</name>
<users>
<name>
</name>
</users>
</group>



1)Alghough I have not implemented something like this before.. I hope adding a URL node and deleting a URL node from the <user> shouldnt be a problem.
If we have a file based auhentication system like this, we can simly use the DB and LDAP only for authentication purposes.
What do you all think about this ?