http://ayende.comAyende @ RahienCopyright (C) Ayende Rahien 2004 - 2021 (c) 202660Simon, Yes, RS is infrastructure. How you use it isn't. http://ayende.com/4559/real-world-authorization-implementation-considerations#comment22http://ayende.com/4559/real-world-authorization-implementation-considerations#comment22Wed, 04 Aug 2010 07:54:56 GMTSo Rhino Security _IS_ infrastructure too? TBH I think the debt collection example you use could be better defined with a fairly a simple Workflow process, this would limit the "negotiators" by virtue of the actors you set on the "negotiate" activity. You map the Workflow to a "case" entity, this also allows you to delegate to someone not normally permitted by the value rules (for example someone may have experience with that sector, and you feel they may be able to better extract the money) It also gives you a baked in mechanism for things like escalation and periodic chase ups.... (as well as maintaining the same security model for the case's lifetime) In this case your assertion is correct the Workflow design _IS_ specialised to that task, and therefore not Infrastructure. :) Now we just need a Workflow engine that can handle this... WF4 is not it! Si http://ayende.com/4559/real-world-authorization-implementation-considerations#comment21http://ayende.com/4559/real-world-authorization-implementation-considerations#comment21Wed, 04 Aug 2010 06:36:47 GMTSimon, Infrastructure to me mean code that isn't tied to a particular project. In other words, if you have code that you can use in two projects, it is infrastructure http://ayende.com/4559/real-world-authorization-implementation-considerations#comment20http://ayende.com/4559/real-world-authorization-implementation-considerations#comment20Tue, 03 Aug 2010 23:13:06 GMTSecond blog comment in one day (massively unusual for me) Trying to clarify your distinction between infrastucture and framework. I take it you mean "Infrastructure" as in o/s, db, .... both of which are ultimately frameworks anyway? All are exposing a security model, it's just Rhino's is better than the SQL Server / AD, or am I missing a point. (Quite possibly) I would like to see a security model that maps not only entities, but inferred rights imbued due to relationships (both explicit and inferred). Ultimately the "user / security principle" is an entity, the relationship it has with other entities should drive what actions it can perform. E.g you become a manager on a project, you should now be able to see the names of the other people that are team members on the project. Still anything is better than SharePoint's ISecurityTrimmer, and the ugliness of returning 1,000,000 needless items to just discard 999.999 due to permision constraints :) Si http://ayende.com/4559/real-world-authorization-implementation-considerations#comment19http://ayende.com/4559/real-world-authorization-implementation-considerations#comment19Tue, 03 Aug 2010 21:36:08 GMTI've looked at Rhino Security a little bit when you posted previously about it. The operation view of things looks similar to how AzMan works. The one thing that RS adds that is lacking with AzMan is that you pass the entity along which provides powerful context for authorization. In our current project we've had two instances (could be more yet) where the entity involved in the operation mattered and we had to implement a solution over top of AzMan. Overall though I much prefer the operation-based authorization instead of role-based for systems of any complexity. Good things to keep in mind here though. Thanks. http://ayende.com/4559/real-world-authorization-implementation-considerations#comment18http://ayende.com/4559/real-world-authorization-implementation-considerations#comment18Fri, 30 Jul 2010 17:36:05 GMTI didn't look at Rhino Security until now but I have a restriction to use it. I work at a company and we use few third party frameworks and libraries as possible. You know. Today we use only NH, but I will take a look at RS. Thanks http://ayende.com/4559/real-world-authorization-implementation-considerations#comment17http://ayende.com/4559/real-world-authorization-implementation-considerations#comment17Mon, 26 Jul 2010 20:03:32 GMTCassio, NH Filters aren't suitable for that. You probably want to look at Rhino Security, which does all of that for you. http://ayende.com/4559/real-world-authorization-implementation-considerations#comment16http://ayende.com/4559/real-world-authorization-implementation-considerations#comment16Mon, 26 Jul 2010 19:32:38 GMTAyende, I don't know if you remember but I discussed with you and Fabio about NH filtering subclasses - I had to do it by myself. I had exactly these kind of problems of authorization (filtering) and I wanted to use NH filters. The advantage to use NH filters is because they're simple to disable in case of a super admin user, for example. But they need more power in my opinion. This reminds me that I complained about one more thing. I have to enable or disable them in my GetSession() method, where I don't have too much information about the context. So I asked you to create a new event where I could enable or disable filters just before NH build the query. Do you remember? What do you think? http://ayende.com/4559/real-world-authorization-implementation-considerations#comment15http://ayende.com/4559/real-world-authorization-implementation-considerations#comment15Mon, 26 Jul 2010 19:20:33 GMTThat truely clarifies your point of view. I'll think about it :) Take care http://ayende.com/4559/real-world-authorization-implementation-considerations#comment14http://ayende.com/4559/real-world-authorization-implementation-considerations#comment14Mon, 26 Jul 2010 17:03:13 GMTSzymon, Not that way, no. That invert the association, because that states what the CONDITIONS for the operation are. I don't care about this, I want to state if the op is permitted, and the condition executed by the infrastructure. Something like: Security.IsAllowed("/Order/Approve", entity, user) http://ayende.com/4559/real-world-authorization-implementation-considerations#comment13http://ayende.com/4559/real-world-authorization-implementation-considerations#comment13Mon, 26 Jul 2010 08:46:54 GMTAyende, by saying 'a _lot of different context' I understand a logic operation (for instance: concatenation) on the mentioned conditions. Would you express them as a composite condition, like (using specifications) if (new IsCustomerGoldSpec (customer) && new HitOrderLimit(customer)) in your code, or maybe you would try to hide it in some way? http://ayende.com/4559/real-world-authorization-implementation-considerations#comment12http://ayende.com/4559/real-world-authorization-implementation-considerations#comment12Mon, 26 Jul 2010 08:22:28 GMTSzymon, _How_ you implement filtering is a separate topic. Yes, you certainly want _that_ to be an infrastructure piece. But the problem is how you provide enough context to make things useful. As for the idea of a scope. Consider how much more messy it is to write the code for the second scenario that I have in the post with explicit scopes. Then consider the fact that this is a highly simplified scenario, and real world scenarios may requires a _lot_ of different contexts for different parts of the operation http://ayende.com/4559/real-world-authorization-implementation-considerations#comment11http://ayende.com/4559/real-world-authorization-implementation-considerations#comment11Sat, 24 Jul 2010 11:36:40 GMTHave you considered moving the authorization to the infrastructure partially? For instance viewing rights can be easily implemented as filters for quering. I took part in implementing a system, where, for the specific cases, even some properties could have been configured, to be shown/hidden. Speaking about the context, have you ever tried move the authorization to the infrastructure and use some kind of a scope, as the current operation context provider? http://ayende.com/4559/real-world-authorization-implementation-considerations#comment10http://ayende.com/4559/real-world-authorization-implementation-considerations#comment10Sat, 24 Jul 2010 11:33:25 GMTConfigurator, LAN app talking to a DB directly have only two modes: There is not security (since the users can connect to the DB directly and issue whatever query they want) There is a need for security, and the only way to apply it (and business rules, for that matter) is in the infrastructure. That means either using some Row Level Security feature or stored procedures. I outlined the problems with infrastructure level security in this post, and I think that the problems with SP are well documented by now. http://ayende.com/4559/real-world-authorization-implementation-considerations#comment9http://ayende.com/4559/real-world-authorization-implementation-considerations#comment9Fri, 23 Jul 2010 19:44:42 GMTHi configurator. >Why should a Winforms LAN app never talk to the DB directly? it is not secure because every user of your app has direct access to the DB server. But....You gotta do what you gotta do. Besides that, Ayende's post has more concern about enterprise applications. At least I think it is. lol. http://ayende.com/4559/real-world-authorization-implementation-considerations#comment8http://ayende.com/4559/real-world-authorization-implementation-considerations#comment8Fri, 23 Jul 2010 18:59:03 GMTWhy should a Winforms LAN app never talk to the DB directly? And who says a single machine is the same as a single user? http://ayende.com/4559/real-world-authorization-implementation-considerations#comment7http://ayende.com/4559/real-world-authorization-implementation-considerations#comment7Fri, 23 Jul 2010 17:30:56 GMTDavid, The place to ask is in the rhino tools dev mailing list http://ayende.com/4559/real-world-authorization-implementation-considerations#comment6http://ayende.com/4559/real-world-authorization-implementation-considerations#comment6Fri, 23 Jul 2010 13:29:58 GMTConfigurator, A single user app uses no security. A multi user app shouldn't talk directly to a DB, that arch died in the mid 90s http://ayende.com/4559/real-world-authorization-implementation-considerations#comment5http://ayende.com/4559/real-world-authorization-implementation-considerations#comment5Fri, 23 Jul 2010 13:29:40 GMTAyende, You mentioned Rhino security. I love it, but I want to use Linq (not ICriteria). Do you think you will ever modify it for Linq or do you know if anyone else already has? Thanks. http://ayende.com/4559/real-world-authorization-implementation-considerations#comment4http://ayende.com/4559/real-world-authorization-implementation-considerations#comment4Fri, 23 Jul 2010 13:14:57 GMTI too agree with the point of the article, but you seem to be ignoring a major software use-case - not all software runs on a webserver. There could be client (winforms) apps that connect to the database. http://ayende.com/4559/real-world-authorization-implementation-considerations#comment3http://ayende.com/4559/real-world-authorization-implementation-considerations#comment3Fri, 23 Jul 2010 12:43:17 GMTLL, That is a good point, which I assume resolve the problem of connection pooling. http://ayende.com/4559/real-world-authorization-implementation-considerations#comment2http://ayende.com/4559/real-world-authorization-implementation-considerations#comment2Fri, 23 Jul 2010 09:43:07 GMTHi, One correction: Oracle (and possibly other databases as well) has the concept of a _proxy user_, which allows application servers to login with one set of credentials _on behalf_ of other users. The combination of proxy users, row-level security and connection pools works quite well in Oracle. This does not invalidate the general point of the article, with which I fully agree. LL http://ayende.com/4559/real-world-authorization-implementation-considerations#comment1http://ayende.com/4559/real-world-authorization-implementation-considerations#comment1Fri, 23 Jul 2010 09:21:56 GMT