I am starting a new open source project:
http://code.google.com/p/dynamic-rule-security/
No code has been released yet, but I am hoping to have an alpha version out soon. The project integrates Drools Rule Engine with Spring Security to provide dynamic, rule based, field level ACL security to a system.
Once complete, the system administrator will be able to create business rules to restrict fields, objects, pages, content, whatever based on dynamic rules. But, that's not all. The current crop of security requires the security logic to be embedded with the code and is quite brittle and complex when security rules become very granular. For example, imagine having to implement a requirement that says when a trade belongs to account "abc" hide the trade from anyone not in group "abc-allowed". No problem, you say. You create the security group "abc-allowed". Now you have some choices regarding implementation, you can integrate the rule at the data retrieval layer, at the presentation tier, or in the middle. Either way, somewhere in your system, you'll have a chunk of code like this: if ( trade.account == "abc" && !isUserInRole("abc-allowed") ) then hide.
That was easy. Probably only took 10 minutes to write, 10 minutes to test, and a few days to get it deployed to production. No problem.
A few days go by, and the user comes back and says, I need to expand that security. It seems that group efg can actually see abc account trades but only when the trading amount is less than $50m. Ok, you say. A bit messy, but do-able. So, you create security group "efg-allowed", and change your prior rule to say:
if ( trade.account == "abc" && (!isUserInRole("abc-allowed") && ( trade.amount > 50 && !(isUserInRole("efg-allowed") ) then hide.
Probably only took 10 minutes to code, and another 10 minutes to test, but damn there is QA, UAT, production release. A few days later, you finally release the new feature.
Aren't you glad that's over. A few more days go by, and the user says, wait, he forgot that the efg group can't change the trader name on the trade, and can't see the counterparty, but should be able to see and change everything else. Oh, one more thing, they can change the trader name if the trader is "Jack", because trader Jack's accounts are actually managed by the efg group even if the account belongs to the "abc" group.
Crap you say, that's going to be a bit of work. You may need to change the presentation tier, to hide the fields in some cases, but not others. And boy, how much does it suck to hard code the trader's name somewhere.
Anyways, you get the point. Security Rules may get very complex and very specific to the data they interact with and the context of the request. This means that the rule needs to be aware of the data, and who is requesting it. The rule is then capable of setting the security ACL. The presentation tier then only needs to worry about following the ACL rather than actually dealing with the security rules themselves. Not only that, but security rules will be in a single place rather than being sprinkled throughout the system. You can also change them on the fly allowing you to react very quickly to additional security requests.
Subscribe to:
Post Comments (Atom)
3 comments:
Thanks for this great post! The combination of AOP and declarative rules for configurable ACLs is exactly what I am currently looking for. I just had a look at your project at code.google and I am wondering, what the actual status is since there has been no activity for the last year? Did you stop working on it because you found another framework with similar functionality or because it was good enough for your purposes?
I've stopped because I got busy with other things. I haven't seem anything like this elsewhere. If you're interested in actually using it, let me know what else you'd need and I can add it in.
Hello Vadim,
this is really a great project. I only have a couple of questions. First, in your description of Acl class you wrote that it is an object level permission with each AclEntry representing field level permission, but you use the same Object instance in this class as in AclEntry. Could you please explain the reason behind it? Also, I was wondering if it is possible to implement Secure interface so that it will check the security logic directly to annotated methods and throw an exception (maybe like AccessDeniedException of Spring Security, just to proper to other security inside the application), instead of hard-coding it in the classes by requesting isGranted() method everytime?
Thank you in advance!
My email is izdau@hotmail.com
Post a Comment