Authorization

Authorization follows authentication. Your authorization profile determines which functions of the application you are allowed to use, and may also determine which data you can see and/or manipulate.

Two authorisation types are important for Giews:

  • Function level
  • Data level

Function level authorisation determines which functions of the application the user can use. Data level authorisation determines which data can be seen or manipulated.

In order to follow the design principle 'separation of concerns', the core application and data should know nothing, or as little as possible, about authorization. With function level authorization it is relatively simple to follow this principle. With data level authorization it is more complicated.
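
The difference between the two levels, as an added example that is not part of the Giews code and does not use the Acegi API. The function level check only needs the name of the called method, so it stays outside the core service; the data level check has to know that a row carries a country, which ties it to the data model. All names (`PriceService`, `Profile`, the `country` attribute) and the sample rows are hypothetical.

```java
import java.lang.reflect.Proxy;
import java.util.*;
import java.util.stream.Collectors;

public class AuthorizationLayers {
    // Core domain and service: contain no authorization logic at all.
    record Price(String country, String commodity, double value) {}
    interface PriceService { List<Price> listPrices(); void deletePrices(); }

    static class CorePriceService implements PriceService {
        // Constructed sample data.
        private final List<Price> prices = new ArrayList<>(List.of(
            new Price("KE", "maize", 210.0), new Price("NL", "wheat", 180.0)));
        public List<Price> listPrices() { return List.copyOf(prices); }
        public void deletePrices() { prices.clear(); }
    }

    // Hypothetical authorization profile: allowed functions and allowed countries.
    record Profile(Set<String> functions, Set<String> countries) {}

    static PriceService secure(PriceService core, Profile p) {
        return (PriceService) Proxy.newProxyInstance(
            PriceService.class.getClassLoader(), new Class<?>[] {PriceService.class},
            (proxy, method, args) -> {
                // Function level: generic, works for any service interface.
                if (!p.functions().contains(method.getName()))
                    throw new SecurityException("function denied: " + method.getName());
                Object result = method.invoke(core, args);
                // Data level: must understand the shape of the returned data.
                if (result instanceof List<?> rows)
                    return rows.stream()
                        .filter(r -> r instanceof Price pr && p.countries().contains(pr.country()))
                        .collect(Collectors.toList());
                return result;
            });
    }

    public static void main(String[] args) {
        Profile analyst = new Profile(Set.of("listPrices"), Set.of("KE"));
        PriceService svc = secure(new CorePriceService(), analyst);
        System.out.println(svc.listPrices());   // only rows for allowed countries
        try { svc.deletePrices(); }              // function not in the profile
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```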


Options technology coarse grained

  • LDAP
  • ACEGI, with either LDAP or an RDBMS as persistence.

Options technology fine grained

  • LDAP for function level
  • LDAP for data level
  • ACEGI for function level
  • ACEGI for data level

The next question is whether Giews will only consider users and authorizations, or will also distinguish groups.

Options functionally

  • Users and authorizations
  • Users, groups and authorizations


Decision

Acegi

Argumentation

LDAP originated years ago, when relational databases were not fast. Almost all LDAP implementations use a hierarchical database, which is very fast. Nowadays relational databases are fast as well. LDAP is also used because it is known for serving a lot of requests while still being performant. With GWS we are not expecting 10000 requests per second, and therefore GWS can use a relational database to implement authentication and authorisation. This also saves the project from a knowledge investment in LDAP, though an investment in ACEGI is needed. ACEGI by nature follows the same concepts as Spring, so investing in knowledge of Spring eases the use of ACEGI.
