I am pleased to say that with alpha five and my databases I have been able to implement Just In Time security on a website I am building. And it was quite easy too. Using no other tutorials, largely guess work of my own, this is what i've come up with.
Why I might do this has various reasons. I have mine which I'll keep to myself. (business confidentiality and all).
But an application of this is maybe to say: to allow users control only under certain circumstances. i.e - a regular forum user may have more abilities under certain subforms that he regulars than someone who has only posted a small handful of times. These maybe certain columns/buttons etc on a grid/navsystem with their own Alpha security groups.
Though my system is more complex than the following example, ( mine involves multiple databases with many to many relationships, mutiple scripts and functions) i thought i would at least share a simple version with forum-goers:
Say for instance there is a page which a grid needs to be filtered on certain fields according to who is logged on. And say that within that filter only certain columns and controls are visible to certain users.
You have already created some security groups in Alpha 5 to assign to people. i.e SuperUser, Administrator, GridEditor, GridAuditor, GeneralUser... etc
So you set the column's and any other control's security accordingly in the fields editor or which ever method you choose relevant to what you want to secure. (could be a hyperlink, another page.. whatever..)
Now take for instance someone who is a Administrator for one page, but you only want him to be a GeneralUser and a GridAuditor for this other page.
Naturally it seems necessary to store this information somewhere. (this is not how i did it at all, but i'm simplifying)
PageSecurty Database Column Requirements:
ulink (i.e a uuid)
page ( a link "magicsecuregrid.a5w")
groupstring (i.e "GridAuditor, GeneralUser")
before the page loads you are going to need a script of some sort to reassign security credentials to a user.
In this case I would personally use a go between page. (which could be used as a link to any page) But there are other ways.
So that when user clicks a link "magic secure grid page", it actually links to "gobetweenpage.a5w?redirectURL=magicsecuregrid.a5w"
and this "gobetweenpage.a5w" may look something like this.
The groupstring in a datbase is an rough, but i feel somewhat 'elegant', way to implement JIT security. This groupstring could be hardcoded, or build dynamically through screens by a site administrator. If you double up (i.e groupstring = "GridAuditor, GridAuditor, GeneralUser") it doesn't seem to matter.
This is not the most secure, nor complete example, but its a starting point for anyone curious about implementing their own Just In Time Security. There are many ways to do it (mine is quite different, but at least somewhat abstracted/deviated from this method)
i hope this little tutorial makes sense. I hope i didn't leave anything out of the code box! I know i'm a terrible writer!
Why I might do this has various reasons. I have mine which I'll keep to myself. (business confidentiality and all).
But an application of this is maybe to say: to allow users control only under certain circumstances. i.e - a regular forum user may have more abilities under certain subforms that he regulars than someone who has only posted a small handful of times. These maybe certain columns/buttons etc on a grid/navsystem with their own Alpha security groups.
Though my system is more complex than the following example, ( mine involves multiple databases with many to many relationships, mutiple scripts and functions) i thought i would at least share a simple version with forum-goers:
Say for instance there is a page which a grid needs to be filtered on certain fields according to who is logged on. And say that within that filter only certain columns and controls are visible to certain users.
You have already created some security groups in Alpha 5 to assign to people. i.e SuperUser, Administrator, GridEditor, GridAuditor, GeneralUser... etc
So you set the column's and any other control's security accordingly in the fields editor or which ever method you choose relevant to what you want to secure. (could be a hyperlink, another page.. whatever..)
Now take for instance someone who is a Administrator for one page, but you only want him to be a GeneralUser and a GridAuditor for this other page.
Naturally it seems necessary to store this information somewhere. (this is not how i did it at all, but i'm simplifying)
PageSecurty Database Column Requirements:
ulink (i.e a uuid)
page ( a link "magicsecuregrid.a5w")
groupstring (i.e "GridAuditor, GeneralUser")
before the page loads you are going to need a script of some sort to reassign security credentials to a user.
In this case I would personally use a go between page. (which could be used as a link to any page) But there are other ways.
So that when user clicks a link "magic secure grid page", it actually links to "gobetweenpage.a5w?redirectURL=magicsecuregrid.a5w"
and this "gobetweenpage.a5w" may look something like this.
Code:
<%a5 'Set up necessary variables dim MyConnection as SQL::Connection dim ConnectionString as C = "<insert connectionstring here>" dim MyArguments as SQL::Arguments dim rsSecurity as SQL::ResultSet 'Create the select statement for your database, heres an example with SQL Server selectSecurity = <<%str% SELECT groupstring FROM PageSecurity WHERE ulink=:whatuser AND page=:whatpage %str% 'Add your arguments getting the redirect variable passed to the page from the link MyArguments.Add("whatuser",session.__protected__ulink) MyArguments.Add("whatpage",redirectUrl) 'Connect and execute query MyConnection.Open(ConnectionString) MyConnection.Execute(selectSecurity,MyArguments) rsSecurity = MyConnection.ResultSet MyConnection.Close() 'Create variables needed to update users security credentials dim output as p dim output.controls as p dim output.controls.guid.value as c output.controls.guid.value = a5ws_get_guid_from_ulink(session.__protected__ulink) dim uservalues as p dim uservalues.guid as c = output.controls.guid.value dim uservalues.ulink as c = session.__protected__ulink dim uservalues.groups as c = rsSecurity.data("groupstring") a5ws_save_webuser_values(output,uservalues) 'logout and login user to refresh their credentials '**NB YOU WILL NEED TO ATTAIN THEIR PASSWORD AND USERID (for 'logon) 'EITHER FROM A DB OR GET THEM FROM THE A5 SYSTEM 'IM NOT INCLUDING THAT CODE HERE a5ws_logoutuser() a5ws_login_user([**USERID],[**PASSWORD]) 'Finally redirect to the right page response.redirect("magicsecuritygrid.a5w") %>
This is not the most secure, nor complete example, but its a starting point for anyone curious about implementing their own Just In Time Security. There are many ways to do it (mine is quite different, but at least somewhat abstracted/deviated from this method)
i hope this little tutorial makes sense. I hope i didn't leave anything out of the code box! I know i'm a terrible writer!
Comment