...
There are many ways to do authorization with Ceptor. They range from simple role-based checks in the Ceptor Gateway before a request is allowed to continue, over centrally configured attribute-based checks, to fully custom scripts which can implement any kind of check based on the available information: the user, his roles, the resource he is attempting to access, and the data he is accessing it with.
...
- Authorization checking can be done before the application is called, e.g. by the Ceptor Gateway
- It can also be done within the application server, before the application logic is called - see Application Server Integrations. Decisions might be based upon deployment descriptors, policies etc., depending on which application server is used and what level of authorization it offers.
- It can also be done inside the application, either by a filter (e.g. a Servlet Filter) which intercepts the call before the application logic is invoked, or by the application logic itself explicitly performing access checks.
- When done by the application, it can be via standard techniques like HttpServletRequest.isUserInRole(), Principal.isInRole() etc. where Application Server Integrations is used.
- ... or it can be done by calling the Ceptor Agent API directly, e.g. Agent.getInstance().isMemberOfGroup(), Agent.getInstance().isURLAllowed() or Agent.getInstance().checkPermission().
RBAC (Role-Based Access Control)
Role-based access control is the concept where a user has zero or more roles attached to him. Resources are protected by roles, and if the user has at least one of the required roles, access is allowed; otherwise access to the given resource is denied.
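The filter-based, role-based check described above (a Servlet Filter that intercepts the request before the application logic runs and asks the container via HttpServletRequest.isUserInRole() whether the user holds one of the roles guarding the resource), as an added example. This is illustrative code written for this page, not Ceptor code and not part of the Ceptor Agent API; the URL-prefix-to-roles policy map, the class name RoleFilter, and the use of the javax.servlet namespace are assumptions. The roles the container reports come from whatever Application Server Integration is deployed, so the filter itself never inspects cookies or headers.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative RBAC servlet filter (example code, not Ceptor's own).
 * Protects URL prefixes with role sets; the user's roles are whatever the
 * container reports through HttpServletRequest.isUserInRole().
 */
public class RoleFilter implements Filter {

    // Constructed sample policy: path prefix -> roles, any one of which grants access.
    // Longest prefix is listed first so that /admin/reports wins over /admin.
    private static final Map<String, Set<String>> POLICY = new LinkedHashMap<>();
    static {
        POLICY.put("/admin/reports", Set.of("auditor", "admin"));
        POLICY.put("/admin",         Set.of("admin"));
        POLICY.put("/account",       Set.of("customer", "admin"));
    }

    /** Role set guarding the longest matching prefix, or null if the path is unprotected. */
    static Set<String> requiredRoles(String path) {
        for (Map.Entry<String, Set<String>> e : POLICY.entrySet()) {
            // Match whole path segments only: "/admin" must not cover "/administrivia".
            if (path.equals(e.getKey()) || path.startsWith(e.getKey() + "/")) {
                return e.getValue();
            }
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Servlet path plus path info is already decoded and normalised by the
        // container, unlike the raw request URI.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());

        Set<String> roles = requiredRoles(path);
        if (roles != null) {
            if (request.getUserPrincipal() == null) {
                // Not authenticated at all: distinguish this from "wrong role".
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            boolean allowed = roles.stream().anyMatch(request::isUserInRole);
            if (!allowed) {
                // Authenticated but holds none of the required roles.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        // Either authorised or the resource is not in the policy.
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Map the filter to the url-pattern /* in web.xml (or with @WebFilter("/*")) so it sees every request before any servlet. The example allows paths that are not in the policy; a deny-by-default variant would return 403 when requiredRoles() yields null, which is the safer choice when new URLs are added without a matching policy entry.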
...