Securing Serenity: Using Annotations for Security
July 22nd, 2008 by AdamKinder

I’ve been working on this feature for a couple of days now, using at first a mishmash of Reflection class properties and loops.
Thankfully I came across this excellent library on Google Code, called Addendum that saved me the trouble of reinventing the wheel.
Serenity Summer Patch 3 will introduce the annotated role security layer to the platform. What this means for developers is that you can now fine tune your applications when you ship them, locking the application down by module using nothing more than a code comment and function call.
Serenity’s current (unfinished) permission model relies on your standard permissions schema: Joe X has the administrator role in application Y, and it’s stored as a bit in the database.
Serenity’s new annotated role system takes it one step further. Instead of the application having the task of checking and loading bits itself, Serenity uses the code comments in your class file to determine security.
In a perfect world, your Serenity application would be split into modules, each being its own class file. With that in mind, the following example demonstrates how a module would restrict access, updating and deleting to the “admin” database role:
A list control module

```php
<?php
/** @SecurityRole(access="admin",update="admin",delete="admin") */
class App implements serenity_application
{
    // The "access" bit is enforced by the framework from the annotation
    // alone, so a plain read needs no call here.
    public function view_lists()
    {
        /* ... */
    }

    public function update_list()
    {
        // Check the "update" bit declared in the class annotation before any work is done.
        Serenity::security()->check_update_role();
        /* ... */
    }

    public function delete_list()
    {
        // Check the "delete" bit declared in the class annotation before any work is done.
        Serenity::security()->check_delete_role();
        /* ... */
    }
}
```
For each module class that you want protected, simply add the @SecurityRole() doc comment on the line before the class declaration and pass it the role required for each of access, update, and delete.
For the access bit, no function call is needed in the file; the framework reads it from the annotation. For each function that updates or deletes a piece of data, add the appropriate Serenity::security() call to check the bit before the function does anything else.
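To make the mechanism concrete, here is an added example of how an annotation-driven role check can be implemented with PHP's Reflection API. It is not Serenity's or Addendum's code: the class names AnnotatedRoleGuard, SecurityDenied and ListModule, the check() method and the sample user role lists are all hypothetical. It parses the same @SecurityRole(access=...,update=...,delete=...) docblock shown above and fails closed, so a module whose annotation omits a bit cannot be updated or deleted by accident.

```php
<?php
// Added example, not Serenity's or Addendum's code. AnnotatedRoleGuard,
// SecurityDenied, ListModule and the sample role lists are constructed here.

class SecurityDenied extends RuntimeException {}

class AnnotatedRoleGuard
{
    /** @var string[] roles held by the current user (constructed sample) */
    private array $userRoles;

    public function __construct(array $userRoles)
    {
        $this->userRoles = $userRoles;
    }

    /**
     * Parse @SecurityRole(access="...",update="...",delete="...") from the
     * class docblock. Returns an empty array when the annotation is absent.
     */
    public function rolesFor(string $className): array
    {
        $doc = (new ReflectionClass($className))->getDocComment();
        if ($doc === false || !preg_match('/@SecurityRole\(([^)]*)\)/', $doc, $m)) {
            return [];
        }
        $roles = [];
        // Each pair is bit="role"; only the three bits named in the post are accepted.
        if (preg_match_all('/(access|update|delete)\s*=\s*"([^"]*)"/', $m[1], $pairs, PREG_SET_ORDER)) {
            foreach ($pairs as $p) {
                $roles[$p[1]] = $p[2];
            }
        }
        return $roles;
    }

    /**
     * Fail closed: a bit that is not declared in the annotation is treated as
     * requiring a role nobody holds, rather than as "no restriction".
     */
    public function check(string $className, string $bit): void
    {
        $roles = $this->rolesFor($className);
        if (!isset($roles[$bit]) || !in_array($roles[$bit], $this->userRoles, true)) {
            $required = $roles[$bit] ?? '<undeclared>';
            throw new SecurityDenied("$bit on $className requires role '$required'");
        }
    }
}

/** @SecurityRole(access="admin",update="admin",delete="admin") */
class ListModule
{
    private AnnotatedRoleGuard $guard;

    public function __construct(AnnotatedRoleGuard $guard)
    {
        $this->guard = $guard;
    }

    public function update_list(): string
    {
        // Same pattern as Serenity::security()->check_update_role(): check the
        // bit before the function does anything else.
        $this->guard->check(self::class, 'update');
        return 'updated';
    }
}

// Constructed sample users: one holding the admin role, one holding only "viewer".
$admin  = new ListModule(new AnnotatedRoleGuard(['admin']));
$viewer = new ListModule(new AnnotatedRoleGuard(['viewer']));

echo $admin->update_list(), "\n";
try {
    $viewer->update_list();
} catch (SecurityDenied $e) {
    echo 'denied: ', $e->getMessage(), "\n";
}
```

The point worth keeping from this sketch is the fail-closed default in check(): the annotation is the only place the required role is declared, so a missing or misspelled bit should deny rather than silently allow. The roles a user actually holds would come from the database bits the post describes; here they are passed in as a constructed array.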
The system is being built to accommodate any number of bits, and to be extensible. Once Patch 3 is released, we’ll update our documentation with the Security system and how to use it properly.
