Pessimistic Security - How To?

Old forum URL: forums.lhotka.net/forums/t/6155.aspx


cdkisa posted on Wednesday, January 14, 2009

Hi,

I've been asked to see if anyone has implemented a pessimistic security model using CSLA. This would mean, by default, no user is allowed to perform any action on any object unless explicitly granted permission to do so.

If you have done this or are trying to do this, any help on how to get started would be appreciated. I would rather not modify the CSLA Framework, but would rather implement it as my own custom security.

However, if the only way to implement a pessimistic model is to modify the framework, then I guess I'll have to.

Thanks,
cdkisa

ajj3085 replied on Wednesday, January 14, 2009

Hmm... well as soon as you call AllowWrite, AllowRead, etc. everyone else is denied.  Of course that assumes you have roles that can do those things, which seems to be fine.  It's hard to imagine an object that you haven't specified any Allow permissions on yet no one can read or write properties... you'd have a class that nobody could use!

RockfordLhotka replied on Wednesday, January 14, 2009

As Andy said, the CSLA authz model is pessimistic - assuming you have at least one role required to access each object and/or property. So it probably does exactly what you want already - you just need to associate roles with each object and/or property to specify which users ARE allowed to use the objects.
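
The behaviour described in the replies above, as an added example that is not part of the original thread and is not CSLA source code: a simplified C# model of per-property allow lists, plus a check for properties that no allow rule covers. `PropertyRules`, `Uncovered` and the sample property and role names are hypothetical, and the model assumes a property with no allow list is unrestricted, which is the case the "at least one role" caveat points at.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model of the rule semantics discussed in this thread (not CSLA code).
class PropertyRules
{
    // Property name -> roles granted write access (the "AllowWrite" list).
    private readonly Dictionary<string, HashSet<string>> _allowWrite =
        new Dictionary<string, HashSet<string>>();

    public void AllowWrite(string property, params string[] roles)
    {
        if (!_allowWrite.TryGetValue(property, out var set))
            _allowWrite[property] = set = new HashSet<string>();
        set.UnionWith(roles);
    }

    // Once an allow list exists, only its roles pass and everyone else is denied.
    // Assumption: with no list at all, the property is open to any caller.
    public bool CanWrite(string property, IEnumerable<string> userRoles)
    {
        if (!_allowWrite.TryGetValue(property, out var allowed)) return true;
        return userRoles.Any(allowed.Contains);
    }

    // Properties that no AllowWrite call covers, i.e. not yet deny-by-default.
    public IEnumerable<string> Uncovered(IEnumerable<string> allProperties)
    {
        return allProperties.Where(p => !_allowWrite.ContainsKey(p));
    }
}

static class Demo
{
    static void Main()
    {
        var props = new[] { "Name", "Salary", "Notes" }; // constructed sample
        var rules = new PropertyRules();
        rules.AllowWrite("Name", "Clerk", "Manager");
        rules.AllowWrite("Salary", "Manager");

        var clerk = new[] { "Clerk" };
        foreach (var p in props)
            Console.WriteLine(p + " writable by Clerk: " + rules.CanWrite(p, clerk));

        // Run as a startup or unit-test check: every property should carry a rule.
        foreach (var p in rules.Uncovered(props))
            Console.WriteLine("no AllowWrite rule: " + p);
    }
}
```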

Copyright (c) Marimer LLC