Best practices question about authorization/technique for calling “core” business entities
 
Forums / SmartComponent Library - Developer Forum / Best practices question about authorization/technique for calling “core” business entities

Best practices question about authorization/technique for calling “core” business entities

9 posts, 1 answered
  1. Patrik Wikström
    Patrik Wikström avatar
    70 posts
    Registered:
    15 Oct 2018
    Answered
    04 Jan 2019
    Link to this post
    Hi!

    We have an own class implementation for example for the RestServerSessionActivator and we are using some business entities in that class using their DatasetModels. Is there a good way to restrict access to these business entities from the “outside world” and only allow them to be called from these kinds of core functionality? Calling business entities directly would be one way but one really prefers the DatasetModel way of accessing the business entities. The problem is to identify when the call comes from the “outside world” or use some kind of flag/parameter etc. when calling the business entities from the core functionalities?
  2. Mike Fechner
    Mike Fechner avatar
    342 posts
    Registered:
    14 Sep 2016
    04 Jan 2019 in reply to Patrik Wikström
    Link to this post
    What exactly do you mean with the "outside" world?
  3. Patrik Wikström
    Patrik Wikström avatar
    70 posts
    Registered:
    15 Oct 2018
    04 Jan 2019 in reply to Mike Fechner
    Link to this post
    Direct calls to the webhandlers on the PAS.
  4. Mike Fechner
    Mike Fechner avatar
    342 posts
    Registered:
    14 Sep 2016
    04 Jan 2019 in reply to Patrik Wikström
    Link to this post
    Are you using our Authorization tables (security assignment) in the SmartDB?
  5. Patrik Wikström
    Patrik Wikström avatar
    70 posts
    Registered:
    15 Oct 2018
    04 Jan 2019 in reply to Mike Fechner
    Link to this post
    No, we use our own checks (...RequestAuthorizationProvider IMPLEMENTS IRequestAuthorizationProvider).
  6. Mike Fechner
    Mike Fechner avatar
    342 posts
    Registered:
    14 Sep 2016
    04 Jan 2019 in reply to Patrik Wikström
    Link to this post
    In that case you should implement your own variant of the 

    Consultingwerk.OERA.IDatasetModelUseInterfaceProvider. 

    You can look at our implementation 

    Consultingwerk.OERA.DatasetModelUseInterfaceProvider

    as a sample. That implementation tells the DatasetModel's to communicate directly with the Business Entities bypassing the Service Interface (UseInterfaceEnum:ServiceManager) when a SmartFramework business entity calls into a SmartFramework DatasetModel. 

    We are using custom variants for this service also in micro-service architectures or DDD implementations when calls within a set of packages do not require authorization checks but calls from outside do required authorization checks. 

    In your specific case, it might be sufficient to just always return UseInterfaceEnum:ServiceManager - as your "outside" calls are going through the ServiceInterface into a Business Service first. And all calls made from DatasetModel's can bypass the Service Interface and thus the security checks in the IRequestAuthorizationProvider.
  7. Patrik Wikström
    Patrik Wikström avatar
    70 posts
    Registered:
    15 Oct 2018
    04 Jan 2019 in reply to Mike Fechner
    Link to this post
    Ok, thanks! We'll look into that after upgrading our SCL version because noticed that we don't have those classes (Consultingwerk.OERA.IDatasetModelUseInterfaceProvider, Consultingwerk.OERA.DatasetModelUseInterfaceProvider) or Enum values (UseInterfaceEnum:ServiceManager) in the current version we are using.
  8. Mike Fechner
    Mike Fechner avatar
    342 posts
    Registered:
    14 Sep 2016
    04 Jan 2019 in reply to Patrik Wikström
    Link to this post
    This feature was released on March 19th 2018. 

    "DatasetModels now support a third UseInterface operating mode: via the ServiceManager

    In this mode, the DatasetModel's will obtain a reference to the Business Entity directly via the ServiceManager and will bypass the ServiceInterface that way. Performance will be slightly better as we're bypassing both the context handling in the ServiceInterface and the request authorization provider.

    The default value for every DatasetModel's UseInterface property is determined by the new Consultingwerk.OERA.IDatasetModelUseInterfaceProvider service (default implementation is DatasetModelUseInterfaceProvider). This class will decide to use the Service Manager, when the caller of the DatasetModel is from the same or a higher package as the DatasetModel and return the use previously in place logic based on the NUM-DBS's function else.

    This is in line with our current thinking about domain driven designs based on the SmartComponent Library backend. Customers implementing a DDD architecture and decide to allow direct access between business components within a module/silo/package may implement the rules when to use direct access and when to use the ServiceInterface in a custom implementation of the IDatasetModelUseInterfaceProvider service."
  9. Patrik Wikström
    Patrik Wikström avatar
    70 posts
    Registered:
    15 Oct 2018
    04 Jan 2019 in reply to Mike Fechner
    Link to this post
    It is really time for us to update SCL then! ;)
    Thanks again!
9 posts, 1 answered