views: 127

answers: 3

I have a bunch of objects in my application (Organisations, Individuals, Orders, etc.) and I need a nice clean way to decide which users can and can't view/edit these objects. Users have a range of permissions such as 'Can edit own contacts' and 'Can view team's contacts' and can also be members of groups such as 'Account Manager', so various things need to be checked (Is this user an account manager? Is this contact managed by this user's team? Can this user edit his team's contacts?) before it can be decided whether they have access to the object.

Previously most of the logic was inline, but as it becomes more complex I've decided that it's best to move it out to new classes such as OrganisationSecurity, OrderSecurity, etc. and create methods such as CanEdit on them.

Is this the correct way to go? Any gotchas I should be careful of? How do you handle this?

Thanks

+2  A: 

Check out Security Patterns, especially in the areas about authentication and authorization.

Nerdfest
Thanks for the link. Have added the book to my shopping list.
jammus
+1  A: 

Make sure it is not "overdesigned", and carefully consider why you need to block access and how much you trust the user of your objects.

You can consider writing an aspect to block/allow access to certain methods: http://en.wikipedia.org/wiki/Aspect-oriented_programming

At my company we tried Acegi (on a Java project) but found it to be too heavyweight/overdesigned for our needs. Maybe it's a better fit for your case: http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html

Rolf
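Below is a sketch that combines the design in the question (one security class per object type with CanEdit-style methods) with Rolf's suggestion of an aspect that guards methods. It is an added example written for this page, not code from the original poster or from any answer. The class and permission names (ContactSecurity, edit_own_contacts, view_team_contacts, the 'Account Manager' group), the user and contact shapes, and the sample data are all assumptions made for illustration; the `authorize` decorator is a lightweight stand-in for a real AOP framework like the ones Rolf mentions.

```python
"""Object-level authorization moved out of the domain objects into a
per-type security class, plus a decorator that enforces those checks
in front of service methods (the aspect-style approach Rolf suggests).

Everything below is illustrative: names, permissions and sample data
are constructed for this example, not taken from the original post."""
from dataclasses import dataclass
from functools import wraps


class AccessDenied(PermissionError):
    """Raised when a guarded method is called by a user who may not call it."""


@dataclass(frozen=True)
class User:
    name: str
    team: str
    permissions: frozenset = frozenset()  # e.g. "edit_own_contacts"
    groups: frozenset = frozenset()       # e.g. "Account Manager"

    def has(self, permission):
        return permission in self.permissions

    def in_group(self, group):
        return group in self.groups


@dataclass(frozen=True)
class Contact:
    contact_id: int
    owner: str          # name of the user who owns the contact
    managing_team: str  # team responsible for the contact


class ContactSecurity:
    """All 'who may do what to a Contact' rules live here.

    Gotcha worth baking in from the start: deny by default. Every rule
    below grants access; anything that matches no rule is refused."""

    def can_view(self, user, contact):
        if self.can_edit(user, contact):  # anyone who may edit may view
            return True
        if contact.owner == user.name and user.has("view_own_contacts"):
            return True
        if contact.managing_team == user.team and user.has("view_team_contacts"):
            return True
        return False

    def can_edit(self, user, contact):
        if user.in_group("Account Manager"):  # group membership check
            return True
        if contact.owner == user.name and user.has("edit_own_contacts"):
            return True
        if contact.managing_team == user.team and user.has("edit_team_contacts"):
            return True
        return False


def authorize(check):
    """Decorator: run `check(user, obj)` before the wrapped method.

    Assumes the wrapped method has the signature (self, user, obj, ...).
    This is the 'aspect' idea reduced to a plain Python decorator."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(self, user, obj, *args, **kwargs):
            if not check(user, obj):
                raise AccessDenied(f"{user.name} may not {fn.__name__} {obj!r}")
            return fn(self, user, obj, *args, **kwargs)
        return wrapper
    return decorator


CONTACT_SECURITY = ContactSecurity()


class ContactService:
    """Business operations never inline the rules; the decorator applies them."""

    @authorize(CONTACT_SECURITY.can_view)
    def show(self, user, contact):
        return f"contact {contact.contact_id} (owner {contact.owner})"

    @authorize(CONTACT_SECURITY.can_edit)
    def reassign_team(self, user, contact, new_team):
        return Contact(contact.contact_id, contact.owner, new_team)


# Constructed sample data for the example.
ALICE = User("alice", team="sales", permissions=frozenset({"edit_own_contacts"}))
BOB = User("bob", team="sales", permissions=frozenset({"view_team_contacts"}))
CAROL = User("carol", team="support", groups=frozenset({"Account Manager"}))
DAVE = User("dave", team="support")
ACME = Contact(1, owner="alice", managing_team="sales")


def demo():
    """Exercise the rules and return the outcomes so they can be checked."""
    svc = ContactService()
    results = {
        "alice_edit": CONTACT_SECURITY.can_edit(ALICE, ACME),   # owner with edit_own
        "bob_view": CONTACT_SECURITY.can_view(BOB, ACME),       # team view permission
        "bob_edit": CONTACT_SECURITY.can_edit(BOB, ACME),       # no edit permission
        "carol_edit": CONTACT_SECURITY.can_edit(CAROL, ACME),   # Account Manager group
        "dave_view": CONTACT_SECURITY.can_view(DAVE, ACME),     # matches no rule
    }
    try:
        svc.show(DAVE, ACME)
        results["dave_show_blocked"] = False
    except AccessDenied:
        results["dave_show_blocked"] = True
    results["carol_reassigned"] = svc.reassign_team(CAROL, ACME, "support").managing_team
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the split is that the service layer has exactly one place where "can this user touch this object" is decided, so a new rule (say, 'Can view team's contacts' becoming team-and-sub-team) is a change to ContactSecurity alone, and the deny-by-default `return False` at the end of each method means a forgotten case fails closed rather than open.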
A: 

Google for the terms "entitlements management" and XACML. This will get you pointed in a better direction.

jm04469