
Instrumentation to hide denied actions for authorization engines

IP.com Disclosure Number: IPCOM000238644D
Publication Date: 2014-Sep-09
Document File: 2 page(s) / 26K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is an invention to automatically instrument server-side code pages (such as JSP, ASPX, PHP, and so on) to facilitate fine-grained authorization by an authorization framework.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 74% of the total text.


Background

Authorization engines, such as Security Policy Manager, can specify access permissions for HTML files or parts of those files. Regular JSP can do the same when using roles. When users do not have the permission to do something, good UI practice is to avoid showing them that option. At present, that is typically done by manually editing the JSP (adding the lines that are preceded by three dashes (---)).

For example, in this fragment, the second option will only be displayed if the user is a member of the manager role.

Select what to do


Submit an expense report
---
Approve expense reports
---

Alternatively, this could be done using the SPM tag library. Here, the requirement is for the user to have permission to approve on the resource expense_report.

Select what to do


Submit an expense report
---

Approve expense reports
---

The Invention


1. Create a new action in SPM called accessJSP (for example).

2. For every JSP page in the application, create a resource for that action whose name is based on the JSP (possibly modified to maintain character restrictions).

3. Enclose the content of every JSP page in SPM tags that restrict access to users authorized to use it (adding the lines that are preceded by three dashes (---)).

---

--- <tspm:context id="accessJSPctx" serviceId="…" />
--- <tspm:authorize action="accessJSP" resourceId="…" contextId="accessJSPctx">

The original HTML goes here


---


4....
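
Steps 1 to 3 above, as an added sketch of the instrumentation pass in Python (example code written for this page, not code from the disclosure). It derives one resource name per JSP, refuses name collisions that would make two pages share a policy, and wraps each page body in the tags shown in step 3. Assumptions: the `SERVICE_ID_PLACEHOLDER` value, the `[A-Za-z0-9_]` name restriction, the closing `</tspm:authorize>` tag, keeping leading JSP directives outside the wrapper, and that each page already declares the tspm tag library.

```python
import re

ACTION = "accessJSP"          # action name from step 1
CONTEXT_ID = "accessJSPctx"   # context id used in the step 3 fragment
SERVICE_ID = "SERVICE_ID_PLACEHOLDER"  # elided on the page; deployment-specific


def resource_name(jsp_path):
    """Step 2: derive a resource name from the JSP path.
    Assumed restriction: names may contain only [A-Za-z0-9_]."""
    return re.sub(r"[^A-Za-z0-9_]", "_", jsp_path.strip("/"))


def plan_resources(jsp_paths):
    """Map every page to its resource name and refuse collisions: two pages
    that share a resource name would silently share one access policy."""
    seen = {}
    for path in jsp_paths:
        name = resource_name(path)
        if name in seen and seen[name] != path:
            raise ValueError(f"{path} and {seen[name]} both map to {name}")
        seen[name] = path
    return {path: name for name, path in seen.items()}


def instrument(source, resource):
    """Step 3: enclose the page body in the authorization tags.
    Leading JSP directives (<%@ ... %>) stay above the wrapper, and a page
    that already carries the wrapper is returned unchanged."""
    if f'action="{ACTION}"' in source:
        return source
    m = re.match(r"(?:\s*<%@.*?%>)*", source, re.S)
    head, body = source[:m.end()], source[m.end():]
    open_tags = (
        f'<tspm:context id="{CONTEXT_ID}" serviceId="{SERVICE_ID}" />\n'
        f'<tspm:authorize action="{ACTION}" resourceId="{resource}" '
        f'contextId="{CONTEXT_ID}">'
    )
    # The closing tag is an assumption; it is not legible in the page's fragment.
    return f"{head}\n{open_tags}{body}\n</tspm:authorize>\n"
```

Running `plan_resources` over the whole application before rewriting any file means a naming collision stops the pass before a single page is left half-protected.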