Re: [aspectj-dev] AOP and security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [aspectj-dev] AOP and security

From: Kev Jackson <kevin.jackson@xxxxxxxxxxxxx>
Date: Thu, 17 Feb 2005 10:44:58 +0700
Delivered-to: aspectj-dev@xxxxxxxxxxx
List-archive: <http://dev.eclipse.org/pipermail/aspectj-dev/>
List-help: <mailto:aspectj-dev-request@eclipse.org?subject=help>
List-subscribe: <http://dev.eclipse.org/mailman/listinfo/aspectj-dev>, <mailto:aspectj-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <http://dev.eclipse.org/mailman/listinfo/aspectj-dev>, <mailto:aspectj-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Mozilla Thunderbird 1.0RC1 (Windows/20041201)

Wow!!Chandu's mail wrote:

Hi All,
I am very new to this group and signed in to learn about AOP. Myquestions to all of you are:1. What is a security problem and how will AOP solve it?

Within an application (take any 'enterprise application') there willprobably be a need for Authentication (who are you?) and/orAuthorization (are you allowed to do that?). Traditional OOP tacklesthis by placing a call to the authentication/authorization code everytime a user attempts to do something eg:


class {

public secureMethod(int x, Object y, User z) throwsNotAuthenticatedException {

      if (User.isAuthenticated()) { //<- security code
         //do stuff
         //business logic
         //
      } else {
         throw new NotAuthenticatedException();
      }
   }

}

As you can see the security code is interleaved within the businesslogic. Imagine haveing 40+, 400+, 4000+ methods where you have tomaintain essentially the same behaviour. As the number of securemethods increases, so does the amount of duplicate code (bad) and theamount of maintenance.


AOP solves this:
class {

public secureMethod(int x, Object y, User z) throwsNotAuthenticatedException {

         //do stuff
         //business logic
   }
}


aspect {
   pointcut secureMethod(..) : call (com.company.secure.*+.*(..))

   before() : secureMethod() {
      if(User.isAuthenticated()) {

      }
   }
}

Here the aspect will insert the security code before every secureMethodwithout extra maintenance. That's a big win. Also the code is easierto read and more understandable as it is focused on the business logic,not business logic + security.

I've actually used AspectJ+JAAS+Servlets to achieve a single-sign-onwith Kerebos, it's freakishly good.

2. Can we use AOP to detect the faults in source code?

Yes, some of the first aspects in the dev/prog guide are to do withdevelopment

3. Is there a way to test the applications using AOP?

Not sure what you mean, but I did read an article where the author usedAOP to test a Struts webapp - looked a little wierd but it worked.

Kev

References:
- [aspectj-dev] AOP and security
  - From: Wow!!Chandu's mail

Prev by Date: [aspectj-dev] AOP and security
Next by Date: Re: [aspectj-dev] DocBook pdf gen ant task for devguide, adk15guide
Previous by thread: [aspectj-dev] AOP and security
Next by thread: SV: [aspectj-dev] AOP and security
Index(es):
- Date
- Thread

Breadcrumbs