Saturday, February 28, 2009

more apex stuff

I am currently designing an authentication and authorization scheme for use with our Active Directory LDAP environment at work. It is a daunting task, considering that the apex.ldap functions don't work very well (or at all in some cases) with MS AD. The DBMS_LDAP routines however do work well; you just need to put in more elbow-grease to make things work.

I plan on posting my code here once I have finished, but I thought I'd list the requirements here first, partly because making lists helps to sort through complex problems, and partly because I have nothing else to post here.

Security is an extremely hot topic at work, as I am sure it is at your place of business. We get audited all the time, and being defence contractors doesn't make it any easier. We have lots of rules around account activities, passwords, and group memberships. On top of that, when developing in the realm of the web app, we have further rules on cookies and sessions, among other things, that make life just that much harder for your average developer.

I am not going to go into minute detail, but the security model I am working with needs to fit into these parameters:

  1. Access must be controlled by user id and group membership in AD.
  2. Application access must be multi-layered so that not all users have the same access (where that is required).
  3. Once an application is deployed, security maintenance must be kept to a minimum to reduce total cost of ownership.

These seem simple enough, but when you flesh them out into code, things can get pretty hairy pretty quickly.

The model that I keep returning to in my mind is something like this:
  1. Groups must be created in AD for each application and each access type, e.g. APP_Developers, APP_Editors, or APP_Users.
  2. Each APEX app must use the same authentication scheme.
  3. At login, each app must validate the user against LDAP. Each app must maintain a table of the LDAP groups and the users in them for use in the authorization or sentry scheme.
  4. This all has to happen automatically. (ugh).
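
What step 3 looks like in DBMS_LDAP terms, as an added example; this is not the author's promised code (the post contains none), just a sketch of an APEX custom authentication function that binds to AD with the user's own credentials and then reads memberOf to confirm membership in at least one APP_ group. The host, port, base DN and UPN suffix are placeholders, and the APP_ prefix follows item 1 above.

```plsql
-- Added example, not the post's code. Host, port, base DN and UPN suffix
-- are placeholders; adjust for your own forest.
CREATE OR REPLACE FUNCTION ad_authenticate (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
) RETURN BOOLEAN
IS
    c_ldap_host  CONSTANT VARCHAR2(100) := 'ad.example.local';    -- placeholder
    c_ldap_port  CONSTANT PLS_INTEGER   := 636;                   -- LDAPS
    c_ldap_base  CONSTANT VARCHAR2(200) := 'DC=example,DC=local'; -- placeholder
    c_upn_suffix CONSTANT VARCHAR2(100) := '@example.local';      -- placeholder
    c_group_pfx  CONSTANT VARCHAR2(30)  := 'APP_';                -- item 1 above

    l_session  DBMS_LDAP.session;
    l_retval   PLS_INTEGER;
    l_message  DBMS_LDAP.message;
    l_entry    DBMS_LDAP.message;
    l_attrs    DBMS_LDAP.string_collection;
    l_groups   DBMS_LDAP.string_collection;
    l_matched  PLS_INTEGER := 0;

    -- Escape the characters RFC 4515 reserves inside filter values, so the
    -- login name typed into the form cannot alter the search filter.
    FUNCTION escape_filter (p_val IN VARCHAR2) RETURN VARCHAR2 IS
    BEGIN
        RETURN REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(p_val,
                 '\', '\5c'), '*', '\2a'), '(', '\28'), ')', '\29'), CHR(0), '\00');
    END escape_filter;
BEGIN
    -- An empty password would make simple_bind_s an anonymous bind, which
    -- "succeeds" without proving anything, so refuse it up front.
    IF p_username IS NULL OR p_password IS NULL THEN
        RETURN FALSE;
    END IF;

    DBMS_LDAP.use_exception := TRUE;
    l_session := DBMS_LDAP.init(c_ldap_host, c_ldap_port);
    -- TLS (no client wallet), so the password does not cross the wire in clear.
    l_retval  := DBMS_LDAP.open_ssl(l_session, NULL, NULL, 1);

    -- Bind as the user in UPN form; a wrong password raises an exception.
    l_retval := DBMS_LDAP.simple_bind_s(l_session,
                    p_username || c_upn_suffix, p_password);

    -- Fetch the user's own object and read memberOf.
    l_attrs(1) := 'memberOf';
    l_retval := DBMS_LDAP.search_s(l_session, c_ldap_base,
                    DBMS_LDAP.SCOPE_SUBTREE,
                    '(&(objectClass=user)(sAMAccountName='
                        || escape_filter(p_username) || '))',
                    l_attrs, 0, l_message);

    IF DBMS_LDAP.count_entries(l_session, l_message) = 1 THEN
        l_entry  := DBMS_LDAP.first_entry(l_session, l_message);
        l_groups := DBMS_LDAP.get_values(l_session, l_entry, 'memberOf');
        -- memberOf holds full DNs such as CN=APP_Editors,OU=Groups,DC=...
        IF l_groups.COUNT > 0 THEN
            FOR i IN l_groups.FIRST .. l_groups.LAST LOOP
                -- SUBSTR rather than LIKE, since '_' is a LIKE wildcard.
                IF SUBSTR(UPPER(l_groups(i)), 1, 3 + LENGTH(c_group_pfx))
                       = 'CN=' || UPPER(c_group_pfx) THEN
                    l_matched := l_matched + 1;
                END IF;
            END LOOP;
        END IF;
    END IF;

    l_retval := DBMS_LDAP.unbind_s(l_session);
    -- Logged in only if the bind worked AND the user is in an APP_ group.
    RETURN l_matched > 0;
EXCEPTION
    WHEN OTHERS THEN
        -- Bad password, unreachable DC, etc.: fail closed, release the handle.
        BEGIN
            l_retval := DBMS_LDAP.unbind_s(l_session);
        EXCEPTION
            WHEN OTHERS THEN NULL;
        END;
        RETURN FALSE;
END ad_authenticate;
/
```

Register it as the authentication function of an APEX custom authentication scheme (the function signature matches what APEX expects). The same loop that counts APP_ groups is the natural place to insert the matched group DNs into the per-app group table from item 3, so the authorization scheme can read them without a second LDAP round trip.
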
Sadly, every time I start working on this problem, I think of another way to do it. It's hard being an obsessive/compulsive attention-deficit person. It means you obsess all the time over all sorts of different things, sometimes in parallel.

I do have the code for checking group membership (one group only) before logging into the app. So I know it can be done. Now I need to make it flexible, and incorporate more group checks.

I will post the code I've got shortly. It's most likely nothing you couldn't find elsewhere, although I must admit I gave up looking a week or so ago.

Stay tuned...
