December 02, 2006
Levels of authorization in web applications
Most of the applications I've built in the past have only 2 levels of authorization:
(1) You're logged in and have access to various functions according to your "group" or "access" memberships
(2) You're not logged in, and therefore have access to nothing.
My latest project would benefit from having some functions available to everyone - even those unauthenticated. It is basically an item-selection service; certain items are offered by certain bodies, and these items are not secret and in fact would be great if they were publicly-available. The only part that needs to be protected is for a given user to be able to modify their own item-selections (and also protect what those item-selections *are*). The items are sufficiently complex that navigation through them could be made as a stand-alone application, even without any functionality for "picking" them.
(Note: In the description above, I had previously worded "item" as "service" but then made the change because I didn't want to cause confusion with my earlier notes about WSDL.)
I was thinking about a Servlet's objects -- maybe some are static to the Servlet class, and others vary per HTTP request -- and also about how these relate to a user's session variables and also the values that can be attached to any HTTP request. Some of the business logic -- the public stuff -- is available as a static attribute of my Servlet, where all users can refer to the same "copy" of the item being offered, thereby allowing the system to be aware of how many people want a particular object via memory references. No database query needed; the system just "knows".
I guess pretty much all domain objects live at the servlet level except for a user's individual navigational and usage objects; even these may ultimately refer to their platonic ideal "singular" within the Servlet.
What -are- session variables supposed to be used for, anyway? Navigational cues? Application-data that is reflected in the back-end database? I've always assumed that the session variables should be "the stuff that the user is working on and manipulating right now" but I am such a newbie I could be wrong and not even know it!
And, on top of all of this, I have people telling me that I am wasting my time thinking about object-modelling and that I should only care if the program works or not. The attitude is like, "the more stuff you build, the more familiar you get with the tools and the faster you can build more stuff." Then, I was mildly insulted when my co-worker insinuated that because academics aren't charged with "building stuff" that they can't possibly learn the best way to do so, and therefore no worthwhile learning can occur in a non-industrial setting. Uragh!
Personally, I have found that having domain knowledge as actualized objects-in-memory is necessary for intelligent rationalization (for example: arranging the objects in a graph and then performing a shortest-paths traversal on it), as opposed to a no-modelling approach of merely brute-force querying a database each time object-data is needed.
'Apologies for the rant. I considered deleting it, but, meh. I am a human and am entitled to my bouts of irrational emotional turmoil.
UPDATE: I found a related design pattern - Core J2EE Patterns - Intercepting Filter. I like this pattern because some of my clients are asking for the system to authenticate against an LDAP directory, while other clients want the system to authenticate against an internal database where the password is stored as a field in one of the tables. This design pattern will allow me to write the components for both, then I can just plug/unplug each filter according to what the client wants. I wonder if I can eventually apply different combinations of these filters to different parts of the system. Then, with no filter, users can browse around the "free" stuff that does not require authentication. As they go deeper into the system, extra authentication filters can be added. I guess. Maybe. Meh.
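The pluggable-filter arrangement described in the update, written against the standard `javax.servlet` Filter API as an added example (it is not code from the original post or from Core J2EE Patterns). The `Authenticator` interface, the `authenticatorClass` init-param and the `user` session attribute are assumed names chosen for illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical plug point: one implementation per back end (LDAP directory, database table). */
interface Authenticator {
    boolean verify(String username, char[] password);
}

/** Intercepting filter; mapped only onto protected URLs, so public browsing never passes through it. */
public class AuthenticationFilter implements Filter {
    private Authenticator authenticator;

    public void init(FilterConfig config) throws ServletException {
        // The back end is picked per deployment through a filter init-param (assumed name).
        String className = config.getInitParameter("authenticatorClass");
        try {
            authenticator = (Authenticator) Class.forName(className)
                    .getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            // A missing or broken setting stops the filter from starting instead of leaving URLs open.
            throw new ServletException("Cannot load authenticator: " + className, e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false); // never create a session for anonymous visitors
        if (session != null && session.getAttribute("user") != null) {
            chain.doFilter(req, res);                     // already authenticated
            return;
        }
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        if ("POST".equals(request.getMethod()) && user != null && pass != null
                && authenticator.verify(user, pass.toCharArray())) {
            if (session != null) session.invalidate();    // new session id after login (fixation defence)
            request.getSession(true).setAttribute("user", user);
            chain.doFilter(req, res);
            return;
        }
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // fail closed
    }

    public void destroy() { }
}
```

In `web.xml`, a `<filter-mapping>` whose `<url-pattern>` covers only the item-selection URLs leaves the public item catalogue unfiltered. The servlet behind the filter should take the owner of a selection from the `user` session attribute, never from a request parameter, so one user cannot read or edit another's selections.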