PoNG Security

From EWIKI

PoNG uses a role-based authorization model. A user may have several roles but should act with only one role at a time. The user is allowed to switch at any time to any other role he is assigned to.

Programming model

Important: The server is responsible for authorizing every request, because the client side can be manipulated too easily.

On the client side there is only assistance for rendering the portal page according to the user's role.

All roles assigned to the user are in the pageInfo["userRoles"] array. This array is the result of a successful authentication. The active role of the user is in the variable userRole. This makes it very easy to switch the role (e.g. from CRM-User to admin) and to render only information for the active role (e.g. navigation bar items).
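The model described above as an added example (not PoNG's own code): the client only allows switching to a role contained in pageInfo["userRoles"] and renders navigation for the active role, while the server re-checks the role claimed by the client against the authenticated session before permitting an action. The navigation items, the permission table and the session object are constructed assumptions for illustration.

```javascript
"use strict";

// Client-side state as produced by a successful authentication (constructed sample).
const pageInfo = { userRoles: ["CRM-User", "admin"] };
let userRole = "CRM-User"; // the active role

// Navigation bar items with the roles allowed to see them (hypothetical).
const NAV_ITEMS = [
  { label: "Customers", roles: ["CRM-User", "admin"] },
  { label: "User management", roles: ["admin"] },
];

// Client side: switching is only possible to a role the user is assigned to.
function switchRole(role) {
  if (!pageInfo.userRoles.includes(role)) {
    return false; // not one of the user's roles, keep the current one
  }
  userRole = role;
  return true;
}

// Client side: render only the items the active role may see.
function visibleNavItems() {
  return NAV_ITEMS.filter((item) => item.roles.includes(userRole)).map((item) => item.label);
}

// Server side: the role sent by the client is only a claim. Verify that it is
// assigned to the authenticated session and that it permits the requested action.
const PERMISSIONS = {
  "CRM-User": ["customer:read"],
  admin: ["customer:read", "user:manage"],
};

function authorize(session, claimedRole, action) {
  if (!session || !Array.isArray(session.roles)) return false; // not authenticated
  if (!session.roles.includes(claimedRole)) return false;      // role not assigned
  return (PERMISSIONS[claimedRole] || []).includes(action);
}
```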


OAuth and SAML

How?