Feature Flagging vs Authorization

I just stumbled on the concept of feature flags and the popular open source Java implementation of it called Togglz, which quotes Martin Fowler's blog post:

The basic idea is to have a configuration file that defines a set of toggles for the various features you have pending. The running application then uses these toggles to decide whether or not to show the new feature.

But to me it really sounds like authorization: is the user allowed to view this content?

For example, should the user see the FizzBuzz menu or not?

In Togglz, I can do this check like this:

```java
if (MyFeatures.ShowFizzBuzz.isActive()) {
    // Show the FizzBuzz menu.
}
```

In, say, Apache Shiro, I could do the same:

```java
ShowFizzBuzzPermission showFizzBuzz = new ShowFizzBuzzPermission();
if (currentUser.isPermitted(showFizzBuzz)) {
    // Show the FizzBuzz menu.
}
```

Again, feature toggling looks like exactly the same problem as role or permission checking.

I'm sure I'm wrong, but I don't understand how. So I ask: how does feature flagging differ from authorization and role / permission checking, and what kinds of specific use cases illustrate this difference? In other words: when should I use authorization / role / permission checking and when should I use feature flags?

+8
java security authorization featuretoggle togglz
3 answers

I'm going to use Mr. Fowler's terminology for two types of feature toggles:

  • Business Toggle: features that are long-lived configuration, where all states are supported.
  • Release Toggle: intended for the transition from the old (or nonexistent) implementation to the "new" one. Its purpose is to fall back to the old way of working while the work is being done. It lets you keep the current mode of operation until the "new" path is completed. Most people agree that they should be avoided whenever possible.

How is feature toggling different from authorization and role / permission checking, and what kinds of use cases illustrate this difference?

I think that authorization and role / permission checking is configuration underneath the implementation of a Business Toggle. Authentication is a Business Toggle feature; Shiro would be a tool to help you configure and apply the authentication feature. Togglz is the basis for implementing "Release Toggles" or "Version Toggles". It could be used for the authentication feature.

If you used Togglz to enable / disable authentication, and then Shiro to provide the custom configuration, your code would look like this:

```java
if (MyFeatures.ShowFizzBuzz.isActive()) {
    ShowFizzBuzzPermission showFizzBuzz = new ShowFizzBuzzPermission();
    if (currentUser.isPermitted(showFizzBuzz)) {
        // Show the FizzBuzz menu.
    }
}
```

You could drop the toggle here because you always want authentication to be enabled. The toggle simply introduces an additional check and technical debt.

When should I use authorization / role / permission checking and when should I use feature flags?

I think this decision is up to you. I would say that authorization is a feature, and you can use Shiro to implement it. Your application may have many other features beyond Shiro that make you want to use Togglz to turn them on and off. I maintain that any complex feature still requires configuration to manage your business logic.

+2

I won't speak for the Togglz logic. In the FF4J documentation (Feature Flipping for Java), you can find a crooked diagram that explains the difference.

Feature Toggle vs Authorization

A feature is a piece of processing, a function that can be turned on and off at runtime through a dedicated web console. This should be the main driver for toggling your code: do I need to activate / deactivate this capability?

Once you define a feature toggling mechanism, you get a lot of value from it (you can look at the use cases at the bottom of the ff4J.org page), and you can check permissions as well.

Checking permissions in the context of a feature toggle is meant for performing a "Canary Release": opening a new feature to a limited subset of users before opening it to everyone.

+1
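The combined check from the first answer and the canary release from the second, as an added example (not code from the question, the answers, Togglz or Shiro): a global release toggle, an optional canary subset, and a per-user permission check kept as separate decisions, with constructed sample users and permissions.

```java
import java.util.Map;
import java.util.Set;

// Added example: toggle and authorization as two independent decisions.
public class ToggleVsAuthz {

    // Release toggle: one switch read from deployment configuration,
    // flipped by operators and identical for every user.
    enum Feature { SHOW_FIZZBUZZ }
    static final Map<Feature, Boolean> TOGGLES = Map.of(Feature.SHOW_FIZZBUZZ, true);

    // Canary subset (constructed): while rolling out, the toggle counts as
    // active only for these users. An empty set means "active for everyone".
    static final Set<String> CANARY_USERS = Set.of("alice");

    // Authorization: a long-lived business rule about who may do what
    // (constructed sample permissions, in a Shiro-like "resource:action" style).
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
        "alice", Set.of("fizzbuzz:view"),
        "bob",   Set.of("fizzbuzz:view"),
        "carol", Set.of());

    // Is the feature switched on for this deployment (and this canary user)?
    // A disabled toggle hides the feature from everyone, permissions or not.
    static boolean toggleActive(Feature f, String user) {
        if (!TOGGLES.getOrDefault(f, false)) return false;
        return CANARY_USERS.isEmpty() || CANARY_USERS.contains(user);
    }

    // Is this user allowed to use the feature at all? Unchanged by rollout state.
    static boolean isPermitted(String user, String permission) {
        return PERMISSIONS.getOrDefault(user, Set.of()).contains(permission);
    }

    // The menu appears only when both say yes: the toggle decides whether the
    // code path is live, authorization decides who may reach it.
    static boolean showFizzBuzzMenu(String user) {
        return toggleActive(Feature.SHOW_FIZZBUZZ, user)
            && isPermitted(user, "fizzbuzz:view");
    }

    public static void main(String[] args) {
        // alice is in the canary and permitted; bob is permitted but not in the
        // canary; carol is in neither. Flip TOGGLES to false and nobody sees it.
        for (String u : new String[] {"alice", "bob", "carol"}) {
            System.out.println(u + " -> " + showFizzBuzzMenu(u));
        }
    }
}
```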

A toggle has nothing to do with users; it is all about features being enabled or not for everyone.

It allows you to develop new features, test them and ship them to production without activating them (see continuous integration, continuous delivery). One of the interesting points is to integrate the new code as early as possible while keeping work in progress from being visible in production.

0
