Modifying Neo4j?s Object Graph Mapper Queries for Access Control
Sprache des Vortragstitels:
The 24th International Conference on Information Integration and Web Intelligence
Sprache des Tagungstitel:
A web application without access control is hardly usable. At the same time, we want to avoid boilerplate and use frameworks automating the communication between applications and databases. However, if we use the full potential of the mapper frameworks, the possibilities for access control are getting limited. Consequently, a trade-off between code complexity and mapper functionality must be found. In this work, we use object-graph mappers and at the same time avoid code duplication and entity-type-specific access control implementations. We do so by intercepting and changing the communication between our application code and the mapper framework so it generates queries already containing access-control filters. Thereby, we achieve authorization already on database access. With this approach only entities authorized for the currently active user are loaded, reducing the risk of data leaks. Furthermore, the developers are not required to implement access control on a per-entity-type basis.