Hi all, I am currently using the EJB application server Weblogic. I am also
grappling with the issue of trying to design a centralised Authorisation,
Access Control system that can encompass both the server side (EJBs) and
client sides of our system. However, it seems to me that (under Weblogic at
least) access controls are decided primarily at deployment time (via the
deployment descriptor, well, at least assigning "groups/roles" etc. to EJBs).

What I would like to do is have a system whereby I can administer
user-role-permissions that can be dynamically applied across both my EJBs
and client architectures.

I have read the paper by Yoder but I am trying to resolve if such a design
can be achieved using the current JDK 1.1 security API (mainly a bunch of
interfaces).

My other concerns are:
        the new nature of the JDK1.2 security model versus JDK1.1;
        that is Sun are currently working on the JAAS spec which deals
        primarily with this sort of issue;
        How to reconcile conflicting or multiple Roles/permissions for a
        user;
        Flexible administration of the acl system;

I am currently reading all the doco on the security implementation in
Weblogic to see if I can "extend" this model across to the client.

Because Weblogic is basically a Java 1.1 platform product I am hesitant to
mix Java 1.1 and Java 2 (when dealing with security APIs etc).


Any comments/help/debate on this subject greatly appreciated.



Rob Masters
Sun Certified Java Programmer

Comcare Australia
(w) 02 6275 0632
(f) 02 657 4045
[EMAIL PROTECTED]
http://www.comcare.gov.au
