I'm working on a jboss security interceptor that uses a delegation model along
with a custom JAAS policy provider so that one can write security rules indepdendent
of the business logic. The delegation layer is one that implements the public interface
of the bean it is securing and then delegates the call to the business object is the
required permissions exist. For example,
class SecureAccountBean
{
AccountBean delegate;
...
public void saveAccount()
{
String acountID = ...;
Permission p = new AccountPermission(accountID, "save");
AccessController.checkPermission(p);
delegate.saveAccount();
}
...
}
As for references/books, I only know of the JAAS docs and the Inside Java2 Platform
Security.
Security in EJB is only role based and there is no api for integration with legacy
security
systems. Security in both the EJB and J2EE specs is vague and mostly left as an
implementation detail. In the latest J2EE 1.3PFD JAAS is a required api, but the
security
discussion there is still quite vague.
----- Original Message -----
From: "Alexander Klyubin" <[EMAIL PROTECTED]>
To: "Jboss-User" <[EMAIL PROTECTED]>
Sent: Wednesday, January 17, 2001 9:56 AM
Subject: [jBoss-User] Externalizing security settings
> Hi!
>
> Beans usually have custom security business requirements -- not only purely
> role-based ones.
> A simple example is that only the owner of account can modify it (Admin
> also).
>
> Can anyone offer a good solution or at least the direction where I should go
> in order to externalize there security business rules to some extent. My
> goal is:
> * Each role has a set of permissions assigned to it.
> * Role-Permissions assignments can be modified at runtime by Administrator
> role
> * Security checks inside beans' methods are based on permissions associated
> with caller's Principal
>
> I would like to have my business methods look like this:
>
> AccountBean.java ...
> public void saveAccount()
> {
> ...
>
> principal = getCallerPrincipal()
> ..
> Security.isAccountWriteable(principal, roleListTakenFromContext,
> thisAccount's ID or whatever information needed);
> ...
> }
>
> Link to good resources and books appreciated.
>
> Alexander Klyubin
>
>
>
> --
> --------------------------------------------------------------
> To subscribe: [EMAIL PROTECTED]
> To unsubscribe: [EMAIL PROTECTED]
> List Help?: [EMAIL PROTECTED]
>
>
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
List Help?: [EMAIL PROTECTED]
