Title: RE: [jBoss-User] Externalizing security settings

That's portable wherever there's JAAS, isn't it?

Tom Cook
Systems Development
Australian Submarine Corporation
Mersey Road
Outer Harbour

+61 8 8348 7645

"From the instant I picked your book up, until the moment I put it down, I was convulsed with laughter.  I fully intend to read it one day."

        - Groucho Marx

    -----Original Message-----
    From:   Oleg Nitz [SMTP:[EMAIL PROTECTED]]
    Sent:   Thursday, January 18, 2001 3:49 AM
    To:     jBoss
    Subject:        Re: [jBoss-User] Externalizing security settings

    Hi Alexander,

    I cannot point out the links that you are looking for, but I have one thought on
    this topic.
    You may have your own Principal implementation (of course, for that
    you should implement your own server LoginModule).
    The Principal implementation can contain additional data and methods
    used for authorization. I mean that your code could look like

    public void saveAccount()
    {
            MyPrincipal principal;
            ...
            principal = (MyPrincipal) _context.getCallerPrincipal();
            ...
            principal.isAccountWriteable(thisAccount's ID);
            ...
    }

    I am not saying that this approach is good or recommended by
    EJB authorities, and I doubt that it is portable,
    but it is the best one that I can think of.

    Regards,
     Oleg


    Alexander Klyubin wrote:
    > Hi!

    > Beans usually have custom security business requirements -- not only purely
    > role-based ones.
    > A simple example is that only the owner of an account can modify it (Admin
    > also).

    > Can anyone offer a good solution, or at least the direction I should go
    > in, in order to externalize these security business rules to some extent. My
    > goal is:
    > * Each role has a set of permissions assigned to it.
    > * Role-Permissions assignments can be modified at runtime by Administrator
    > role
    > * Security checks inside beans' methods are based on permissions associated
    > with caller's Principal

    > I would like to have my business methods look like this:

    > AccountBean.java ...
    > public void saveAccount()
    > {
    >         ...

    >         principal = getCallerPrincipal();
    >         ...
    >         Security.isAccountWriteable(principal, roleListTakenFromContext,
    > thisAccount's ID or whatever information needed);
    >         ...
    > }

    > Links to good resources and books appreciated.

    > Alexander Klyubin
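
The following is an added example, not code from this thread, from jBoss or from either poster. It sketches, in plain Java, the shape Alexander asked for (a Security.isAccountWriteable check driven by permissions that an Administrator can re-assign to roles at runtime) while taking Tom's portability point seriously: the check depends only on Principal.getName() and the role names the container reports, so it needs no custom Principal class and no cast. All names here (Permission, RolePermissionRegistry, Security, SimplePrincipal, the role and permission strings, the sample accounts) are assumptions; a real bean would obtain the caller from EJBContext.getCallerPrincipal() and the roles from the container.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;

// Permission names are constructed for this example; the thread names none.
enum Permission { ACCOUNT_WRITE_OWN, ACCOUNT_WRITE_ANY, EDIT_ROLE_PERMISSIONS }

/** Minimal Principal; in a container the LoginModule supplies the real one. */
final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

/** Role -> permission grants, editable at runtime. Unknown roles hold no permissions (fail closed). */
final class RolePermissionRegistry {
    private final Map<String, Set<Permission>> grants = new ConcurrentHashMap<>();

    /** Bootstrap: exactly one role starts out able to administer the mapping. */
    RolePermissionRegistry(String adminRole) {
        permissionsOf(adminRole).add(Permission.EDIT_ROLE_PERMISSIONS);
    }

    private Set<Permission> permissionsOf(String role) {
        return grants.computeIfAbsent(role, r -> new CopyOnWriteArraySet<>());
    }

    boolean hasPermission(Set<String> roles, Permission p) {
        for (String role : roles) {
            if (grants.getOrDefault(role, Collections.emptySet()).contains(p)) return true;
        }
        return false;
    }

    /** Editing the assignments is itself guarded: the caller must hold EDIT_ROLE_PERMISSIONS. */
    void grant(Set<String> callerRoles, String role, Permission p) {
        requireAdmin(callerRoles);
        permissionsOf(role).add(p);
    }

    void revoke(Set<String> callerRoles, String role, Permission p) {
        requireAdmin(callerRoles);
        permissionsOf(role).remove(p);
    }

    private void requireAdmin(Set<String> callerRoles) {
        if (!hasPermission(callerRoles, Permission.EDIT_ROLE_PERMISSIONS)) {
            throw new SecurityException("caller may not edit role-permission assignments");
        }
    }
}

/** Account with an owner; the bean would load this from persistence. */
final class Account {
    final String id;
    final String ownerName;
    Account(String id, String ownerName) { this.id = id; this.ownerName = ownerName; }
}

/** The externalised check: owner-or-privileged, decided by the registry, not by bean code. */
final class Security {
    static boolean isAccountWriteable(RolePermissionRegistry registry, Principal caller,
                                      Set<String> callerRoles, Account account) {
        if (registry.hasPermission(callerRoles, Permission.ACCOUNT_WRITE_ANY)) return true;
        return registry.hasPermission(callerRoles, Permission.ACCOUNT_WRITE_OWN)
                && account.ownerName.equals(caller.getName());
    }
}

public class ExternalizedAuthzDemo {
    public static void main(String[] args) {
        RolePermissionRegistry registry = new RolePermissionRegistry("admin");
        Set<String> adminRoles = Set.of("admin");
        registry.grant(adminRoles, "customer", Permission.ACCOUNT_WRITE_OWN);

        // Constructed sample data.
        Account acct = new Account("acct-1", "alice");
        Principal alice = new SimplePrincipal("alice");
        Principal bob = new SimplePrincipal("bob");
        Set<String> customerRoles = Set.of("customer");
        Set<String> supportRoles = Set.of("support");

        System.out.println("alice (owner) may write: "
                + Security.isAccountWriteable(registry, alice, customerRoles, acct));
        System.out.println("bob (customer, not owner) may write: "
                + Security.isAccountWriteable(registry, bob, customerRoles, acct));
        System.out.println("bob (support, before grant) may write: "
                + Security.isAccountWriteable(registry, bob, supportRoles, acct));

        // The Administrator re-assigns permissions at runtime; no bean redeploy needed.
        registry.grant(adminRoles, "support", Permission.ACCOUNT_WRITE_ANY);
        System.out.println("bob (support, after grant) may write: "
                + Security.isAccountWriteable(registry, bob, supportRoles, acct));

        // A caller without EDIT_ROLE_PERMISSIONS cannot change the mapping.
        try {
            registry.grant(customerRoles, "customer", Permission.ACCOUNT_WRITE_ANY);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

Two design choices matter for the risk Alexander describes. First, the registry defaults to deny: a role with no entry grants nothing, so a misspelt role name or a missing assignment cannot accidentally widen access. Second, changing the role-permission table is itself a permission-checked operation, so the "Administrator can modify at runtime" requirement does not become an unauthenticated configuration endpoint. Oleg's custom-Principal variant would move the same data onto the Principal object; the trade-off is that every bean then casts to that class and the LoginModule must be rewritten for each container, whereas keying the registry on getName() and the container's role names keeps the beans portable.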