Ok, then does it make sense to rely on JAAS for all of the security aspects
of a system, or is the technology not mature enough yet?
Specifically can it be used to limit access to methods or individual
resources (such as a file or a database record marked with some identifier)
based on a single user login point? Or will the application have to
maintain some extra login state to achieve this level of security?
--jason
On Wed, 23 May 2001, Scott M Stark wrote:
> Reliance on static files is not a requirement; its simply the default mode. In
> the JBossSX codebase is an example custom javax.security.auth.Policy
> implementation that obtains permission info from a IAppPolicyStore which
> could be a database, ldap server, etc. The prototype uses an xml file.
>
> JNDI cannot be secured via JAAS currently simply because it does not
> make any permission checks. A future version of jnp will support secured
> access via subject based permissions.
>
> ----- Original Message -----
> From: "Jason Dillon" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, May 22, 2001 6:13 PM
> Subject: [JBoss-user] JAAS & JBossSX vs Application Security
>
>
> > Hello, I am trying to figure out what the *best* approach is for adding
> > robust security to a highly distributed JMX/EJB/JMS application. I have
> > just looked over the docs about JAAS as well as the JBossSX guide and I
> > still do not have a good feel for what is the correct approach for what I
> > am trying to do.
> >
> > JAAS looks like it follows the basic Java 2 security model, which relies on a
> > static file to list who has access to what, which seems a little odd since
> > in most cases the 'who' is probably listed somewhere in a database, so I am
> > a little confused by there examples.
> >
> > Currently we perform the authentication ourselves, via an ejb call that
> > returns a session bean that represents what that user can do. This has some
> > obvious issues, like if the user just tried to lookup an object which they
> > are not supposed to directly instead of going through the gateway.
> >
> > It looks like JAAS/JBossSX might solve, this forcing the user to login
> > first, but it is unclear how that would solve all of the access problems
> > that might occur.
> >
> > Say User A created a file "user_a_private_stuff" via the FileManager bean,
> > how would I prevent User B from logging in, creating a FM bean then reading
> > that file?
> >
> > Can the security framework be used to replace most (if not all) other
> > aspects of security, such as forcing users through a gateway "access
> > manager" bean?
> >
> > Can it be used to grant/limit access to fine grained resources based on
> > principal or credentials retrieved from a database lookup (via an entity
> > bean)?
> >
> > Is there any way to limit access via JNDI by this method?
> >
> > Does anyone know of any detailed documentation/examples of non-trivial
> > security implementations (like users with a set of permissions, application
> > code that can check for a given permission or set of permissions as well as
> > the identity of a user before executing an action, and storing all of that
> > information in a database).
> >
> > Or perhaps there is a way to use session beans similar to a servlet session
> > to store this data... I just don't know. =(
> >
> > Any help would be appreciated.
> >
> > --jason
> >
> >
> > _______________________________________________
> > JBoss-user mailing list
> > [EMAIL PROTECTED]
> > http://lists.sourceforge.net/lists/listinfo/jboss-user
> >
>
>
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/jboss-user
>
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
