Hi,
I'm hoping to get some feedback from the JBoss crew on
how folks are implementing fine-grained security
access on their application objects. I understand how
to use JAAS and EJB security to provide coarse grained
security (For instance, making the call the the
removeUser() method in a SessionBean be mapped to the
"admin" role), but I'm wondering how folks are
implementing security on a per-object basis, or state
dependent basis. For instance, Let's say you have a
Document EJB with a content field. You have a method
editContent(String newContent), that you want to
restrict to owners/editors of that particular document
EJB. How are folks implementing security access like
this?
One way I have thought of, using JBOSS+JAAS would be
to create a role:
"DOCUMENT_EDITOR.<document-id>" for every document
object. So, if a user created a new Document EJB, with
an id of 456, I would enter a role:
"DOCUMENT_EDITOR.456" into the roles table and map it
to that user's Principal object. Then in the Document
EJB editContent() method I would have:
public void editContent(String newContent){
long id = getId(); //get the id for this bean
String requiredRole = "DOCUMENT_EDITOR."+id;
if(ejbContext.isCallerInRole(requiredRole)){
//allow the edit...
}
else{
//throw some access exception here...
}
}
What do folks think of this approach? Any other
ideas/implementations? Are there any standard j2ee
access-control api's out there that I'm not aware of?
I'd like to get some feedback on this before I commit
to an implementation, so if anybody has any other
ideas, links to docs, etc, I'd appreciate it.
Thanks!
--Joel
__________________________________________________
Do You Yahoo!?
Make a great connection at Yahoo! Personals.
http://personals.yahoo.com
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
