I am working on a project that will allow a user to belong to one or more projects, with the user being assigned one or more roles within the project. I want to be able to declaratively secure areas of a webpage and EJB based on first the project, then a role within the project. For example:

There exist Projects 1 and 2 and the Users A and B. User A has a role of member of Project 1 and a role of owner of Project 2. User B has a role of member of Project 2. I wish to use container managed security so that from the web tier I can do something like:

    <security:check project="1" role="member">
        Some text and link only for members
    </security:check>

where this tag does a check of some sort against the UserPrincipal like ((MyMasterPrincipal)getUserPrincipal()).hasRole("1/member") behind the scenes. My first thought is to adjust the JAASSecurityManager or the appropriate LoginModule to construct a master principal (MyMasterPrincipal) that knows how to locate a nested principal/group for the project ("1"), and then find a role within this group ("member"). Since the user will also have a role within the whole system of either a user or siteadmin, then I'll have another context that allows me to do something like "system/user" or "system/siteadmin" to protect various areas of a page. Note: I don't anticipate securing the URLs on the web tier beyond the system role level, since I don't have context information about the current request being processed to enable a smarter check of a requested URL based on a project id unless I use a security filter and a custom ACL file.

Along the same lines, I wish to do something similar with an EJB using declarative roles. From the EJB side, I know I can do something custom with JBoss to put in a new SecurityManager that extends JAASSecurityManager and knows how to determine, based on the calling context, the project name currently being operated on. Thus, when a user calls myProjectBean.createNewFoo("1","bar"), then I can see if they have the admin role for project "1" before the EJB is invoked using a security interceptor as described in chapter 7 of the online volunteer docs.

So, my questions are:

1. Has anyone done something similar before, and if so, what worked for you?

2. Does the RoleGroups concept within JBossSX offer the capability of doing this without all of my custom coding, or does it just search over all groups for a role "foo" without any specific role group context being specified ("1/member" vs. just "member")?

3. If JBossSX doesn't quite support this without customizations, what is the best customization approach to be able to do these things above so that I can get the web and EJB tier as close as possible to each other in the format of security checks they use? I know that the web tier is the most painful, since JBoss offers ways to customize the EJB security checks whereas the web tier is a little more locked in and the API more limiting. That is the reason why I was thinking of a smarter principal being used to make the web tier checks a little more sophisticated.

I don't mind doing some custom JBoss extensions, as I will be using JBoss specifically and don't mind locking into JBoss.

Thanks in advance,
James
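
Added example (not part of the original post, and not JBossSX code): one way the context-scoped check behind hasRole("1/member") could behave, denying any role string that does not name exactly one context. The class body, the grant() helper, the map-based storage and the sample grants for Users A and B are assumptions made for illustration; only the names MyMasterPrincipal and hasRole come from the post.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch of the post's MyMasterPrincipal; not JBossSX code.
public final class MyMasterPrincipal implements Principal {
    private final String name;
    // Context ("system" or a project id) -> roles granted in that context only.
    private final Map<String, Set<String>> rolesByContext = new HashMap<>();

    public MyMasterPrincipal(String name) { this.name = name; }

    @Override public String getName() { return name; }

    // Assumed helper a LoginModule would call while building the principal.
    public MyMasterPrincipal grant(String context, String role) {
        rolesByContext.computeIfAbsent(context, k -> new HashSet<>()).add(role);
        return this;
    }

    // Accepts only "context/role". A bare "member" or an extra "/" is denied,
    // never resolved by searching every project for a matching role name.
    public boolean hasRole(String scopedRole) {
        if (scopedRole == null) return false;
        int slash = scopedRole.indexOf('/');
        if (slash <= 0 || slash == scopedRole.length() - 1
                || scopedRole.indexOf('/', slash + 1) != -1) return false;
        Set<String> roles = rolesByContext.get(scopedRole.substring(0, slash));
        return roles != null && roles.contains(scopedRole.substring(slash + 1));
    }

    private static void expect(boolean actual, boolean wanted, String what) {
        if (actual != wanted) throw new AssertionError(what);
        System.out.println(what + " -> " + actual);
    }

    public static void main(String[] args) {
        // Constructed data mirroring the post's Users A and B.
        MyMasterPrincipal a = new MyMasterPrincipal("A")
                .grant("system", "user").grant("1", "member").grant("2", "owner");
        MyMasterPrincipal b = new MyMasterPrincipal("B")
                .grant("system", "user").grant("2", "member");
        expect(a.hasRole("1/member"), true, "A 1/member");
        expect(a.hasRole("2/member"), false, "A 2/member"); // owner of 2, not member
        expect(b.hasRole("1/member"), false, "B 1/member"); // member of 2 only
        expect(a.hasRole("member"), false, "A member (no context)");
        expect(a.hasRole("1/member/x"), false, "A 1/member/x");
        expect(b.hasRole("system/siteadmin"), false, "B system/siteadmin");
    }
}
```

Keeping roles keyed by context means a role earned in one project can never satisfy a check for another, which is the difference between "1/member" and an unscoped search for "member" raised in question 2.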
