> My initial thought was to use isUserInRole interface regardless of how the
> user/role relationship was defined.

+1 to that... It's a standard interface that we know MUST be supported by the various containers.

> Btw, I think that web.xml contains the roles definitions, while user/role
> relationships are defined in container.

Ah, thanks. So, just to make sure I'm understanding it correctly.

1. The JSR-250 annotation defines what roles will be supported by each operation.
2. At runtime, before we invoke we check for the presence of the annotation and then check the contents against isUserInRole(). If it passes, all is good. If it fails... I'm assuming there's a standard error that needs to be returned for authorization failed (looks like HTTP 401 - http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html).
3. The user will be responsible for defining user->role mapping in a container specific manner.

-Nick

Nicholas Gallardo
WebSphere - REST & WebServices Development
[email protected]
Phone: 512-286-6258
Building: 903 / 5G-016

Michael Elman <[email protected]>
07/15/2009 01:34 AM
Please respond to wink-...@incubator.apache.org

To: [email protected]
cc:
Subject: Re: Using @RolesAllowed for Role Based Access Control

My initial thought was to use isUserInRole interface regardless of how the user/role relationship was defined.
Actually the call for isUserInRole must have the ability for an extension, so the users could override it with the specific behavior (most applications that I know, provide their own authorization mechanism, so we should be able to integrate)

Btw, I think that web.xml contains the roles definitions, while user/role relationships are defined in container.

On Tue, Jul 14, 2009 at 5:58 PM, Nicholas L Gallardo <[email protected]> wrote:

> Does the web.xml have stanzas for defining user/role relationships? Or
> would this have to come from some other config?
>
> Nicholas Gallardo
> WebSphere - REST & WebServices Development
> [email protected]
> Phone: 512-286-6258
> Building: 903 / 5G-016
>
> Michael Elman <[email protected]>
> 07/14/2009 09:55 AM
> Please respond to [email protected]
>
> To: [email protected]
> cc:
> Subject: Re: Using @RolesAllowed for Role Based Access Control
>
> We have plans to support the security annotations from JSR 250. But we
> didn't discuss it yet.
>
> On Tue, Jul 14, 2009 at 4:58 PM, Jain, Shashank Mohan <[email protected]> wrote:
> > Do we have support Role Based Access Control for different Restful endpoints.
> > Regards
> > Shashank
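
The check outlined in steps 1-3 of the message above, as an added example (not part of the thread and not Apache Wink code). The `RolesAllowed` annotation is a local stand-in for the JSR-250 one; `Orders`, `authorize`, `Decision` and the sample role sets are hypothetical; answering 401 only to unauthenticated callers and 403 to authenticated callers without a listed role is this example's assumption.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Set;
import java.util.function.Predicate;

public class RolesAllowedCheck {
    // Local stand-in for the JSR-250 annotation javax.annotation.security.RolesAllowed,
    // declared here so the example compiles without the annotations jar.
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.METHOD, ElementType.TYPE})
    @interface RolesAllowed { String[] value(); }

    enum Decision { INVOKE, SEND_401, SEND_403 }

    // Hypothetical resource class: one restricted operation, one unrestricted.
    static class Orders {
        @RolesAllowed({"admin", "auditor"})
        public String listAll() { return "all orders"; }
        public String ping() { return "pong"; }
    }

    // isUserInRole is passed in, so it can be request::isUserInRole on an
    // HttpServletRequest (container-defined mapping) or an application's own check.
    static Decision authorize(Method m, boolean authenticated, Predicate<String> isUserInRole) {
        RolesAllowed allowed = m.getAnnotation(RolesAllowed.class);
        if (allowed == null)   // fall back to a class-level annotation
            allowed = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        if (allowed == null) return Decision.INVOKE;    // nothing declared: no role check
        if (!authenticated) return Decision.SEND_401;   // assumption: challenge for credentials
        for (String role : allowed.value())
            if (isUserInRole.test(role)) return Decision.INVOKE;
        return Decision.SEND_403;                       // assumption: known caller, no listed role
    }

    public static void main(String[] args) throws NoSuchMethodException {
        Set<String> auditor = Set.of("auditor");    // constructed user->role mappings
        Set<String> customer = Set.of("customer");
        Method listAll = Orders.class.getMethod("listAll");
        Method ping = Orders.class.getMethod("ping");
        System.out.println("auditor listAll:   " + authorize(listAll, true, auditor::contains));
        System.out.println("customer listAll:  " + authorize(listAll, true, customer::contains));
        System.out.println("anonymous listAll: " + authorize(listAll, false, r -> false));
        System.out.println("customer ping:     " + authorize(ping, true, customer::contains));
    }
}
```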
