(JAAS) Role based access control in Java: good enough?

Posted By:   cyber_gui
Posted On:   Thursday, August 9, 2001 10:11 PM

I'm working on a user management system for my J2EE application. The idea is we can restrict users by granting permissions for certain operations on certain resources. As far as I see, there is an API in J2EE which exactly fits here: JAAS. But the only problem I see is that all the policy information (permissions, roles, users, etc.) is stored in a flat file.


So scalability is out of the question. Is there any way to use JAAS but store the policy info in a DB? Your response is highly appreciated!

Re: (JAAS) Role based access control in Java: good enough?

Posted By:   Edmundas_Miseikis  
Posted On:   Friday, August 10, 2001 03:24 PM


To bypass the default Policy class, which reads permissions from a flat file, you have to develop your own set of modules, including LoginModule, Principal, Permission, PermissionCollection, and Policy classes. The getPermissions method in your Policy class will return a collection of permissions available for your Subject, authenticated in a corresponding LoginModule. With the custom Policy class you can control permissions at user or role level.


Both LoginModule and Policy classes can get user/role data from the database (and combine it with data from other authentication servers, like RADIUS). In a multi-tiered enterprise application (browser/servlets/EJB/DB) it is a little bit tricky (but possible) to handle authentication callbacks.


See also:

http://java.sun.com/security/jaas/doc/module.html

http://java.sun.com/security/jaas/faq.html
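
The custom Policy approach described in the reply above, as an added sketch that is not code from either poster. `DbPolicy`, `RolePrincipal` and `loadPermissions` are hypothetical names, the in-memory map stands in for a database table queried over JDBC, and `PropertyPermission` stands in for a custom Permission class. It assumes a JDK where `java.security.Policy` can still be subclassed (the class is deprecated since Java 17).

```java
import java.security.*;
import java.util.*;

public class DbPolicyDemo {
    // Hypothetical role principal; a custom LoginModule would attach it to the Subject.
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Policy that resolves permissions per role from a backing store instead of a flat file.
    static class DbPolicy extends Policy {
        private final Map<String, List<Permission>> store; // assumption: stand-in for a DB table

        DbPolicy(Map<String, List<Permission>> store) { this.store = store; }

        // In a deployment this would be a parameterized JDBC query keyed on the role name.
        private List<Permission> loadPermissions(String role) {
            return store.getOrDefault(role, Collections.<Permission>emptyList());
        }

        @Override
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            Permissions perms = new Permissions();
            for (Principal p : domain.getPrincipals())   // empty array when no principals
                if (p instanceof RolePrincipal)
                    for (Permission perm : loadPermissions(p.getName())) perms.add(perm);
            return perms; // unknown roles yield an empty collection: default deny
        }

        @Override // evaluate on every call so changes in the store take effect
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return getPermissions(domain).implies(permission);
        }
    }

    public static void main(String[] args) {
        Map<String, List<Permission>> rows = new HashMap<>(); // constructed sample data
        rows.put("auditor", Arrays.<Permission>asList(new PropertyPermission("reports.*", "read")));
        Policy policy = new DbPolicy(rows);
        ProtectionDomain auditor = new ProtectionDomain(null, null, null,
                new Principal[] { new RolePrincipal("auditor") });
        ProtectionDomain guest = new ProtectionDomain(null, null, null,
                new Principal[] { new RolePrincipal("guest") });
        System.out.println(policy.implies(auditor, new PropertyPermission("reports.q1", "read")));
        System.out.println(policy.implies(auditor, new PropertyPermission("reports.q1", "write")));
        System.out.println(policy.implies(guest, new PropertyPermission("reports.q1", "read")));
    }
}
```

The three checks cover a granted action, an action the role was not granted, and a role with no rows in the store.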
