Data Access control in J2EE technologies

O. Ziggy
Ranch Hand
Posts: 430
Hi Guys,

I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages of a Struts based web application.

First off, to clarify, I am not referring to the ability for different users to log on to a specific page and/or view specific pages. That is a different type of access control. I am more interested in "Data Access", i.e. where multiple users can view the same page but the data that is displayed depends on the data access control privileges they have.

I am interested to know of the different approaches/frameworks out there for implementing "data access" control. Is there a framework out there for this kind of thing?

I'm thinking that to do this the controls/privileges need to be configured (i.e. data access categories, users etc.) somewhere, probably in the database. The rules can get quite complicated, so I'm wondering whether there is already a framework that I can use to accomplish this rather than implementing it from scratch.

Thinking about how it will work, the rules that govern the access are very specific to our business domain, so I am not really sure whether it is possible, or whether there is any third party framework that I can use that is very generic and will allow the rules to be configured.

Thanks

ps. I have posted this on another forum as well - http://forums.sun.com/thread.jspa?threadID=5445458
Ranch Hand
Posts: 52
Hello,

"Virtual Private Database" from Oracle might be suitable for you...


Please check ...
Ron Miller
Greenhorn
Posts: 12
O. Ziggy wrote:
Hi Guys,

I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages of a Struts based web application.

First off, to clarify, I am not referring to the ability for different users to log on to a specific page and/or view specific pages. That is a different type of access control. I am more interested in "Data Access", i.e. where multiple users can view the same page but the data that is displayed depends on the data access control privileges they have.

Couldn't you use request.isUserInRole() to check the identity of the user who made the request, and send back a response based on that?

If you did configure users correctly in the <security-constraint> in the web.xml, the user's role will be recognized and subsequent pages can use this information to display different information. Why use another framework and add one more layer of complexity? That will give you a new problem rather than solving an existing problem.

I would stick to the traditional, recommended J2EE technologies that everybody is using. I think that's wiser in your case.

I don't know struts but it must store this user role information somewhere in the http request; retrieve this info, process it in the execute() (or some time before you send response back), and return the proper info as a request param. Old school but safe and sound, and everybody understands the process.

Please let me know how it turns out, and if my suggestion is of any value in practice.
Jimmy Clark
Ranch Hand
Posts: 2187
O. Ziggy wrote:
...where multiple users can view the same page but the data that is displayed depends on the data access control privileges they have.

How this can be implemented will primarily depend upon the data storage system and the type of data. In regards to relational data, for example, you could store data access rules in a database and refer to these when executing data queries. The data that is returned by the database system is controlled by the mechanisms on the SQL query. So, the design of the web pages that display the data needs to take these potential variances into consideration.
Ron Miller
Greenhorn
Posts: 12
Jimmy Clark wrote:
... In regards to relational data, for example, you could store data access rules in a database and refer to these when executing data queries. The data that is returned by the database system is controlled by the mechanisms on the SQL query. So, the design of the web pages that display the data needs to take these potential variances into consideration.

So is it better to implement the security constraint in J2EE or in the database system? Can you elaborate on how to implement security on the database system "by the mechanisms on the SQL query"?

In the latter case, do I need to worry about SQL injection attack?
Jimmy Clark
Ranch Hand
Posts: 2187
You can't say one is "better" than the other. Everything should depend upon the security requirements of the system and then the business requirements of the system. For any real system in the real-world you most likely will implement security constraints in the relational database management system AND the business application.

Security is implemented in various ways in various relational database management systems. Security mechanisms can be placed on roles, and users are assigned one or more roles. Hence the activities of the users, including their SQL queries, are controlled by the security mechanisms attached to the roles within the RDBMS.

You should be concerned about preventing SQL Injection Attack abilities in all cases. This is a fundamental design task. SQL Injection Attacks are typically only possible in poorly designed systems.
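An added illustration of the approach discussed in this thread (access rules stored in the database and joined into the data query, with the caller's container-assigned roles and any filter value bound as parameters rather than concatenated into the SQL). It is not code from the thread; it uses Python with the standard in-memory sqlite3 module so it runs stand-alone, and the same pattern is what a JDBC PreparedStatement gives you in a J2EE DAO. The schema, rows and role names are constructed for the example.

```python
import sqlite3

# Constructed sample schema: documents belong to a category, and an access
# rule says which categories a role may see. In a J2EE app the caller's roles
# would come from the container (request.isUserInRole / getUserPrincipal);
# here they are simply passed in as a list.
SCHEMA = """
CREATE TABLE document (id INTEGER PRIMARY KEY, title TEXT, category TEXT);
CREATE TABLE access_rule (role TEXT NOT NULL, category TEXT NOT NULL);
"""
DOCS = [(1, "Q3 forecast", "finance"), (2, "Payroll", "hr"), (3, "Press kit", "public")]
RULES = [("analyst", "finance"), ("analyst", "public"),
         ("hr_staff", "hr"), ("hr_staff", "public"), ("guest", "public")]


def open_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO document VALUES (?, ?, ?)", DOCS)
    conn.executemany("INSERT INTO access_rule VALUES (?, ?)", RULES)
    return conn


def visible_documents(conn, roles, category=None):
    """Return (id, title, category) rows the caller may see.

    Row visibility is decided by the access_rule table joined into the query,
    so page code never filters rows itself. Every caller-supplied value (the
    roles and the optional category filter) is bound as a parameter; the only
    thing built into the SQL text is the count of '?' placeholders, which is
    derived from len(roles), never from the values.
    """
    if not roles:
        return []
    placeholders = ",".join("?" * len(roles))
    sql = (
        "SELECT DISTINCT d.id, d.title, d.category FROM document d "
        "JOIN access_rule r ON r.category = d.category "
        f"WHERE r.role IN ({placeholders})"
    )
    params = list(roles)
    if category is not None:
        sql += " AND d.category = ?"
        params.append(category)
    sql += " ORDER BY d.id"
    return conn.execute(sql, params).fetchall()
```

Because the category filter is bound, a value such as `public' OR '1'='1` is compared as a literal string and matches nothing, instead of widening the result set.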