JAAS and instance based authorisation

 
Greenhorn
Posts: 6
Does JAAS provide a solution to instance based authorization? For instance if you have a scenario where one type of user is able to create orders and another user is able to only view orders, I think JAAS handles this sort of paradigm.
But what if I want to restrict whether a specific instance of a user can view a specific order? Can JAAS handle this?
Thanks in advance.
 
Author
Posts: 42

Originally posted by chris kelly:
Does JAAS provide a solution to instance based authorization? For instance if you have a scenario where one type of user is able to create orders and another user is able to only view orders, I think JAAS handles this sort of paradigm.
But what if I want to restrict whether a specific instance of a user can view a specific order? Can JAAS handle this?
Thanks in advance.


Chris-
You've asked a couple of really good questions!!
I'll try to answer this question and yours from the previous thread all at once (since they both deal with JAAS):
JAAS is somewhat orthogonal to both of your questions... JAAS can be used to help provide single sign on (it can't do it alone) and can help provide the type of authorization that you mention in the quote above.
The way I like to think of it is this:
JAAS is to security authentication and authorization as JDBC is to databases.
JAAS is really only a set of interfaces and some basic guidelines and helper classes. The power in JAAS comes with its underlying LoginModules, Principals and Credentials which (except for the ones provided by Sun with the JDK) are generally expected to be provided by 3rd party vendors. These classes (the third party ones) are the ones that actually do the work of authentication and authorization.
So, let me ask a rhetorical question...
Can JDBC provide pessimistic row locking on a given table? The answer is "kind of..." It'll allow you to do it, but only if the underlying DBMS will allow it or supports it.
It's the same answer to both of your questions. Single sign on can be used with JAAS if you have the pluggable components to support it. Same with fine grained authorization - if you've got the right info in your principal and credential objects, you can do the authorization.
In fact, in our book, there's an example of a JAAS LoginModule that uses an RDBMS for authentication, then implements custom Principal and Credential objects that allow for some pretty fine-grained authorization...
I don't blame you if you're confused by now... Just about every security sales rep I meet throws around the term JAAS with impunity (and usually out of context). It's a great buzzword to use, but unfortunately it's being used out of context enough that it can give people an impression that it is something that it isn't...
If you don't want to blow the coin on our book and help me feed my 2 year old son (is the guilt working?), the 1.4 JDK docs have some pretty good JAAS documentation and tutorials that should give you a good sense of what's possible and what's not.
Hope this helps.
I think, if there isn't one already, someone could write a whole book on using JAAS and there would still be plenty to say.
Let me know if I can provide more clarification.
 
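The following is an added illustration for this thread (not code from either poster or from the book mentioned above) of the pattern the reply describes: a custom LoginModule authenticates the user, then attaches custom Principal objects to the Subject that carry per-order grants, so the application can ask "may this Subject view this order" rather than only "is this Subject an order viewer". The class names, the application name "orders", the sample users, passwords and order IDs are all assumptions; the in-memory maps are a constructed stand-in for the RDBMS lookup, and a real module would compare a stored password hash instead of a plaintext value.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class InstanceAuthzDemo {

    /** Identity principal: who the Subject is. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Instance-level grant: one principal per order this Subject may view. */
    public static final class OrderViewPrincipal implements Principal {
        private final String orderId;
        public OrderViewPrincipal(String orderId) { this.orderId = orderId; }
        public String orderId() { return orderId; }
        @Override public String getName() { return "order:view:" + orderId; }
        @Override public boolean equals(Object o) { return o instanceof OrderViewPrincipal && ((OrderViewPrincipal) o).orderId.equals(orderId); }
        @Override public int hashCode() { return orderId.hashCode(); }
    }

    // Constructed sample data standing in for the RDBMS: user -> password, user -> viewable order IDs.
    static final Map<String, char[]> PASSWORDS = Map.of("alice", "s3cret".toCharArray(), "bob", "hunter2".toCharArray());
    static final Map<String, Set<String>> VIEWABLE = Map.of("alice", Set.of("1001", "1002"), "bob", Set.of("2002"));

    /** Hypothetical LoginModule: authenticates, then (in commit) populates the Subject with the grants. */
    public static class OrderLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;
        private final Set<Principal> added = new HashSet<>();

        @Override public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] expected = PASSWORDS.get(nc.getName());
            char[] given = pc.getPassword();            // returns a copy; clear both copies below
            boolean ok = expected != null && given != null && Arrays.equals(expected, given);
            if (given != null) Arrays.fill(given, '\0');
            pc.clearPassword();
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            succeeded = true;
            return true;
        }

        @Override public boolean commit() {
            if (!succeeded) return false;
            added.add(new UserPrincipal(user));
            for (String id : VIEWABLE.getOrDefault(user, Set.of())) added.add(new OrderViewPrincipal(id));
            subject.getPrincipals().addAll(added);  // the grants now travel with the Subject
            return true;
        }

        @Override public boolean abort() { succeeded = false; user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
    }

    /** Programmatic Configuration so the demo needs no jaas.conf file. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(OrderLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };

    /** Runs the JAAS login and returns the populated Subject; throws LoginException on bad credentials. */
    static Subject login(String user, String password) throws LoginException {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("orders", null, h, CONFIG);
        lc.login();
        return lc.getSubject();
    }

    /** The instance-based check: does THIS Subject hold a grant for THIS order? */
    static boolean canViewOrder(Subject s, String orderId) {
        return s.getPrincipals(OrderViewPrincipal.class).stream().anyMatch(p -> p.orderId().equals(orderId));
    }

    public static void main(String[] args) throws LoginException {
        Subject alice = login("alice", "s3cret");
        System.out.println("alice may view 1001: " + canViewOrder(alice, "1001"));
        System.out.println("alice may view 2002: " + canViewOrder(alice, "2002"));
        try {
            login("bob", "wrong");
        } catch (LoginException e) {
            System.out.println("bob with wrong password rejected: " + e.getMessage());
        }
    }
}
```

The point to notice is that JAAS itself only defines the LoginModule, Principal and Subject plumbing; the decision "alice may view order 1001 but not 2002" comes entirely from what the custom module put into the Subject and from the application's own `canViewOrder` check, which is exactly the "only if the underlying component supports it" caveat in the reply.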