This week's book giveaway is in the Agile and other Processes forum.
We're giving away four copies of The Mikado Method and have Ola Ellnestam and Daniel Brolund on-line!
See this thread for details.
The moose likes Security and the fly likes JAAS and rdbms driven policy Big Moose Saloon
  Search | Java FAQ | Recent Topics
Register / Login


Win a copy of The Mikado Method this week in the Agile and other Processes forum!
JavaRanch » Java Forums » Engineering » Security
Reply Bookmark "JAAS and rdbms driven policy" Watch "JAAS and rdbms driven policy" New topic
Author

JAAS and rdbms driven policy

Chaitanya Wankhede
Greenhorn

Joined: Jan 29, 2004
Posts: 3
posted private message
0
Quote
Hello
I am using JAAS in my web application. I have managed the authentication part well. For authorisation, I have used the policy files on the file system. However, the requirement is that the policy be database driven. The policies decide which usergroup has what permission. Are there any examples to implement the same?
Thanks
Chaitanya
Dave Teare
Ranch Hand

Joined: Oct 09, 2002
Posts: 80
posted private message
0
Quote
Hi Chaitanya,
I take it you decided the form-based login approach is insufficient for your needs. I came to the same conclusion and used JAAS for authentication too. Once you perform your own authentication, you disable the web containers ability to perform declarative access control, and must do everything yourself (unless you programmatically create the same login token used by said conatiner and stuff it into a cookie/url rewrite).
I know in WebSphere that once you try to intoduce a RDBMS-based persmission scheme, you are on your own. I assume other containers are similar.
Given this, my plan is to have a base action class (I'm using struts, use a front-controller or filter otherwise) that will enforce that each request contains an authenticated user (if the resource is protected), and verify their role is allowed to access it (via DB lookup, etc). The problem I have is how to define which resources are protected. Perhaps I will use an XML file with a format similar to web.xml; or perhaps each action should be stored in the DB and a join between the user/role/action tables would determine access.
What do you think? Let's brainstorm together...
--Dave.
Dave Teare
Ranch Hand

Joined: Oct 09, 2002
Posts: 80
posted private message
0
Quote
Sorry - I said base action class when I meant to say base action servlet. This servlet is registered in web.xml and delegates to the standard struts impl once access control is enforced.
Charles GAY
Greenhorn

Joined: Jun 11, 2004
Posts: 18
posted private message
0
Quote
hi, i think you should look towards jGuard to fulfills your needs:
http://sourceforge.net/projects/jguard

sincerly yours,

charles(jGuard team).
 
I agree. Here's the link: http://zeroturnaround.com/jrebel - it saves me about five hours per week
 
subject: JAAS and rdbms driven policy
 
Similar Threads
Need help-Authorization
Why JAAS ?
which framework to use (JAAS, JCE, JSSE)
Question about JAAS
Client Side Authentication