JavaRanch » Java Forums » Engineering » Security
JAAS and rdbms driven policy

Chaitanya Wankhede

Joined: Jan 29, 2004
Posts: 3
I am using JAAS in my web application. I have managed the authentication part well. For authorisation, I have used the policy files on the file system. However, the requirement is that the policy be database driven. The policies decide which usergroup has what permission. Are there any examples to implement the same?
Dave Teare
Ranch Hand

Joined: Oct 09, 2002
Posts: 80
Hi Chaitanya,
I take it you decided the form-based login approach is insufficient for your needs. I came to the same conclusion and used JAAS for authentication too. Once you perform your own authentication, you disable the web container's ability to perform declarative access control, and must do everything yourself (unless you programmatically create the same login token used by said container and stuff it into a cookie/URL rewrite).
I know in WebSphere that once you try to introduce an RDBMS-based permission scheme, you are on your own. I assume other containers are similar.
Given this, my plan is to have a base action class (I'm using Struts; use a front controller or filter otherwise) that will enforce that each request contains an authenticated user (if the resource is protected), and verify their role is allowed to access it (via DB lookup, etc.). The problem I have is how to define which resources are protected. Perhaps I will use an XML file with a format similar to web.xml; or perhaps each action should be stored in the DB and a join between the user/role/action tables would determine access.
What do you think? Let's brainstorm together...
Dave Teare
Ranch Hand

Joined: Oct 09, 2002
Posts: 80
Sorry - I said base action class when I meant to say base action servlet. This servlet is registered in web.xml and delegates to the standard struts impl once access control is enforced.
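The plan sketched in the two posts above, as an added example that is not from this thread, from Struts or from jGuard: a servlet filter registered ahead of the action servlet that rejects requests without an authenticated JAAS Subject and then asks the database whether one of the user's roles grants the requested action. The JNDI name, the session attribute holding the Subject, and the user_roles/role_actions tables are assumptions; the thread names no schema.

```java
import java.io.IOException;
import java.security.Principal;
import java.sql.*;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.sql.DataSource;

// Filter in front of the Struts action servlet: every request must carry an
// authenticated Subject, and one of its principals must be granted the
// requested action by the user/role/action tables (hypothetical schema).
public class DbAccessControlFilter implements Filter {
    private DataSource ds;

    public void init(FilterConfig cfg) throws ServletException {
        try {   // JNDI name is an assumption; adjust to the container's setup
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/policyDb");
        } catch (Exception e) { throw new ServletException(e); }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // The JAAS login step is assumed to have stored the Subject in the session
        Subject subject = (Subject) http.getSession().getAttribute("jaas.subject");
        if (subject == null) { out.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        String action = http.getServletPath();   // e.g. "/editOrder.do"
        for (Principal p : subject.getPrincipals()) {
            if (isAllowed(p.getName(), action)) { chain.doFilter(req, res); return; }
        }
        out.sendError(HttpServletResponse.SC_FORBIDDEN);   // default deny
    }

    // Join user -> role -> action; any matching row grants access. An action
    // absent from role_actions is therefore denied rather than silently allowed.
    private boolean isAllowed(String user, String action) throws ServletException {
        String sql = "SELECT 1 FROM user_roles ur JOIN role_actions ra ON ur.role_id = ra.role_id"
                   + " WHERE ur.username = ? AND ra.action = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, action);
            try (ResultSet rs = ps.executeQuery()) { return rs.next(); }
        } catch (SQLException e) { throw new ServletException(e); }
    }

    public void destroy() {}
}
```

Map the filter to the action servlet's URL pattern in web.xml so that a new action is denied until a role_actions row is added for it, which answers the "which resources are protected" question with the database rather than a second XML file.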
Charles GAY

Joined: Jun 11, 2004
Posts: 18
Hi, I think you should look towards jGuard to fulfil your needs:

Sincerely yours,

Charles (jGuard team).
I agree. Here's the link: