Hello, I am using JAAS in my web application. I have managed the authentication part well. For authorisation, I have used the policy files on the file system. However, the requirement is that the policy be database driven. The policies decide which user group has what permission. Are there any examples to implement the same? Thanks, Chaitanya
Hi Chaitanya, I take it you decided the form-based login approach is insufficient for your needs. I came to the same conclusion and used JAAS for authentication too. Once you perform your own authentication, you disable the web container's ability to perform declarative access control, and must do everything yourself (unless you programmatically create the same login token used by said container and stuff it into a cookie/URL rewrite). I know in WebSphere that once you try to introduce an RDBMS-based permission scheme, you are on your own. I assume other containers are similar. Given this, my plan is to have a base action class (I'm using Struts; use a front controller or filter otherwise) that will enforce that each request contains an authenticated user (if the resource is protected), and verify their role is allowed to access it (via DB lookup, etc.). The problem I have is how to define which resources are protected. Perhaps I will use an XML file with a format similar to web.xml; or perhaps each action should be stored in the DB and a join between the user/role/action tables would determine access. What do you think? Let's brainstorm together... --Dave.
Sorry - I said base action class when I meant to say base action servlet. This servlet is registered in web.xml and delegates to the standard struts impl once access control is enforced.
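One way to put the filter-plus-join idea from Dave's two posts into code, as an added example that is not code from either poster: a servlet Filter that asks the database whether the requested path is protected and, if so, whether the logged-in user's roles grant the action it requires. The table layout (resources, user_roles, role_actions), the JNDI datasource name and the session attribute holding the JAAS principal are all assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import java.sql.*;
import javax.naming.InitialContext;
import javax.servlet.*;        // jakarta.servlet.* on Servlet 5+ containers
import javax.servlet.http.*;
import javax.sql.DataSource;
/** Deny-by-default filter mapped in web.xml ahead of the Struts action servlet.
 *  Assumed schema: resources(path, action), user_roles(username, role_id),
 *  role_actions(role_id, action). Paths absent from resources are public. */
public class DbAccessControlFilter implements Filter {
    private static final String DS_NAME = "java:comp/env/jdbc/AuthzDS"; // hypothetical JNDI name
    private static final String IS_PROTECTED = "SELECT 1 FROM resources WHERE path = ?";
    private static final String HAS_PERMISSION =
        "SELECT 1 FROM resources r JOIN role_actions ra ON ra.action = r.action "
      + "JOIN user_roles ur ON ur.role_id = ra.role_id WHERE r.path = ? AND ur.username = ?";
    private DataSource ds;
    public void init(FilterConfig cfg) throws ServletException {
        try { ds = (DataSource) new InitialContext().lookup(DS_NAME); }
        catch (Exception e) { throw new ServletException("authz datasource lookup failed", e); }
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse s = (HttpServletResponse) res;
        String path = r.getServletPath();   // e.g. "/admin/deleteUser.do"; query string excluded
        HttpSession session = r.getSession(false);
        // Principal stored in the session by the JAAS login step (attribute name is assumed).
        Principal user = session == null ? null : (Principal) session.getAttribute("jaas.principal");
        boolean allowed;
        try (Connection c = ds.getConnection()) {
            if (!exists(c, IS_PROTECTED, path)) allowed = true;                 // public resource
            else if (user == null) { s.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            else allowed = exists(c, HAS_PERMISSION, path, user.getName());      // role -> action
        } catch (SQLException e) {
            throw new ServletException("authz lookup failed", e);   // fail closed, never fall through
        }
        if (!allowed) { s.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        chain.doFilter(req, res);
    }
    private static boolean exists(Connection c, String sql, String... args) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            // Path and user name come from the request: bind them, never concatenate into SQL.
            for (int i = 0; i < args.length; i++) ps.setString(i + 1, args[i]);
            try (ResultSet rs = ps.executeQuery()) { return rs.next(); }
        }
    }
    public void destroy() {}
}
```

Matching on the exact servlet path means every alias of a protected resource (different case, extra path info, alternate mappings) needs its own row, so canonicalise the path before the lookup or the check is only as complete as the resources table.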