RBAC (Role based access)

Sirisha Reddy
Ranch Hand

Joined: Jun 09, 2003
Posts: 75
Hi
I am looking for pointers for ROLE Based authentication implementation for java-jsp/servlet architecture.

Currently there is a role based schema in an Oracle table and I am implementing security logic in J2EE application based on the schema, for diff users.

Looking for good documentation for access control architecture on server side.

Thanks for the help

Siri.


SCJP 1.4
Thomas Olausson
Greenhorn

Joined: Feb 08, 2003
Posts: 23
Is there any chance you can migrate this data to LDAP?
If you put users/roles in an LDAP server, such as OpenLDAP, Active Directory, or SecureWay, you can use the LDAP "User registry" in WebSphere App Server.

With web apps you control login with security entries in web.xml.
According to the J2EE spec:
http://java.sun.com/webservices/docs/1.3/tutorial/doc/Security4.html

In a servlet, you can do


In JSPs you can do similar, or use appropriate JSTL/struts tags.

There's a WAS overview here
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/welc_security.html

If you can't migrate to LDAP, you can write a Custom User Registry.
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/tsec_tbucs.html
That page has a sample with a file based user reg, but it shows you what interface you need to implement.

In your webpages and servlets, you would still be able to do isUserInRole()..., because this interface goes through the JAAS layer. It's transparent to the programmer.
If you later migrate to LDAP, you don't need to change apps, but rather how users/roles are stored.

A lot of developers (including me!) wrote their own "JAAS layers".
It's meaningless to run an app server and write these layers yourself.

Hope that helps,

Regards,
/Tom
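
The two mechanisms named in the reply above, as an added example that is not part of the original posts: a `web.xml` security constraint enforced by the container, plus a programmatic `isUserInRole()` check in a servlet. The class name `ReportServlet`, the role names `report-viewer` and `report-admin`, and the URL pattern are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declarative part, in WEB-INF/web.xml (names and pattern are assumptions):
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>reports</web-resource-name>
//       <url-pattern>/reports/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>report-viewer</role-name>
//       <role-name>report-admin</role-name>
//     </auth-constraint>
//   </security-constraint>
//   <login-config><auth-method>BASIC</auth-method></login-config>
//   <security-role><role-name>report-viewer</role-name></security-role>
//   <security-role><role-name>report-admin</role-name></security-role>
//
// The container authenticates against whatever user registry is configured
// (LDAP or a custom registry); the servlet only asks about roles.
public class ReportServlet extends HttpServlet {

    // Any role listed in the auth-constraint may read.
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("Reports for " + req.getRemoteUser());
    }

    // State-changing requests need the stronger role; check it in code
    // because the URL constraint above admits report-viewer as well.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Fail closed if the constraint was removed or the servlet remapped.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!req.isUserInRole("report-admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "report-admin role required");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Report updated by " + req.getRemoteUser());
    }
}
```
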
Charles GAY
Greenhorn

Joined: Jun 11, 2004
Posts: 18
Hi,
I think you should have a look at jGuard (http://sourceforge.net/projects/jguard).
This security framework enables a JAAS (RBAC principle) integration into a J2EE environment.
The upcoming 0.63 release (scheduled for the end of the week) will enable RBAC management through databases (Oracle, PostgreSQL or MySQL), for the authentication purpose.
The authorisation part through databases will come in the 0.64 release.
The authentication and authorisation parts can also be configured through XML files.

hope this helps,

charles gay(jGuard team).
 