*
The moose likes Security and the fly likes Fine grained access control Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "Fine grained access control" Watch "Fine grained access control" New topic
Author

Fine grained access control

Robin Wilson
Greenhorn

Joined: May 10, 2006
Posts: 22
In a typical access control model (ie. JAAS), access to an "object" or functions is controlled. I have a need to control access based on the properties of the requested/returned data, and the attributes of the user (Principal/Subject) making the request. For example:

User_A can access Application_A, and perform all functions contained in that application. However, if User_A requests data that contains his own "Customer Number", he is not allowed to change the data, nor even access the data.

A real-world example of this would be a representative of a credit card processing company can normally process credit card transactions, but if the transaction is for his own card number, he can't process those transactions because there would be a conflict of interest.

Now, if the user's "Subject" contains a list of credit cards that the representative personally "owns", any request for a new transaction could compare the Subject's "owned cards" against the card number from the transaction data, and deny access for that card.

There are 2 possible scenarios for managing this as an access control issue:

1) The card number of the transaction is part of the request from
the application when the user asks to process a new transaction.
In this case, the request could be denied before any data is
collected to respond to the request. (Call this a "pre-eval" for
access control.)

2) The card number of the transaction isn't known until after the
data is being collected for the response. The request is based on
some other attribute of the transaction (e.g. trans number), so
the request doesn't even know what the card number is. (Call this
a "post-eval" for access control.)

So, the question is... "What are my options for implementing such a solution?" Is there a standard already in existence (XACML, SAML, etc.) that provides this level of fine-grained access control automatically, or do I have to build this from scratch?

In the past, I have implemented such features by embedding fine-grained access control logic in the application's business logic. I'd like to abstract this (the same way that JAAS abstracts role-based access controls) from the application entirely - so that the container can be configured to manage fine-grained access control policies, without modifying the application logic...


--<br />Robin D. Wilson
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: Fine grained access control
 
Similar Threads
My SCEA Part 1Study Notes
Passed Part One with 87%
Login/customer account topic questions
Mr.Kyte, could you introduce a little about your book?
Can only return type Iterable from DataStore