
Fine grained access control

Robin Wilson
Greenhorn

Joined: May 10, 2006
Posts: 22
In a typical access control model (i.e. JAAS), access to an "object" or functions is controlled. I have a need to control access based on the properties of the requested/returned data, and the attributes of the user (Principal/Subject) making the request. For example:

User_A can access Application_A, and perform all functions contained in that application. However, if User_A requests data that contains his own "Customer Number", he is not allowed to change the data, nor even access the data.

A real-world example of this would be a representative of a credit card processing company who can normally process credit card transactions, but if the transaction is for his own card number, he can't process those transactions because there would be a conflict of interest.

Now, if the user's "Subject" contains a list of credit cards that the representative personally "owns", any request for a new transaction could compare the Subject's "owned cards" against the card number from the transaction data, and deny access for that card.

There are 2 possible scenarios for managing this as an access control issue:

1) The card number of the transaction is part of the request from
the application when the user asks to process a new transaction.
In this case, the request could be denied before any data is
collected to respond to the request. (Call this a "pre-eval" for
access control.)

2) The card number of the transaction isn't known until after the
data is being collected for the response. The request is based on
some other attribute of the transaction (e.g. trans number), so
the request doesn't even know what the card number is. (Call this
a "post-eval" for access control.)

So, the question is... "What are my options for implementing such a solution?" Is there a standard already in existence (XACML, SAML, etc.) that provides this level of fine-grained access control automatically, or do I have to build this from scratch?

In the past, I have implemented such features by embedding fine-grained access control logic in the application's business logic. I'd like to abstract this (the same way that JAAS abstracts role-based access controls) from the application entirely - so that the container can be configured to manage fine-grained access control policies, without modifying the application logic...


--
Robin D. Wilson
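The two decision points described in the post above ("pre-eval" and "post-eval"), as an added example that is not part of the original post and does not use any JAAS or XACML API. The names `Caller`, `Transaction`, `permitted`, `processNew` and `fetch` are hypothetical, and the card numbers are constructed sample data.

```java
import java.util.*;

// Added illustration: every type and method name here is hypothetical.
public class OwnedCardPolicyDemo {
    record Caller(String name, Set<String> ownedCards) {}
    record Transaction(String id, String cardNumber) {}

    // The rule lives in one place, outside the business methods:
    // a caller may not touch a card that he personally owns.
    static boolean permitted(Caller c, String cardNumber) {
        return !c.ownedCards().contains(cardNumber);
    }

    // Scenario 1 ("pre-eval"): the card number is part of the request,
    // so the decision is made before any data is collected.
    static Transaction processNew(Caller c, String cardNumber) {
        if (!permitted(c, cardNumber)) throw new SecurityException("conflict of interest");
        return new Transaction(UUID.randomUUID().toString(), cardNumber);
    }

    // Scenario 2 ("post-eval"): the request carries only a transaction number,
    // so the decision runs on the loaded record before it is returned.
    static Transaction fetch(Caller c, String transId, Map<String, Transaction> store) {
        Transaction t = store.get(transId);
        if (t == null) throw new NoSuchElementException(transId);
        if (!permitted(c, t.cardNumber())) throw new SecurityException("conflict of interest");
        return t;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        String own = "4111-0000-0000-0001", other = "4111-0000-0000-0002";
        Caller rep = new Caller("User_A", Set.of(own));
        Map<String, Transaction> store = Map.of(
            "T1", new Transaction("T1", own),
            "T2", new Transaction("T2", other));

        System.out.println("permitted: " + processNew(rep, other).cardNumber());
        System.out.println("permitted: " + fetch(rep, "T2", store).id());
        List<Runnable> denied = List.of(() -> processNew(rep, own), () -> fetch(rep, "T1", store));
        for (Runnable r : denied) {
            try { r.run(); System.out.println("unexpected permit"); }
            catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        }
    }
}
```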
 