I have a requirement for a web application that a user can have multiple roles, and a role defines the functional access and data access. For example, an Accounting role can access accounting functions and data, while an Engineering role can access engineering functions and data. An engineer user is only associated with the Engineering role, and an accountant user is only associated with the Accounting role. A VP user is associated with both the Accounting and Engineering roles.
How should I use JAAS to meet the requirement? Does JAAS control access at the class and jar file level?
"I just use my muscles as a conversation piece, like someone walking a cheetah down 42nd Street." - Arnold Schwarzenegger
JAAS can be used for this, but it is involved to set up and use. Have you determined that web app security as used by the Servlet API (which also supports multiple roles per user) does not fit the requirements?
Originally posted by Rahul Bhattacharjee: I think the J2EE web security infrastructure is sufficient for this. I have used JAAS quite effectively for authentication, but faced a lot of trouble (in terms of complexity) for authorization.
We are not using the authentication part of JAAS because the users are using digital certs (not the user id/password) to authenticate with a hardware device (e.g., an SSL accelerator). We are trying to use the authorization part of it.
I forgot to mention another requirement: all the roles and users must be created and managed with a UI, to allow a non-technical administrator to work on it. How do the policy files of JAAS fit here?
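To make concrete what JAAS authorization looks like for the multi-role case raised above (an engineer with one role, a VP with both) and why the policy-file question matters, here is an added example; it is not code from any poster. The `RolePrincipal` and `FunctionPermission` classes, the `roles.policy` contents and the command line are all assumptions made for this illustration, and it assumes a JDK on which the SecurityManager still runs (it was deprecated in Java 17 and disabled by default from Java 18).

```java
// RoleDemo.java (default package). Constructed example. Run with:
//   javac RoleDemo.java
//   java -Djava.security.manager -Djava.security.policy=roles.policy RoleDemo
// roles.policy (constructed; note that role changes mean editing this file,
// which is what an admin UI would have to regenerate and reload):
//   grant { permission javax.security.auth.AuthPermission "doAsPrivileged"; };
//   grant principal RolePrincipal "Accounting"  { permission FunctionPermission "accounting"; };
//   grant principal RolePrincipal "Engineering" { permission FunctionPermission "engineering"; };
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical principal whose name is the role (Accounting, Engineering).
final class RolePrincipal implements Principal, java.io.Serializable {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public boolean equals(Object o) {
        return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
    }
    public int hashCode() { return name.hashCode(); }
}

// Hypothetical permission naming a functional area, e.g. "accounting".
final class FunctionPermission extends BasicPermission {
    FunctionPermission(String name) { super(name); }
}

public class RoleDemo {
    // A Subject carries one RolePrincipal per role; the policy grants the union.
    static Subject userWithRoles(String... roles) {
        Set<Principal> principals = new HashSet<Principal>();
        for (String r : roles) principals.add(new RolePrincipal(r));
        return new Subject(true, principals, new HashSet<Object>(), new HashSet<Object>());
    }
    // Ask the installed Policy whether this Subject may use the named function.
    static boolean canAccess(Subject user, final String function) {
        return Subject.doAsPrivileged(user, new PrivilegedAction<Boolean>() {
            public Boolean run() {
                try { AccessController.checkPermission(new FunctionPermission(function)); return true; }
                catch (SecurityException denied) { return false; }
            }
        }, null);
    }
    public static void main(String[] args) {
        Subject engineer = userWithRoles("Engineering");
        Subject vp = userWithRoles("Accounting", "Engineering");
        System.out.println("engineer -> accounting: " + canAccess(engineer, "accounting"));
        System.out.println("vp -> accounting: " + canAccess(vp, "accounting"));
        System.out.println("vp -> engineering: " + canAccess(vp, "engineering"));
    }
}
```

Because the decision comes from the Policy rather than from application code, the authorization data has to live wherever that Policy reads it; with the default file-based Policy, an admin UI would have to rewrite the file and call `Policy.getPolicy().refresh()`, whereas a custom `java.security.Policy` subclass could read the same role-to-permission mapping from a database the UI edits directly.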