JavaRanch » Java Forums » Engineering » Security

Use JAAS for access control.

Matt Brown
I have a requirement for a web application that a user can have multiple roles, and a role defines the functional access and data access. For example, an Accounting role can access accounting functions and data, while an Engineering role can access engineering functions and data. An engineer user is only associated with the Engineering role and an accountant user is only associated with the Accounting role. A VP user is associated with both the Accounting and Engineering roles.

How should I use JAAS to meet the requirement? Does JAAS control access at the class and jar file level?


Ulf Dittmer
JAAS can be used for this, but it is involved to set up and use. Have you determined that web app security as used by the Servlet API (which also supports multiple roles per user) does not fit the requirements?
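What the Servlet-API route looks like when one user may hold several roles, as an added example that is not code from this thread: the container-level constraint rejects anyone holding neither role, and the servlet then uses isUserInRole() for each role separately so that a VP with both roles sees both data sets. The role names Accounting and Engineering come from the question; the servlet name, the /reports URL, the dept parameter and the report lists are assumptions made for this example. The realm that maps an authenticated user (for a CLIENT-CERT login, the certificate subject) to these roles is container configuration and is not shown.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example: Servlet-API security with one user in several roles.
 * Role names (Accounting, Engineering) come from the question; the servlet
 * name, URL, the "dept" parameter and the report lists are assumptions.
 * How the container maps a client certificate to these roles is realm
 * configuration (e.g. a JDBC or LDAP realm) and is not shown here.
 */
@DeclareRoles({ "Accounting", "Engineering" })
@WebServlet("/reports")
// Declarative check: the container answers 403 to any caller holding
// neither role before doGet() is ever reached.
@ServletSecurity(@HttpConstraint(rolesAllowed = { "Accounting", "Engineering" }))
public class ReportServlet extends HttpServlet {

    // Departments the application knows about; a role of the same name
    // grants access to that department's functions and data.
    private static final List<String> DEPARTMENTS =
            Arrays.asList("Accounting", "Engineering");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String dept = req.getParameter("dept");

        if (dept == null) {
            // No department requested: show everything the caller may see.
            // A VP holding both roles gets both lists; an engineer gets one.
            List<String> visible = new ArrayList<String>();
            for (String d : accessibleDepartments(req)) {
                visible.addAll(reportsFor(d));
            }
            render(resp, visible);
            return;
        }

        // Data-level check: the department name comes from the request, so
        // it is attacker-controlled. Validate it against the known list and
        // then require the matching role. Never derive the role from the
        // parameter itself.
        if (!DEPARTMENTS.contains(dept) || !req.isUserInRole(dept)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        render(resp, reportsFor(dept));
    }

    /** Every department whose role the authenticated user holds. */
    static List<String> accessibleDepartments(HttpServletRequest req) {
        List<String> result = new ArrayList<String>();
        for (String d : DEPARTMENTS) {
            if (req.isUserInRole(d)) {
                result.add(d);
            }
        }
        return result;
    }

    /** Stand-in for the real data store (constructed sample data). */
    private static List<String> reportsFor(String dept) {
        if ("Accounting".equals(dept)) {
            return Arrays.asList("Q1 ledger", "Payroll summary");
        }
        if ("Engineering".equals(dept)) {
            return Arrays.asList("Build status", "Defect trend");
        }
        return Collections.emptyList();
    }

    private static void render(HttpServletResponse resp, List<String> reports)
            throws IOException {
        resp.setContentType("text/plain");
        for (String r : reports) {
            resp.getWriter().println(r);
        }
    }
}
```

Two caveats a practitioner will hit: the declarative constraint covers only the URL patterns it names, so every path that exposes departmental data needs its own constraint (or a programmatic check like the one above), and if TLS is terminated at an SSL accelerator the container never sees the client certificate, so the accelerator has to pass the authenticated identity through in a way the container's realm trusts before isUserInRole() can return anything useful.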
Rahul Bhattacharjee
I think the J2EE web security infrastructure is sufficient for this.
I have used JAAS quite effectively for authentication, but faced a lot of trouble (in terms of complexity) for authorization.

I have a short note on JAAS. You might want to have a look.


Matt Brown
Originally posted by Rahul Bhattacharjee:
I think the J2EE web security infrastructure is sufficient for this.
I have used JAAS quite effectively for authentication, but faced a lot of trouble (in terms of complexity) for authorization.

I have a short note on JAAS. You might want to have a look.


We are not using the authentication part of JAAS because the users are using digital certs (not user id/password) to authenticate with a hardware device (e.g., an SSL accelerator). We are trying to use the authorization part of it.

I forgot to mention another requirement: all the roles and users must be created and managed through a UI so that a non-technical administrator can work on them. How do the policy files of JAAS fit here?