J2EE and Database authorization

Nauman Hasan
Ranch Hand

Joined: Jul 27, 2005
Posts: 34
Hi all,

I am not sure if this is possible but is there a way that database level authorizations can be exposed to a Java/J2EE application? The particular situation is: I want to expose the existing security roles defined in Oracle to the J2EE application (WAS) such that we can conduct the authorization for CRUD operations on the database tables in the application (I realize that these would be duplicated in the database).

Could this be done through extending JAAS? I would think that it would make a difference if we were to have a generic username for db connections vs a username/password for each role.

Thank you for your help.

Nauman
Valentin Tanase
Ranch Hand

Joined: Feb 17, 2005
Posts: 704
Hi Hasan


I am not sure if this is possible but is there a way that database level authorizations can be exposed to a Java/J2EE application? The particular situation is: I want to expose the existing security roles defined in Oracle to the J2EE application (WAS) such that we can conduct the authorization for CRUD operations on the database tables in the application (I realize that these would be duplicated in the database).

Nice question though and I just feel like I should say something about it although I'm not a WAS expert :-) On the other hand I worked on quite a few security projects involving JAAS & weblogic and I believe that the answer to your question is probably no. Usually the container allows you to plug in different authentication and/or authorization strategies, based on user/groups/roles policies. Also the containers have several such default strategies, which are very convenient. For example weblogic (7.0 and higher) allows configuring LDAP authentication providers. I'd like you to bear with me for a moment and look at how this could be done, in order to understand the complexity of the problem:
  • The sysadmin needs to plug in the security realm. This basically enables weblogic to access the users and groups stored in LDAP (which is external to weblogic). And this should be the easy part :-)
  • Next the sysadmin must find a way to map the security policies defined in deployment descriptors (according to J2EE specifications) to the user/groups/roles maintained in LDAP (and accessed by the container). This is no easy task and mostly requires developing custom components (like RoleMappingProviders).


Following your requirements I would say that the first step is mostly not going to be doable: I personally don't believe that your container will "recognize" the implicit Oracle roles. As for the second one I don't really imagine doing this without writing specific components. Again only by reading the WAS documentation or asking the same question on a specialized WAS forum can you get a clear reply. I'm just answering you first because I feel the complexity of your problem, second I really like the subject and third because today I got a more relaxing day in the office and I just feel bored :-)

Bottom line is that this could be done but only by writing custom security providers that basically read the roles, users, groups from Oracle (or another configuration source) and map them to J2EE security policies. But if you follow this path you should ask the obvious question "and what for then?"

Regards.


I think, therefore I exist -- Rene Descartes
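
The kind of custom provider described in the reply above, as an added example that is not from the thread or from any product's own code: a JAAS LoginModule that connects to Oracle as the end user and turns the roles enabled in that session (Oracle's SESSION_ROLES view) into principals. The class name, the RolePrincipal type and the "jdbcUrl" module option are assumptions; it needs Java 16+ and the Oracle JDBC driver on the classpath.

```java
import java.io.IOException;
import java.security.Principal;
import java.sql.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical module: authenticates against Oracle and exposes the session's DB roles. */
public class OracleRoleLoginModule implements LoginModule {
    /** Hypothetical principal type carrying one Oracle role name. */
    public record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String jdbcUrl;                        // module option "jdbcUrl" (assumed name)
    private final Set<Principal> roles = new HashSet<>();

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h; jdbcUrl = (String) options.get("jdbcUrl");
    }

    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        char[] pw = pass.getPassword();
        // Connecting as the end user lets Oracle check the password and decide which roles are enabled.
        try (Connection c = DriverManager.getConnection(jdbcUrl, name.getName(), pw == null ? "" : new String(pw));
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT role FROM session_roles")) {
            while (rs.next()) roles.add(new RolePrincipal(rs.getString(1)));
            return true;
        } catch (SQLException e) {
            roles.clear();                         // never keep a partial role set
            throw new FailedLoginException("Oracle rejected the login");
        } finally { pass.clearPassword(); }
    }

    @Override public boolean commit() { subject.getPrincipals().addAll(roles); return true; }
    @Override public boolean abort()  { roles.clear(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(roles); roles.clear(); return true; }
}
```

This only works when each user has their own database account, not with a single generic connection username, and the container-specific step of mapping these principals to the roles named in the deployment descriptors still has to be done separately.
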
Nauman Hasan
Ranch Hand

Joined: Jul 27, 2005
Posts: 34
Thanks Valentin. I appreciate your comments; they have clarified things quite a bit for me.

This one is going back to the drawing board... I liked the idea about the complexity of the problem though and went looking for a product that addressed the requirements... I found jGuard; however, it is not clear to me (yet) what jGuard actually does. I will update here if I find it to be a good solution.

Thanks again,
Nauman
     