JAAS to implement class level or method level Authorization in a Desktop App
Vivek K Gupta
Joined: Oct 24, 2009
I am a student and I am trying to develop a role-based Java desktop application for my project using Aspect Oriented Programming (AspectJ). After doing some research, I found that JAAS provides user-based authorization. I have gone through some of the online materials and have successfully managed to get the authentication bit working. The application so far asks for a username and password (using Sun's DialogCallbackHandler) and validates it against the username and password stored in a database (I had to implement a new login module to add this functionality, as this is not provided by Sun's existing login modules).
Now JAAS supports Principal-based authorization and I am trying to implement class- as well as method-based authorization. In my application, I will have a class Student which is a GUI form (with various other GUI classes) which retrieves information on students present in the database. Now, not every user should be able to view student records, i.e., in one way, should not be able to create an instance of the class Student. Again, if a user can view records then he/she may be allowed only to view the records and not update or delete any of them, i.e., methods such as update or delete will not be accessible to the user. As of now I am struggling to implement class-based authorization and need some help with this. Once I can get this working then I can focus on method-level authorization.
Could anyone give me some pointers on what I need to do in order to implement class- or method-level authorization (whichever is easier), or any resource which might help me with this?
Please remember that this is a desktop application and not web application.
Looking forward to your reply.
Many Thanks for your help.
Joined: Mar 22, 2005
Welcome to JavaRanch.
I'm not certain that class-based or method-based authorization makes much sense. While there are sure to be some classes/methods that should only be called for users with particular privileges, it's more common that a given class/method handles all users and makes explicit distinctions in the code based on the user Principal.
If nonetheless you want to prevent some methods from being entered at all, then that can probably be accomplished using AspectJ with "before" advice that throws an exception if a non-privileged user is running the app. The Principal would need to be passed to the method in question, though, so that the advice method has access to it.
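As an added illustration of the "before" advice approach (example code written for this thread, not from either poster), the aspect below guards the Student form's constructor with a class-level check and its update/delete methods with a method-level check, reading roles from the JAAS Subject. The RolePrincipal type, the CurrentSubject holder (where the app would store loginContext.getSubject() after login) and the role names VIEWER/EDITOR are assumptions; instead of passing the Principal into each method, the advice looks it up from that holder.

```java
import java.security.Principal;
import java.util.Objects;
import javax.security.auth.Subject;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;

// Hypothetical role Principal that the custom login module adds to the Subject in commit().
final class RolePrincipal implements Principal {
    private final String role;
    RolePrincipal(String role) { this.role = Objects.requireNonNull(role); }
    @Override public String getName() { return role; }
    @Override public boolean equals(Object o) {
        return o instanceof RolePrincipal && role.equals(((RolePrincipal) o).role);
    }
    @Override public int hashCode() { return role.hashCode(); }
}

// Hypothetical holder: the app calls CurrentSubject.set(loginContext.getSubject()) after login() succeeds.
final class CurrentSubject {
    private static volatile Subject subject;
    static void set(Subject s) { subject = s; }
    static Subject get() { return subject; }
}

@Aspect
public class StudentAuthorizationAspect {

    // Class-level check: executing any constructor of Student requires the VIEWER role.
    // execution() weaves the check into Student itself, so every caller is covered.
    @Before("execution(Student.new(..))")
    public void checkView(JoinPoint jp) { require("VIEWER", jp); }

    // Method-level check: update and delete additionally require the EDITOR role.
    @Before("execution(* Student.update(..)) || execution(* Student.delete(..))")
    public void checkEdit(JoinPoint jp) { require("EDITOR", jp); }

    private static void require(String role, JoinPoint jp) {
        Subject subject = CurrentSubject.get();
        if (subject == null) {
            throw new SecurityException("not logged in: " + jp.getSignature());
        }
        // Subject.getPrincipals(Class) returns only the principals of that type.
        if (!subject.getPrincipals(RolePrincipal.class).contains(new RolePrincipal(role))) {
            throw new SecurityException("role " + role + " required for " + jp.getSignature());
        }
    }
}
```

Compile the aspect together with Student using ajc (or load-time weaving); a caller without the required role then gets a SecurityException before the constructor or method body runs.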