
Authorization - best practice?

 
Per Lindberg
In a large application with lots of different users and data, there is often need to restrict what the users can see and do with the data.

The role-based authorization in JEE is nice, but I have the impression that it's not fine-grained enough. I want to have permissions (rights) like in SQL or a file system. For example "A grants B to do C on D". I can't see how EJB @RolesAllowed can be of any help for that.

So I guess that I need some sort of authorization framework. Do I really have to re-invent the wheel or is there a canonical framework that everybody uses for this?


 
Ankit Tripathi
I think it is not possible to do so in Java.
Maybe some third-party implementation can help you....
Check this link. webpage
 
Per Lindberg
Thanks for the tip, Ankit. But I doubt that JAAS is the solution here. Isn't it designed to authorize users to run certain code parts, not access certain data?

 
Ulf Dittmer
Are you looking for an API to use in the Java code, or something that works on a deeper level right in the DB?

You're right that the mechanisms Java comes with (EJB roles, web app roles, JAAS, etc.) can only protect code, not data. That's to be expected, though, since code is what the JVM deals with.

To a certain degree you could use DB approaches, like defining DB users along with appropriate rights and privileges. That still wouldn't help if data for several users is in a single table, though (unless all DB access happens through stored procedures, and the access checks are handled in those - that would still require code, though).
 
Per Lindberg
The latter. As I said, I want to "restrict what the users can see and do with the data". More specifically, "I want to have permissions (rights) like in SQL or a file system".

I already have authenticated User objects, of course. Now I want to restrict them to see or change only some of the data. Users should be able to create data and set permissions for others on them.

Perhaps I could just make some subclasses of java.security.Permission, make them Entities in my JPA datastore, and run checks on those...? Or is there a canonical framework for implementing this kind of thing?

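The "A grants B to do C on D" model from the question, sketched as an added example that is not code from this thread: access-control entries are stored as plain objects here (in Per's design they would be JPA entities), lookups deny by default, the resource owner implicitly holds every right, and a user may delegate only if they themselves hold GRANT on that resource. Names like `AclExample`, `Ace` and the users/resources are made up for illustration.

```java
import java.util.*;

// Added illustration, not from the thread: an ACL-style permission check.
// Each Ace records that `grantor` gave `grantee` the right `action` on `resource`.
final class AclExample {
    enum Action { READ, WRITE, GRANT }

    record Ace(String grantor, String grantee, Action action, String resource) {}

    private final Map<String, String> ownerOf = new HashMap<>(); // resource -> owner
    private final List<Ace> acl = new ArrayList<>();             // would be a JPA table

    // Creating a resource makes the creator its owner.
    void create(String user, String resource) { ownerOf.put(resource, user); }

    // Deny by default: the owner may do anything; everyone else only what an Ace allows.
    boolean isAllowed(String user, Action action, String resource) {
        if (user.equals(ownerOf.get(resource))) return true;
        for (Ace ace : acl) {
            if (ace.grantee().equals(user)
                    && ace.resource().equals(resource)
                    && ace.action() == action) {
                return true;
            }
        }
        return false;
    }

    // A grant is itself an authorized operation: the grantor must hold GRANT on the resource,
    // so a user who was only given READ cannot pass READ on to a third party.
    boolean grant(String grantor, String grantee, Action action, String resource) {
        if (!isAllowed(grantor, Action.GRANT, resource)) return false;
        acl.add(new Ace(grantor, grantee, action, resource));
        return true;
    }

    public static void main(String[] args) {
        AclExample svc = new AclExample();
        svc.create("alice", "doc-1");                                   // alice owns doc-1
        System.out.println(svc.isAllowed("bob", Action.READ, "doc-1")); // nothing granted yet
        svc.grant("alice", "bob", Action.READ, "doc-1");                // owner delegates READ
        System.out.println(svc.isAllowed("bob", Action.READ, "doc-1")); // now permitted
        System.out.println(svc.grant("bob", "carol", Action.READ, "doc-1")); // bob lacks GRANT
    }
}
```

The check belongs in the service layer in front of every data access, not only in the UI, so that the deny-by-default rule cannot be bypassed by calling the data layer directly.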
 
kritika das
Thanks for this thread, I got some information that I needed. Thanks again to everyone.
 