Authorization - best practice?

Per Lindberg
Ranch Hand

Joined: Jan 17, 2008
Posts: 48
In a large application with lots of different users and data, there is often a need to restrict what the users can see and do with the data.

The role-based authorization in JEE is nice, but I have the impression that it's not fine-grained enough. I want to have permissions (rights) like in SQL or a file system. For example "A grants B to do C on D". I can't see how EJB @RolesAllowed can be of any help for that.

So I guess that I need some sort of authorization framework. Do I really have to re-invent the wheel or is there a canonical framework that everybody uses for this?

Ankit Tripathi
Ranch Hand

Joined: Oct 17, 2009
Posts: 199
I think it is not possible to do so in Java.
Maybe a third-party implementation can help you...
Check this link. webpage
Per Lindberg
Ranch Hand

Joined: Jan 17, 2008
Posts: 48
Thanks for the tip, Ankit. But I doubt that JAAS is the solution here. Isn't it designed to authorize users to run certain code parts, not access certain data?

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42959
Are you looking for an API to use in the Java code, or something that works on a deeper level right in the DB?

You're right that the mechanisms Java comes with (EJB roles, web app roles, JAAS, etc.) can only protect code, not data. That's to be expected, though, since code is what the JVM deals with.

To a certain degree you could use DB approaches, like defining DB users along with appropriate rights and privileges. That still wouldn't help if data for several users is in a single table, though (unless all DB access happens through stored procedures, and the access checks are handled in those - that would still require code, though).
Per Lindberg
Ranch Hand

Joined: Jan 17, 2008
Posts: 48
The latter. As I said, I want to "restrict what the users can see and do with the data". More specifically, "I want to have permissions (rights) like in SQL or a file system".

I already have authenticated User objects, of course. Now I want to restrict them to see or change only some of the data. Users should be able to create data and set permissions for others on them.

Perhaps I could just make some subclasses of make them Entities in my JPA datastore, and run checks on those...? Or is there a canonical framework for implementing this kind of thing?
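
The "A grants B to do C on D" model asked about in this thread, as an added example that is not code from any poster or from an existing framework. The class names, the `Action` values and the in-memory store are assumptions (a JPA-backed version would persist the `Grant` rows as entities), and records require Java 16 or later.

```java
import java.util.*;

/** Added example: data-level ACL where grantor A grants grantee B an action C on resource D. */
public class AclDemo {
    enum Action { READ, WRITE, GRANT }

    // One row per grant; in a JPA store this would be an entity/table (assumption).
    record Grant(String grantor, String grantee, Action action, String resourceId) {}

    static class Acl {
        private final Map<String, String> owners = new HashMap<>(); // resourceId -> owner
        private final Set<Grant> grants = new HashSet<>();

        void create(String owner, String resourceId) {
            if (owners.putIfAbsent(resourceId, owner) != null)
                throw new IllegalStateException("resource exists: " + resourceId);
        }

        // Deny by default: only the owner or an explicit grant allows the action.
        boolean isAllowed(String user, Action action, String resourceId) {
            if (user.equals(owners.get(resourceId))) return true;
            return grants.stream().anyMatch(g -> g.grantee().equals(user)
                    && g.action() == action && g.resourceId().equals(resourceId));
        }

        // "A grants B to do C on D": A must own D or hold GRANT on D.
        void grant(String grantor, String grantee, Action action, String resourceId) {
            if (!isAllowed(grantor, Action.GRANT, resourceId))
                throw new SecurityException(grantor + " may not grant on " + resourceId);
            grants.add(new Grant(grantor, grantee, action, resourceId));
        }

        // Every read/write path calls this before touching the data.
        void require(String user, Action action, String resourceId) {
            if (!isAllowed(user, action, resourceId))
                throw new SecurityException(user + " denied " + action + " on " + resourceId);
        }
    }

    public static void main(String[] args) {
        Acl acl = new Acl();
        acl.create("alice", "report-1"); // constructed sample data
        acl.grant("alice", "bob", Action.READ, "report-1");
        System.out.println(acl.isAllowed("bob", Action.READ, "report-1"));
        System.out.println(acl.isAllowed("bob", Action.WRITE, "report-1"));
        try {
            acl.grant("bob", "carol", Action.READ, "report-1"); // bob holds READ, not GRANT
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```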

kritika das

Joined: Jun 17, 2011
Posts: 10
Thanks for this thread, I got some information that I needed. Thanks again to everyone.