In a large application with lots of different users and data, there is often need to restrict what the users can see and do with the data.
The role-based authorization in JEE is nice, but I have the impression that it's not fine-grained enough. I want to have permissions (rights) like in SQL or a file system. For example "A grants B to do C on D". I can't see how EJB @RolesAllowed can be of any help for that.
So I guess that I need some sort of authorization framework. Do I really have to re-invent the wheel or is there a canonical framework that everybody uses for this?
Joined: Oct 17, 2009
I think it is not possible to do so in java.
Maybe a third-party implementation can help you.
Check this link. webpage
Joined: Jan 17, 2008
Thanks for the tip, Ankit. But I doubt that JAAS is the solution here. Isn't it designed to authorize users to run certain code parts, not access certain data?
Joined: Mar 22, 2005
Are you looking for an API to use in the Java code, or something that works on a deeper level right in the DB?
You're right that the mechanisms Java comes with (EJB roles, web app roles, JAAS, etc.) can only protect code, not data. That's to be expected, though, since code is what the JVM deals with.
To a certain degree you could use DB approaches, like defining DB users along with appropriate rights and privileges. That still wouldn't help if data for several users is in a single table, though (unless all DB access happens through stored procedures, and the access checks are handled in those - that would still require code, though).
The latter. As I said, I want to "restrict what the users can see and do with the data". More specifically, "I want to have permissions (rights) like in SQL or a file system".
I already have authenticated User objects, of course. Now I want to restrict them to see or change only some of the data. Users should be able to create data and set permissions for others on them.
Perhaps I could just make some subclasses of java.security.Permission, make them Entities in my JPA datastore, and run checks on those...? Or is there a canonical framework for implementing this kind of thing?
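As an added illustration of the "A grants B to do C on D" model the thread is asking about (this is example code written for this page, not something posted in the thread or taken from a framework): a small ACL where each grant names a grantee, an action and a resource id, the creator of a resource owns it, and delegation is itself a checked action. All class, method and user names are hypothetical; in a real application the `Grant` records would be JPA entities and the checks would run in the service layer before any data is returned. Java 16 or later is assumed for the record syntax.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical data-level ACL: per-resource permissions rather than the
// per-method roles that @RolesAllowed gives you.
public class DataAcl {
    enum Action { READ, WRITE, GRANT }

    // One grant row: grantee may perform action on the resource.
    record Grant(String grantee, Action action, String resource) {}

    private final Map<String, String> owners = new HashMap<>(); // resource -> owner
    private final Set<Grant> grants = new HashSet<>();

    // The creator of a resource becomes its owner and implicitly holds
    // every action on it.
    public void create(String user, String resource) {
        if (owners.putIfAbsent(resource, user) != null) {
            throw new IllegalStateException("resource already exists: " + resource);
        }
    }

    // The single check every data access should go through.
    public boolean isAllowed(String user, Action action, String resource) {
        if (user.equals(owners.get(resource))) {
            return true;
        }
        return grants.contains(new Grant(user, action, resource));
    }

    // "grantor grants grantee action on resource". Only the owner or a
    // holder of GRANT may delegate, and GRANT itself can only be handed
    // out by the owner, so rights cannot spread without the owner's say.
    public void grant(String grantor, String grantee, Action action, String resource) {
        boolean owner = grantor.equals(owners.get(resource));
        if (!owner && !isAllowed(grantor, Action.GRANT, resource)) {
            throw new SecurityException(grantor + " may not grant rights on " + resource);
        }
        if (action == Action.GRANT && !owner) {
            throw new SecurityException("only the owner may delegate GRANT on " + resource);
        }
        grants.add(new Grant(grantee, action, resource));
    }

    // Revocation is guarded by the same rule as granting.
    public void revoke(String revoker, String grantee, Action action, String resource) {
        boolean owner = revoker.equals(owners.get(resource));
        if (!owner && !isAllowed(revoker, Action.GRANT, resource)) {
            throw new SecurityException(revoker + " may not revoke rights on " + resource);
        }
        grants.remove(new Grant(grantee, action, resource));
    }

    // Guarded read: the check happens before the data leaves the store.
    public String read(String user, String resource, Map<String, String> store) {
        if (!isAllowed(user, Action.READ, resource)) {
            throw new SecurityException(user + " may not read " + resource);
        }
        return store.get(resource);
    }

    public static void main(String[] args) {
        Map<String, String> store = new HashMap<>(); // constructed sample data
        store.put("doc-42", "quarterly figures");

        DataAcl acl = new DataAcl();
        acl.create("alice", "doc-42");                    // alice owns doc-42
        acl.grant("alice", "bob", Action.READ, "doc-42"); // alice grants bob READ on doc-42

        System.out.println("bob reads: " + acl.read("bob", "doc-42", store));
        System.out.println("bob may write: " + acl.isAllowed("bob", Action.WRITE, "doc-42"));

        try {
            acl.grant("bob", "carol", Action.READ, "doc-42"); // bob holds READ only, not GRANT
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }

        acl.grant("alice", "bob", Action.GRANT, "doc-42"); // owner delegates GRANT to bob
        acl.grant("bob", "carol", Action.READ, "doc-42");  // now bob may pass READ on
        System.out.println("carol may read: " + acl.isAllowed("carol", Action.READ, "doc-42"));

        acl.revoke("alice", "carol", Action.READ, "doc-42");
        System.out.println("carol may read after revoke: " + acl.isAllowed("carol", Action.READ, "doc-42"));
    }
}
```

Two points the toy version glosses over but a real implementation must settle: every read path (including list queries) has to go through the check, which in JPA usually means joining the grant table into the query rather than loading rows and filtering in memory; and the grant table is itself protected data, so the `grant`/`revoke` guards above are what stops a user with READ from quietly promoting themselves.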
Joined: Jun 17, 2011
Thanks for this thread, I got some information that I needed. Thanks again to everyone.