In a large application with lots of different users and data, there is often need to restrict what the users can see and do with the data.
The role-based authorization in JEE is nice, but I have the impression that it's not fine-grained enough. I want to have permissions (rights) like in SQL or a file system. For example "A grants B to do C on D". I can't see how EJB @RolesAllowed can be of any help for that.
So I guess that I need some sort of authorization framework. Do I really have to re-invent the wheel or is there a canonical framework that everybody uses for this?
Are you looking for an API to use in the Java code, or something that works on a deeper level right in the DB?
You're right that the mechanisms Java comes with (EJB roles, web app roles, JAAS, etc.) can only protect code, not data. That's to be expected, though, since code is what the JVM deals with.
To a certian degree you could use DB approaches, like defining DB users along with appropriate rights and privileges. That still wouldn't help if data for several users is in a single table, though (unless all DB access happens through stored procedures, and the access checks are handled in those - that would still require code, though).
The latter. As I said, I want to "restrict what the users can see and do with the data". More specifically, "I want to have permissions (rights) like in SQL or a file system".
I already have authenticated User objects, of course. Now I want to restrict them to see or change only some of the data. Users should be able to create data and set permissions for others on them.
Perhaps I could just make some subclasses of java.security.Permission make them Entities in my JPA datastore, and runs checks on those...? Or is there a canonical framework for implementing this kind of thing?