Java EE 6 Cookbook - Role based security ?

 
Ranch Hand
Posts: 572
2
Hi,
Does the book talk about how to implement role-based security in a dynamic manner?
Most books I see simply reiterate the standard JAAS method of creating roles in the web config.

I've used database-driven roles (i.e. the user's role is defined in a table in a database; they log in and that determines their role in the app).
I'm told this is bad, but JAAS doesn't seem to allow dynamic user creation and role allocation, such as an admin might do when adding a new user to a system.

Thanks,
Paul
 
author
Posts: 37

paul nisset wrote: Hi,
Does the book talk about how to implement role-based security in a dynamic manner?
Most books I see simply reiterate the standard JAAS method of creating roles in the web config.

I've used database-driven roles (i.e. the user's role is defined in a table in a database; they log in and that determines their role in the app).
I'm told this is bad, but JAAS doesn't seem to allow dynamic user creation and role allocation, such as an admin might do when adding a new user to a system.

Thanks,
Paul


I talk a bit about role-based security but do not go into depth on DB, LDAP, etc. for those roles.
Most of the recipes take a different view on what security to teach. So I wanted to go into detail about the types of security exploits facing Java EE and mobile applications, such as XSS, SQL injection, decompilation, etc.
I talk about several applications that are available to perform security audits on applications, such as Skipfish, L0phtCrack and WebSlayer, just to name a few.

This subject actually really scared me as to what is available to would-be exploiters. This gives great insight into things that every developer should be concerned with.

 
Sheriff
Posts: 10445
227

paul nisset wrote:
I've used database-driven roles (i.e. the user's role is defined in a table in a database; they log in and that determines their role in the app).
I'm told this is bad.


I'm curious - why is it considered bad?
 
paul nisset
Ranch Hand
Posts: 572
2

.... as to what is available to would-be exploiters. This gives great insight as to things that every developer should be concerned with.



Sounds like it.
While not exactly what I was asking about, still very useful stuff.

Thanks,
Paul
 
paul nisset
Ranch Hand
Posts: 572
2
Hi Jaikiran,

This is my interpretation.

Suppose I only want an administrator to have access to the page "fileimporter.jsp"

Consider the following code from the web.xml file:


It limits access to the page to the role "Admin", which is defined at the application level. Elsewhere in the config, the role "admin" is tied to a Principal that the person has to log in as.
This is all handled without ever touching a database.

The application will check at the application level via JAAS whether the current user has been authorized as being in the role "admin".
The database is never touched. The application will not serve up fileimporter.jsp unless JAAS says "yes, this person is currently in the admin role".

Doing it via a database, the page isn't necessarily filtered to not be served. A servlet has to check a session variable that is set via a DB query and passed around the application.
There is more opportunity for it to be hacked.

-Paul
 
Jaikiran Pai
Sheriff
Posts: 10445
227

Doing it via a database, the page isn't necessarily filtered to not be served. A servlet has to check a session variable that is set via a DB query and passed around the application.
There is more opportunity for it to be hacked.


JAAS can be backed by a database store, and using a database store doesn't mean that you are bypassing JAAS. There won't be any changes to the web.xml that you posted if you used a database to store the role information. You can configure your JAAS login module(s) to use a database store to check the authorization information. There's no need for a session variable to be set up.
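
What a database-backed JAAS login module looks like, as an added example (this is not code from the book, from anyone in this thread, or from any container vendor): the module authenticates against a USERS table and reads the user's roles from a USER_ROLES table at login time, so the security-constraint in web.xml keeps naming the role "admin" and an administrator adds a user or changes a role by inserting rows, not by redeploying. Everything about the store is an assumption: the JNDI name java:comp/env/jdbc/AuthDS, the table layout, PBKDF2-hashed passwords with a per-user salt, and the placeholder UserPrincipal/RolePrincipal classes. How a container maps role principals to Java EE roles, and how it is told to use this module as its realm, is container-specific and not shown here.

```java
package example.auth; // hypothetical package name

import java.security.MessageDigest;
import java.security.Principal;
import java.sql.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.sql.DataSource;

/** JAAS LoginModule whose credentials and roles live in database tables (assumed schema:
 *  USERS(username, password_hash, salt) and USER_ROLES(username, role)). */
public class DatabaseLoginModule implements LoginModule {
    private static final String DS_JNDI = "java:comp/env/jdbc/AuthDS"; // hypothetical DataSource name

    // Placeholder principals; a real container needs its own principal/group classes
    // before these are seen as Java EE roles by the security-constraint check.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private final Set<String> roles = new HashSet<String>();
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (Exception e) {
            throw new LoginException("callback handling failed");
        }
        String user = nameCb.getName();
        char[] password = passCb.getPassword(); // getPassword() returns a copy; wipe it below
        passCb.clearPassword();
        if (user == null || password == null) throw new FailedLoginException("bad credentials");
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(DS_JNDI);
            try (Connection c = ds.getConnection()) {
                // Parameterised query: the username never becomes part of the SQL text.
                try (PreparedStatement ps = c.prepareStatement(
                        "SELECT password_hash, salt FROM USERS WHERE username = ?")) {
                    ps.setString(1, user);
                    try (ResultSet rs = ps.executeQuery()) {
                        // Same failure for unknown user and wrong password: no username enumeration.
                        if (!rs.next() || !verify(password, rs.getBytes("salt"), rs.getBytes("password_hash")))
                            throw new FailedLoginException("bad credentials");
                    }
                }
                // Roles are read on every login, so a row added to USER_ROLES takes effect
                // the next time that user logs in; web.xml is untouched.
                try (PreparedStatement ps = c.prepareStatement(
                        "SELECT role FROM USER_ROLES WHERE username = ?")) {
                    ps.setString(1, user);
                    try (ResultSet rs = ps.executeQuery()) {
                        while (rs.next()) roles.add(rs.getString("role"));
                    }
                }
            }
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            throw new LoginException("authentication store unavailable");
        } finally {
            Arrays.fill(password, '\0');
        }
        username = user;
        succeeded = true;
        return true;
    }

    /** PBKDF2 check with a constant-time comparison; the stored hash must use the same parameters. */
    private static boolean verify(char[] password, byte[] salt, byte[] expected) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100000, expected.length * 8);
        byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return MessageDigest.isEqual(actual, expected);
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new UserPrincipal(username));
        for (String r : roles) subject.getPrincipals().add(new RolePrincipal(r));
        return true;
    }

    @Override public boolean abort() { roles.clear(); succeeded = false; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); roles.clear(); succeeded = false; return true; }
}
```

The point of the split between login() and commit() is that the container still decides access: the security-constraint in web.xml is enforced by the container against the principals this module puts on the Subject, so there is no session variable for a servlet to forget to check. The module is the only place the database is consulted.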
 
paul nisset
Ranch Hand
Posts: 572
2
Hi Jaikiran,
Sorry if you (or anybody) got my duplicate post earlier today.

JAAS can be backed by a database store and using a database store doesn't mean that you are bypassing JAAS.



Thanks for the info. This is something I will look into.

-Paul
 