
Java EE 6 Cookbook - Role based security ?

 
paul nisset
Ranch Hand
Hi,
Does the book talk about how to implement role-based security in a dynamic manner?
Most books I see simply reiterate the standard JAAS method of creating roles in the web config.

I've used database-driven roles (i.e. the user's role is defined in a table in a database; they log in and that determines their role in the app).
I'm told this is bad, but JAAS doesn't seem to allow dynamic user creation and role allocation such as an admin might do when adding a new user to a system.

Thanks,
Paul
 
Mick Knutson
author
Ranch Hand
paul nisset wrote:
Hi,
Does the book talk about how to implement role-based security in a dynamic manner?
Most books I see simply reiterate the standard JAAS method of creating roles in the web config.

I've used database-driven roles (i.e. the user's role is defined in a table in a database; they log in and that determines their role in the app).
I'm told this is bad, but JAAS doesn't seem to allow dynamic user creation and role allocation such as an admin might do when adding a new user to a system.

Thanks,
Paul

I talk a bit about role-based security but do not go into depth on DB, LDAP etc. for those roles.
Most of the recipes take a different view on what security to teach. So I wanted to go into details about the types of security exploits facing Java EE and mobile applications, such as XSS, SQL injection, decompilation etc.
I talk about several applications that are available to perform security audits on applications, such as SkipFish, L0phtCrack and WebSlayer, just to name a few.

This subject actually really scared me as to what is available to would-be exploiters. This gives great insight as to things that every developer should be concerned with.

 
Jaikiran Pai
Marshal
paul nisset wrote:
I've used database-driven roles (i.e. the user's role is defined in a table in a database; they log in and that determines their role in the app).
I'm told this is bad

I'm curious - why is it considered bad?
 
paul nisset
Ranch Hand
Mick Knutson wrote:
... as to what is available to would-be exploiters. This gives great insight as to things that every developer should be concerned with.

Sounds like it.
While not exactly what I was asking about, still very useful stuff.

Thanks,
Paul
 
paul nisset
Ranch Hand
Hi Jaikiran,

This is my interpretation.

Suppose I only want an administrator to have access to the page "fileimporter.jsp"

Consider the following code from the web.xml file:


It limits access to the page to the role "Admin", which is defined at the application level. Elsewhere in the config, the role "admin" is tied to a Principal that the person has to log in as.
This is all handled without ever touching a database.

The application will check at the application level, via JAAS, whether the current user has been authorized as being in the role "admin".
The database is never touched. The application will not serve up fileimporter.jsp unless JAAS says "yes, this person is currently in the admin role".

Doing it via a database, the page isn't necessarily filtered so that it is not served. A servlet has to check a session variable that is set via a DB query and passed around the application.
There is more opportunity for it to be hacked.

-Paul
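Paul's web.xml snippet did not survive on this page. What follows is an added illustration (not his posting, and not from the book) of the declarative constraint he describes: the container intercepts the request for the page before any JSP or servlet code runs, so there is no session variable for application code to forget to check. The context path, page names, realm name and the lower-case role name "admin" are assumptions.

```xml
<!-- web.xml: declarative, container-enforced access to the importer page -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Every request for this URL is checked by the container before any
       servlet or JSP code runs; no session variable is consulted. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>File importer</web-resource-name>
      <url-pattern>/fileimporter.jsp</url-pattern>
      <!-- Deliberately no <http-method> elements: listing some methods
           would leave the unlisted ones (HEAD, OPTIONS, ...) unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- credentials and the admin session only travel over TLS -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>app</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Role names are matched case-sensitively: this must be exactly the
       string used in auth-constraint and the one the realm assigns. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

Two caveats a practitioner should keep in mind: the constraint applies to the URL the client requested, not to pages reached through a RequestDispatcher forward or include, so an admin-only JSP reached via an unprotected servlet is not checked; and nothing in this file says where the users and roles live. A database-backed realm (for example Tomcat's DataSourceRealm) or a database-backed JAAS login module supplies them without any change to web.xml.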
 
Jaikiran Pai
Marshal
paul nisset wrote:
Doing it via a database, the page isn't necessarily filtered so that it is not served. A servlet has to check a session variable that is set via a DB query and passed around the application.
There is more opportunity for it to be hacked.

JAAS can be backed by a database store and using a database store doesn't mean that you are bypassing JAAS. There won't be any changes to the web.xml that you posted if you used database to store the role information. You can configure your JAAS login module(s) to use a database store to check the authorization information. There's no need for a session variable to be setup.
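To make Jaikiran's point concrete, here is an added example (not from the thread or the book) of a JAAS LoginModule that authenticates against a database and loads the user's roles from it, so that an administrator can add users and roles with ordinary INSERTs while web.xml stays unchanged. The table and column names (app_user, app_user_role, password_hash, role_name), the module option "dsJndiName", the stored-hash format and the NamedPrincipal class are all assumptions; how a given container maps the Principals placed in the Subject onto web.xml roles is container-specific and must be configured alongside this module.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.sql.DataSource;

/** Hypothetical JDBC-backed JAAS LoginModule; schema and option names are assumptions. */
public class JdbcRoleLoginModule implements LoginModule {
    /** Minimal Principal for the user and each role (container mapping is configured separately). */
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String dsJndiName;           // e.g. "java:comp/env/jdbc/appDS" from the module options
    private String user;
    private final List<String> roles = new ArrayList<>();
    private boolean authenticated;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.dsJndiName = String.valueOf(options.get("dsJndiName"));
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        String name = nc.getName();
        char[] pw = pc.getPassword();
        char[] password = pw == null ? new char[0] : pw;
        pc.clearPassword();
        try (Connection c = ((DataSource) new InitialContext().lookup(dsJndiName)).getConnection()) {
            // Parameterised queries: the submitted username never becomes part of the SQL text.
            try (PreparedStatement ps = c.prepareStatement(
                    "SELECT password_hash FROM app_user WHERE username = ?")) {
                ps.setString(1, name);
                try (ResultSet rs = ps.executeQuery()) {
                    if (!rs.next() || !verifyPassword(password, rs.getString(1))) {
                        throw new FailedLoginException("bad username or password"); // same message for both
                    }
                }
            }
            try (PreparedStatement ps = c.prepareStatement(
                    "SELECT role_name FROM app_user_role WHERE username = ?")) {
                ps.setString(1, name);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) roles.add(rs.getString(1));
                }
            }
        } catch (SQLException | NamingException e) {
            throw new LoginException("user store unavailable: " + e.getMessage());
        } finally {
            Arrays.fill(password, '\0');   // do not keep the clear-text password in memory
        }
        user = name;
        authenticated = true;
        return true;
    }

    /** Assumed stored form: base64(salt) + "$" + base64(PBKDF2-HMAC-SHA256(password, salt, 100000)). */
    static boolean verifyPassword(char[] password, String stored) {
        if (stored == null) return false;
        String[] parts = stored.split("\\$");
        if (parts.length != 2) return false;
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, expected.length * 8);
            byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return MessageDigest.isEqual(expected, actual);   // constant-time comparison
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    @Override
    public boolean commit() {
        if (!authenticated) return false;
        subject.getPrincipals().add(new NamedPrincipal(user));
        for (String r : roles) subject.getPrincipals().add(new NamedPrincipal(r));
        return true;
    }

    @Override public boolean abort() { roles.clear(); user = null; authenticated = false; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return abort(); }
}
```

The module is wired in through the container's login configuration (a JAAS config entry naming this class and its options, or the server's equivalent security domain), and the web.xml security-constraint, login-config and security-role from Paul's description are unchanged. The two things that make this safer than a hand-rolled session flag are both in login(): the queries are parameterised, and a failed lookup and a failed hash check produce the same exception, so the login form does not reveal which usernames exist.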
 
paul nisset
Ranch Hand
Hi Jaikiran,
Sorry if you (or anybody) got my duplicate post earlier today.

Jaikiran Pai wrote:
JAAS can be backed by a database store and using a database store doesn't mean that you are bypassing JAAS.

Thanks for the info. This is something I will look into.

-Paul
 