JavaRanch » Java Forums » Java » EJB and other Java EE Technologies
Java EE 6 Cookbook - Role based security ?

paul nisset
Ranch Hand

Joined: May 13, 2009
Posts: 177
Hi,
Does the book talk about how to implement role-based security in a dynamic manner?
Most books I see simply reiterate the standard JAAS method of creating roles in the web config.

I've used database-driven roles (i.e. the user's role is defined in a table in a database; they log in and that determines their role in the app).
I'm told this is bad, but JAAS doesn't seem to allow dynamic user creation and role allocation, such as an admin might do when adding a new user to a system.

Thanks,
Paul
Mick Knutson
author
Ranch Hand

Joined: Jul 10, 2007
Posts: 37
paul nisset wrote:
Hi,
Does the book talk about how to implement role-based security in a dynamic manner?
Most books I see simply reiterate the standard JAAS method of creating roles in the web config.

I've used database-driven roles (i.e. the user's role is defined in a table in a database; they log in and that determines their role in the app).
I'm told this is bad, but JAAS doesn't seem to allow dynamic user creation and role allocation, such as an admin might do when adding a new user to a system.

Thanks,
Paul

I talk a bit about role-based security but do not go into depth on DB, LDAP, etc. for those roles.
Most of the recipes take a different view on what security to teach. So I wanted to go into detail about the types of security exploits facing Java EE and mobile applications, such as XSS, SQL injection, decompilation, etc.
I talk about several applications that are available to perform security audits on applications, such as SkipFish, L0phtCrack and WebSlayer, just to name a few.

This subject actually really scared me as to what is available to would-be exploiters. This gives great insight as to things that every developer should be concerned with.


... Mick Knutson
http://baselogic.com - [Java EE6 Cookbook for securing, tuning, and extending enterprise applications (PACKT)] - [Java EE6 Cookbook (PACKT) (on Amazon)]
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10288

paul nisset wrote:
I've used database-driven roles (i.e. the user's role is defined in a table in a database; they log in and that determines their role in the app).
I'm told this is bad.

I'm curious - why is it considered bad?

[My Blog] [JavaRanch Journal]
paul nisset
Ranch Hand

Joined: May 13, 2009
Posts: 177

Mick Knutson wrote:
... as to what is available to would-be exploiters. This gives great insight as to things that every developer should be concerned with.

Sounds like it.
While not exactly what I was asking about, it is still very useful stuff.

Thanks,
Paul
paul nisset
Ranch Hand

Joined: May 13, 2009
Posts: 177
Hi Jaikiran,

This is my interpretation.

Suppose I only want an administrator to have access to the page "fileimporter.jsp"

Consider the following code from the web.xml file:


It limits access to the page to the role "Admin", which is defined at the application level. Elsewhere in the config, the role "admin" is tied to a Principal that the person has to log in as.
This is all handled without ever touching a database.

The application will check at the application level via JAAS whether the current user has been authorized as being in the role "admin".
The database is never touched. The application will not serve up fileimporter.jsp unless JAAS says "yes this person is currently in the admin role".

Doing it via a database, the page isn't necessarily filtered to not be served. A servlet has to check a session variable that is set via a DB query and passed around the application.
There is more opportunity for it to be hacked.

-Paul
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10288

paul nisset wrote:
Doing it via a database, the page isn't necessarily filtered to not be served. A servlet has to check a session variable that is set via a DB query and passed around the application.
There is more opportunity for it to be hacked.

JAAS can be backed by a database store, and using a database store doesn't mean that you are bypassing JAAS. There won't be any changes to the web.xml that you posted if you use a database to store the role information. You can configure your JAAS login module(s) to use a database store to check the authorization information. There's no need for a session variable to be set up.
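To make the point above concrete, here is an added example of the kind of login module Jaikiran describes. It is not code from the book, from any poster in this thread, or from a particular container: a JAAS LoginModule that authenticates the user against a database and turns the user's role rows into Principals, so the container keeps enforcing the web.xml `<auth-constraint>` exactly as in Paul's description, and no session variable carries the role around. The option name `jdbcUrl`, the tables `users(username, salt, pbkdf2_hash)` and `user_roles(username, role)`, the PBKDF2 parameters, and the `SimplePrincipal`/`RolePrincipal` classes are all assumptions; how a given container maps role Principals onto the role names in web.xml (for example by placing them in a named group) is vendor-specific and is not shown.

```java
import java.security.*;
import java.sql.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Added example for this thread (not from the book or any container): a JAAS
// LoginModule whose identity and role facts come from a database. The
// <auth-constraint> in web.xml is untouched; only the source of the facts changes.
public class DatabaseRoleLoginModule implements LoginModule {

    // Principal for a user or role name (assumed classes). How a container maps
    // RolePrincipals onto web.xml role names (e.g. a "Roles" group) is vendor-specific.
    public static class SimplePrincipal implements Principal {
        private final String name;
        public SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && o.getClass() == getClass() && name.equals(((SimplePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    public static final class RolePrincipal extends SimplePrincipal {
        public RolePrincipal(String name) { super(name); }
    }

    // Assumed: option "jdbcUrl" in the JAAS login configuration, and tables
    // users(username, salt, pbkdf2_hash) and user_roles(username, role).
    private static final int PBKDF2_ITERATIONS = 210_000;
    private Subject subject;
    private CallbackHandler handler;
    private String jdbcUrl, user;
    private final Set<Principal> pending = new HashSet<>();
    private boolean succeeded;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.jdbcUrl = (String) options.get("jdbcUrl");
    }

    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (java.io.IOException | UnsupportedCallbackException e) {
            throw new LoginException("could not collect credentials");
        }
        char[] password = pc.getPassword();   // getPassword() returns a copy; clear both afterwards
        pc.clearPassword();
        if (nc.getName() == null || password == null) throw new FailedLoginException("bad credentials");
        try (Connection c = DriverManager.getConnection(jdbcUrl)) {
            // Bound parameters: the username never becomes part of the SQL text,
            // so the login form is not an SQL injection point.
            try (PreparedStatement ps = c.prepareStatement(
                    "SELECT salt, pbkdf2_hash FROM users WHERE username = ?")) {
                ps.setString(1, nc.getName());
                try (ResultSet rs = ps.executeQuery()) {
                    // Same message for unknown user and wrong password: no username enumeration.
                    if (!rs.next() || !verify(password, rs.getBytes(1), rs.getBytes(2)))
                        throw new FailedLoginException("bad credentials");
                }
            }
            try (PreparedStatement ps = c.prepareStatement(
                    "SELECT role FROM user_roles WHERE username = ?")) {
                ps.setString(1, nc.getName());
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) pending.add(new RolePrincipal(rs.getString(1)));
                }
            }
        } catch (SQLException e) {
            throw new LoginException("authentication store unavailable"); // no driver/DB details leak out
        } finally {
            Arrays.fill(password, '\0');       // do not leave the cleartext password on the heap
        }
        user = nc.getName();
        succeeded = true;
        return true;
    }

    // PBKDF2-HMAC-SHA256 verification against the stored salt+hash, constant-time comparison.
    private static boolean verify(char[] password, byte[] salt, byte[] expected) throws LoginException {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERATIONS, expected.length * 8);
            byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            spec.clearPassword();
            return MessageDigest.isEqual(expected, derived);
        } catch (GeneralSecurityException e) {
            throw new LoginException("password verification unavailable");
        }
    }

    @Override public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new SimplePrincipal(user));
        subject.getPrincipals().addAll(pending);   // roles become visible to the container's check
        return true;
    }
    @Override public boolean abort() { pending.clear(); user = null; succeeded = false; return true; }
    @Override public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof SimplePrincipal);
        abort();
        return true;
    }
}
```

With a module like this registered in the container's JAAS login configuration, the `<security-constraint>` that limits `fileimporter.jsp` to the `Admin` role stays exactly as Paul posted it; an administrator adding a user or changing a role only writes rows to `users` and `user_roles`, and the container, not a servlet reading a session attribute, decides whether the page is served. The assumed store keeps a salted PBKDF2 hash rather than a password, and the module reports one generic failure to the caller so that database or driver details and the existence of a username are not disclosed.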
paul nisset
Ranch Hand

Joined: May 13, 2009
Posts: 177
Hi Jaikiran,
Sorry if you (or anybody) got my duplicate post earlier today.

Jaikiran Pai wrote:
JAAS can be backed by a database store, and using a database store doesn't mean that you are bypassing JAAS.

Thanks for the info. This is something I will look into.

-Paul