Hi, I'm building an enterprise-enabled (EJB etc.) solution for my company. (Well, my team is...) The problem we have now is that 'security' constraints have blown way out of proportion to initial documents. Initially, using the application server's built-in security was sufficient, i.e., if this role, then execute this method. If you had the proper role to get a list of clients for your division, you would be able to see all the clients returned, and edit them all you wanted. (Kind of like the honour system.) Now we need to be more selective. If you, as a user, create a client, only the users in your division can see them. Also, only you or someone higher than you in the 'roles hierarchy' can modify or delete this client. Additionally, anyone lower than you on the role hierarchy could have SOME of the information with this client hidden. In effect, I'm filtering the data already returned by the DB/app server. Now, I've analysed some methods of using bitmasks and performing logical operations, but I think my experience is falling a bit short on a real robust solution, even though I do have one. (Too lengthy to post here.) What I was wondering is if anyone has built or bought a 'security' or filtering tool to handle just these kinds of scenarios. Thank you for your help in advance.
I have built such a permissions framework in the past. Our requirements were very detailed and expected a lot out of the framework. In general, what we ended up with worked; however, its complexity and administrative requirements proved to be the framework's Achilles' heel. Basically, I would be careful about trying to build a generic security system ... I think you will find that in most cases you want something relatively simple to handle the obvious security constraints -- then let the application code dole out the specific business-driven security constraints. Using a bit mask-type approach is a good idea ... this is essentially analogous to the Unix security approach ... also, you may want to look into JAAS (Java Authentication and Authorization Service) ... finally, try and find out exactly what your users are looking for ... help them understand the difference between security and data accessibility. I have found that in many cases, a role-based security mechanism provides the most flexibility.
Hi John, My team had built something like what you are looking for 3 years ago. We did not have support from application servers then and hence had to do things from scratch. We stored all kinds of combinations of permissions in terms of rules and stored them in the DB (maybe XML now), and then built a rule engine (the implementation was a tree-based algorithm). Any display on the browser, whether it is field-based access control, or an operation (update/edit/delete), or showing/not showing a functionality itself, had to depend on this rule engine, i.e., if and only if the rule engine returns true for hasPermission(...) will a particular element come up on the screen. Also, I have worked with security in the context of application servers at the moment. But I am not sure whether this level of customization is available with the application-server-based security framework.
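
The three constraints raised in this thread (division-scoped visibility, modify/delete limited to the creator or someone higher in the role hierarchy, and hiding some fields from lower roles), as an added example that is not code from any poster. The class, role names, field names and sample data are hypothetical, and it assumes Java 16+ for records.

```java
import java.util.*;

public class ClientAccessPolicy {
    // Hypothetical role hierarchy: a later constant outranks an earlier one.
    enum Role { CLERK, SUPERVISOR, MANAGER }

    record User(String name, String division, Role role) {}
    record Client(String id, String division, String ownerName, Role ownerRole,
                  Map<String, String> fields) {}

    // Hypothetical set of fields hidden from users ranked below the client's creator.
    static final Set<String> SENSITIVE_FIELDS = Set.of("creditLimit");

    // Visibility: only users in the client's division see the record at all.
    static boolean canView(User u, Client c) {
        return u.division().equals(c.division());
    }

    // Modify/delete: the creator, or someone strictly higher in the hierarchy.
    // Checked after canView so a higher role in another division is still denied.
    static boolean canModify(User u, Client c) {
        if (!canView(u, c)) return false;
        return u.name().equals(c.ownerName()) || u.role().compareTo(c.ownerRole()) > 0;
    }

    // Field filtering: build the copy this user may see on the server side,
    // so hidden values never leave the application tier.
    static Optional<Map<String, String>> viewOf(User u, Client c) {
        if (!canView(u, c)) return Optional.empty();
        boolean lowerThanOwner = u.role().compareTo(c.ownerRole()) < 0;
        Map<String, String> visible = new TreeMap<>();
        c.fields().forEach((name, value) -> {
            if (!(lowerThanOwner && SENSITIVE_FIELDS.contains(name))) visible.put(name, value);
        });
        return Optional.of(visible);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Client c = new Client("c-1", "east", "alice", Role.SUPERVISOR,
                Map.of("name", "Acme Ltd", "creditLimit", "50000"));
        List<User> users = List.of(new User("alice", "east", Role.SUPERVISOR),
                new User("bob", "east", Role.CLERK), new User("carol", "west", Role.MANAGER));
        for (User u : users) {
            System.out.println(u.name() + " view=" + viewOf(u, c).orElse(null)
                    + " modify=" + canModify(u, c));
        }
    }
}
```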