JAAS authorization in simple architecture

 
Greenhorn
Posts: 29
Dear All,
I have a question concerning authorization strategies for the Web tier. My assumptions:
1. Web tier is implemented using JSP or Velocity templates
2. Model is stored in the DB using an ORM tool (Hibernate)
3. Model is directly accessible by the web tier, i.e. the controller (Struts) gets the model from the ORM and puts it in the request context, where it's accessed (read) by JSP or Velocity templates.

I'm trying to implement security using JAAS and my security implementation is based on the following assumptions:
1. No hardcoded policies - every access to the data (read or write) should be checked by JAAS
2. I can't put JAAS permission checks in the model because it's being read and changed by the ORM tool (for example, during load of data from the database Hibernate creates an instance and then calls setter methods to fill the object with data), therefore I need to put security checks (runAsPrivileged) in all controller (in the MVC sense) classes, which is not possible because I'm using Velocity, which is reflection based;

So, I can't employ JAAS in my case.
What is my mistake?
 
Ranch Hand
Posts: 86
Hi Renat,
Please look at jGuard; and post your findings.
We're studying the framework too.

Cheers,
Ryan
 
Greenhorn
Posts: 18
Hi,
you should have a look at http://sourceforge.net/projects/jguard
My project (jGuard) resolves your problem (enables JAAS use for J2EE).
Sincerely yours,
charles(diabolo512)
 
Renat Zubairov
Greenhorn
Posts: 29
Hello Ryan,

I've looked at it. It's quite OK, but it didn't solve my problem (as far as I can figure out). BTW I need instance-based authorization;
My problem is that I can't put permission-checking code in the model classes because those classes are modified not only by the clients (via controllers) but also by the ORM tool during load from the DB.
Example: I have a model class:


If I put permission checks in it, it would look like


Then I get an exception because my ORM tool (Hibernate) is trying to instantiate and set values from the database. But Hibernate is not authorized (and it shouldn't be, I guess).

I've found one (bad) solution - put checks in the controller classes, but this is a really bad solution.
Another solution is AOP (AspectJ), i.e.
do checks in

But you know, it's not a standard solution.
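
One way to keep permission checks out of the model class while still checking every web-tier access per instance, in the spirit of the interception (AOP) option mentioned in the post above. This is an added example, not code from any poster in this thread or from jGuard. The `Account` types, the `account.<id>.<action>` permission naming and the direct `Permissions.implies` test (used here instead of a JAAS policy lookup) are assumptions made for illustration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.BasicPermission;
import java.security.Permissions;

public class GuardedModelDemo {
    // Hypothetical model contract; these names are not from the thread.
    public interface Account { long getId(); String getOwner(); void setOwner(String owner); }

    // Plain model class with no security code, so an ORM can instantiate and fill it freely.
    public static class AccountImpl implements Account {
        private final long id; private String owner;
        public AccountImpl(long id) { this.id = id; }
        public long getId() { return id; }
        public String getOwner() { return owner; }
        public void setOwner(String owner) { this.owner = owner; }
    }

    // Instance-based permission named "account.<id>.<read|write>"; BasicPermission also allows "account.42.*".
    public static class AccountPermission extends BasicPermission {
        public AccountPermission(String name) { super(name); }
    }

    // Wraps a loaded instance so every call made through the wrapper is checked first.
    public static Account guard(Account target, Permissions granted) {
        InvocationHandler h = (proxy, method, args) -> {
            String action = method.getName().startsWith("set") ? "write" : "read";
            AccountPermission needed = new AccountPermission("account." + target.getId() + "." + action);
            if (!granted.implies(needed)) throw new SecurityException("denied: " + needed.getName());
            return method.invoke(target, args);
        };
        return (Account) Proxy.newProxyInstance(Account.class.getClassLoader(), new Class<?>[] { Account.class }, h);
    }

    public static void main(String[] args) {
        AccountImpl loaded = new AccountImpl(42);   // stands in for ORM hydration:
        loaded.setOwner("alice");                   // raw setter call, no check, no exception

        Permissions granted = new Permissions();    // constructed grants for the current user
        granted.add(new AccountPermission("account.42.read"));

        Account view = guard(loaded, granted);      // what the controller would put in the request context
        System.out.println(view.getOwner());        // allowed: read on instance 42
        try { view.setOwner("mallory"); }           // no write grant for instance 42
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Because the check sits in the proxy's handler, calls made by reflection on the wrapped object (as a template engine makes them) go through the same check, while the ORM keeps working on the unwrapped `AccountImpl`.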
 