Dear All,
I have a question concerning authorization strategies for the Web tier. My assumptions:
1. Web tier is implemented using JSP or Velocity templates
2. Model is stored in the DB using an ORM tool (Hibernate)
3. Model is directly accessible by the web tier, i.e. the controller (Struts) gets the model from the ORM and puts it in the request context where it's accessed (read) by JSP or Velocity templates.
I'm trying to implement security using JAAS and my security implementation is based on the following assumptions:
1. No hardcoded policies - every access to the data (read or write) should be checked by JAAS
2. I can't put JAAS permission checks in the model because it's being read and changed by the ORM tool (for example during load of data from the database Hibernate creates an instance and then calls setter methods to fill the object with data), therefore I need to put security checks (runAsPrivileged) in all controller (in the MVC sense) classes, which is not possible because I'm using Velocity which is reflection-based;
So, I can't employ JAAS in my case.
What is my mistake?
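As an added illustration of the layering the post describes (this is example code written for this page, not the poster's code or part of Struts, Hibernate or Velocity): a repository layer sits between the controller and the ORM and performs the authorization check there, so the model class stays a plain bean that the ORM can instantiate and fill through setters, and the template only ever receives beans the check has already approved. The `Document` bean, the `RolePrincipal`, the `POLICY` map and the in-memory `ormLoad` stand-in are all constructed for the example; a real deployment would get the `Subject` from a JAAS login and the policy from a policy store.

```java
// Added example, not from the original post. Authorization checks live in a
// repository/service layer between the controller and the ORM; the model bean
// itself carries no security logic, so an ORM can populate it via setters.
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class SecuredRepositoryExample {

    // Plain model bean (constructed for the example): no checks, so the ORM can
    // create it and call setters freely during load.
    public static class Document {
        private long id;
        private String body;
        public long getId() { return id; }
        public void setId(long id) { this.id = id; }
        public String getBody() { return body; }
        public void setBody(String body) { this.body = body; }
    }

    // Minimal Principal of the kind a JAAS LoginModule would add to the Subject.
    public static class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && ((RolePrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Policy data kept out of the code paths: role -> allowed actions.
    // Constructed for the example; a deployment would load it from a policy store.
    static final Map<String, Set<String>> POLICY = new HashMap<>();
    static {
        POLICY.put("reader", new HashSet<>(Arrays.asList("document:read")));
        POLICY.put("editor", new HashSet<>(Arrays.asList("document:read", "document:write")));
    }

    // Stand-in for the ORM session (hypothetical): loads a bean and fills it via
    // setters, as the post describes Hibernate doing. Deliberately no checks here.
    static Document ormLoad(long id) {
        Document d = new Document();
        d.setId(id);
        d.setBody("body of document " + id);
        return d;
    }

    // The layer the controller calls into. The check happens here, once, for
    // every read or write, regardless of which template renders the result.
    public static class SecuredDocumentRepository {
        private final Subject subject;
        public SecuredDocumentRepository(Subject subject) { this.subject = subject; }

        public Document load(long id) {
            require("document:read");
            return ormLoad(id);
        }

        public void save(Document d) {
            require("document:write");
            // ormSave(d) would follow here in a real repository
        }

        private void require(String action) {
            for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class)) {
                Set<String> allowed = POLICY.get(p.getName());
                if (allowed != null && allowed.contains(action)) return;
            }
            throw new SecurityException("subject lacks " + action);
        }
    }

    // Controller-side usage: the Subject would normally come from a JAAS
    // LoginContext; here it is built by hand for the example.
    public static void main(String[] args) {
        Subject reader = new Subject();
        reader.getPrincipals().add(new RolePrincipal("reader"));
        SecuredDocumentRepository repo = new SecuredDocumentRepository(reader);

        Document doc = repo.load(42);   // allowed: "reader" holds document:read
        System.out.println("loaded: " + doc.getBody());

        try {
            repo.save(doc);             // denied: "reader" lacks document:write
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The design point the example makes is that the check is tied to the data access operation rather than to the model class or to the controller that happens to invoke it: whether the caller is a Struts action or a reflection-driven Velocity template, the only route to the data runs through `SecuredDocumentRepository`, so the model and the templates never need to know about JAAS at all.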