RBAC (Role based access)

 
Ranch Hand
Posts: 75
Hi
I am looking for pointers for ROLE Based authentication implementation for java-jsp/servlet architecture.

Currently there is a role based schema in an Oracle table and I am implementing security logic in J2EE application based on the schema, for diff users.

Looking for good documentation for access control architecture on server side.

Thanks for the help

Siri.
 
Greenhorn
Posts: 23
Is there any chance you can migrate this data to LDAP?
If you put users/roles in an LDAP server, such as OpenLDAP, Active Directory, SecureWay, you can use the LDAP "User registry" in WebSphere App Server.

With web apps you control login with security entries in web.xml.
According to the J2EE spec:
http://java.sun.com/webservices/docs/1.3/tutorial/doc/Security4.html

In a servlet, you can do


In JSPs you can do similar, or use appropriate JSTL/Struts tags.

There's a WAS overview here
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/welc_security.html

If you can't migrate to LDAP, you can write a Custom User Registry.
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/tsec_tbucs.html
That page has a sample with a file based user reg, but it shows you what interface you need to implement.

In your webpages and servlets, you would still be able to do isUserInRole()..., because this interface goes through the JAAS layer. It's transparent to the programmer.
If you later migrate to LDAP, you don't need to change apps, but rather how users/roles are stored.

A lot of developers (including me!) wrote their own "JAAS layers".
It's meaningless to run an app server and write these layers yourself.

Hope that helps,

Regards,
/Tom
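
The declarative web.xml constraint and the programmatic isUserInRole() check discussed in the reply above, as an added example that is not part of the original post or of any product's sample code. The servlet name, the /payroll/* URL pattern and the role names "employee" and "payroll-admin" are assumptions.

```java
// Added example (not from the thread). Role names, URL pattern and class name
// are assumptions. Uses the javax.servlet API of the J2EE era; current
// containers use the jakarta.servlet package instead.
//
// Declarative part, in WEB-INF/web.xml: the container authenticates the caller
// and rejects anyone without the "employee" role before the servlet runs.
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>payroll</web-resource-name>
//       <url-pattern>/payroll/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint><role-name>employee</role-name></auth-constraint>
//     <user-data-constraint>
//       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
//     </user-data-constraint>
//   </security-constraint>
//   <login-config><auth-method>BASIC</auth-method></login-config>
//   <security-role><role-name>employee</role-name></security-role>
//   <security-role><role-name>payroll-admin</role-name></security-role>

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PayrollServlet extends HttpServlet {

    // Read access: any caller who passed the web.xml constraint.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("Payroll summary for " + req.getRemoteUser());
    }

    // Write access: programmatic check for the finer-grained role.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // isUserInRole() is false for unauthenticated callers: deny by default.
        if (!req.isUserInRole("payroll-admin")) {
            log("Denied payroll update for user " + req.getRemoteUser());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT); // update accepted
    }
}
```

The servlet never looks at where the roles are stored, so the same code works whether the container's user registry is LDAP or a custom registry backed by the Oracle schema.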
 
Greenhorn
Posts: 18
Hi,
I think you should have a look at jGuard (http://sourceforge.net/projects/jguard).
This security framework enables a JAAS (RBAC principle) integration into a J2EE environment.
The upcoming (scheduled for the end of the week) 0.63 release will enable RBAC management through databases (Oracle, PostgreSQL or MySQL), for the authentication purpose.
The authorisation part through databases will come in the 0.64 release.
The authentication and authorisation parts can also be configured through XML files.

hope this helps,

charles gay(jGuard team).