Wow - crack your knuckles - this is a big question.
I'm developing a large scale
J2EE web based application contained completely inside of
JBoss 3.2.x. My application consists of the following layers:
1) EJB 2.0 Entity (all CMP for now, may require BMP later, but unrelated...)
2) EJB 2.0 Stateless Session Facade using serializable client "beans" as input/output
3) "Client side" (
servlet container) Service Locator / Client Facade dealing with client bean manipulation and service lookup
4) Servlet based web app controller
5)
JSP / tagslibs
(4 and 5 - MVC - possibly
struts)
All activity in this app travels up and back through those layers. That's not the problem, everything is beauuuutiful.
I'm at the point now where I'm defining security. There are several points of security to define.
1) Entity bean protection - these beans should only be accessible by other EJBs. These beans have only the Local interfaces created, and no remote interfaces. Is this secure enough, or should method level, role based JAAS come into play here to authorize only the beans I specify to make method calls or lookup homes.
2) Business "dynamic" Security - single actions such as create user, add user to group, etc... I need dynamic database security here in that users can only add other users to groups they are members of, etc. Should that be defined in the session bean layer (some type of auth would have to be passed in, or accesible), or assume that it was handled by the calling "layer" (the ServiceLocator / Client Facade). It would require some type of synch with the web session to confirm the user, so it would have to be done in the servlet engine, or something passed in about the caller. Don't tell me to use Stateful Beans, they are the devil, and are not meant for this purpose.
Ideally this would occur using JAAS and having the roles for the principal loaded from the DB - see #4
3) The exposed Remote Stateless Session Beans need security (unless above security was chosen to be passed in). This could be JAAS role based security in which the web app authenticates through JBOSS JAAS support and internally manages those permissions, or as mentioned above, some user object passed in whose password (plain text or encypted?!?!) is confirmed...
4) Retrieving and validating user PW. I'm set on storing this in the DB digested using MD5 or similar algorithm. No problem there, but at what layer is the "digesting" appropriate? One side of me says do it ASAP to avoid having clear text passing around, but another side tells me to put it farther down, possibly in the SS EJB to make calls to it more simple. If the MD5 were done at the servlet level, it would have to call all the way down to get the real PW, come back, then compare digests, then continue. Comparing at a later time could prove more efficient, and participate in any transactions nicer... Encororating JAAS and having the "roles" for the principal loaded from the ejs would be an ideal solution (for use in the dynamic business rules.. see #2 , but is this proper usage?
How would I implement such a strategy?
I realize that a lot of this is totally opinion based, has many different answers, and is a VERY advanced topic. I'm just curious if anyone else has experienced similar design issues and how they were overcome. I can't be the only person doing this...
As always, thanks in advance!
Locuester
dana@deepsnow.com [ February 28, 2003: Message edited by: Dana Hanna ]