We have common requirements, like any other web application. We are thinking of using JSP, Struts, and EJB for this application. We need to hide and show certain menu options depending on the user group, role. At the same time, we need to lock certain data, menu options, modules and applications.
Example:
- When a user is performing some action, we don't want any user to log into the system. At this time we want to lock the whole application.
- When a user wants to run a certain process, we don't want any user to add/update/delete any records. In this case we want to disable/hide all those options for other users.

There are scenarios like these where we want to lock certain data, menu options, etc.
In the current data model for the database, we have tables for menus, user, group roles. I was thinking I would check these tables and get the menu options assigned to the role to which the user is assigned. I'm not sure how Struts would be useful in such a scenario. Any sample application would be appreciated, or any better solution to achieve this.
In EJB, we use ejb-jar.xml to give security roles and method permissions. How will the application server be able to map the roles defined in the application tables to the ones used in ejb-jar.xml?
Oracle 10g uses an .xml file or LDAP for mapping. But we have user, group, roles configured in the database. I am not sure how to map these to the ones used in ejb-jar.xml.
I am not sure how this is done in WebLogic.
We are currently using Oracle 10g AS but in the future might shift to WebLogic. Is there any common framework which would solve my problem?
How are situations like this handled with an optimal solution?
Saritha ventrapragada: you are right about the large usage of this architecture. My 2 cents: there is a big difference between the descriptive security (that defined inside the ejb-jar.xml) and special security such as the one you are talking about (which I expect to be at a higher level than the descriptive - method level). You could design your custom security manager that will check the roles against the db, and then inside the JSP/Servlet/whatever use this service in order to enable/disable actions. One of the things you must keep in mind (deep) is the security credentials caching (upon their change and also upon db hits).
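
The db-backed role check with credential caching described in the reply above, together with the application lock from the question, as an added Java example (Java 10 or later) that is not code from this thread. The class `MenuSecurityService`, its method names, the in-memory loader standing in for the database query, and the sample users and menu ids are all assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

public class MenuSecurityService {
    private static final class Entry {
        final Set<String> menus; final long loadedAt;
        Entry(Set<String> menus, long loadedAt) { this.menus = menus; this.loadedAt = loadedAt; }
    }
    // Hypothetical loader: stands in for the query over the user/group/role/menu tables.
    private final Function<String, Set<String>> loader;
    private final long ttlMillis;
    private final Map<String, Entry> cache = new ConcurrentHashMap<>();
    private volatile String lockOwner; // non-null while one user holds the application lock

    public MenuSecurityService(Function<String, Set<String>> loader, long ttlMillis) {
        this.loader = loader; this.ttlMillis = ttlMillis;
    }
    // Called by the JSP/Struts layer before rendering or executing an action; denies by default.
    public boolean isAllowed(String user, String menuId) {
        String owner = lockOwner;
        if (owner != null && !owner.equals(user)) return false; // locked for everyone else
        long now = System.currentTimeMillis();
        Entry e = cache.get(user);
        if (e == null || now - e.loadedAt > ttlMillis) {        // TTL bounds staleness
            Set<String> menus = loader.apply(user);             // the only db hit
            e = new Entry(menus == null ? Set.of() : Set.copyOf(menus), now);
            cache.put(user, e);
        }
        return e.menus.contains(menuId);
    }
    public void invalidate(String user) { cache.remove(user); } // call when a role changes
    public void lock(String owner) { lockOwner = owner; }
    public void unlock() { lockOwner = null; }

    public static void main(String[] args) {
        Map<String, Set<String>> db = new HashMap<>();          // constructed sample data
        db.put("alice", Set.of("reports", "edit-records"));
        MenuSecurityService svc = new MenuSecurityService(db::get, 60_000);
        System.out.println("granted: " + svc.isAllowed("alice", "edit-records"));
        db.put("alice", Set.of("reports"));                     // role revoked in the db
        System.out.println("stale cache: " + svc.isAllowed("alice", "edit-records"));
        svc.invalidate("alice");
        System.out.println("after invalidate: " + svc.isAllowed("alice", "edit-records"));
        svc.lock("batch-operator");
        System.out.println("while locked: " + svc.isAllowed("alice", "reports"));
    }
}
```

Hiding a menu entry in the JSP only changes what is displayed; the same `isAllowed` check has to run in the action or EJB that performs the operation, otherwise a request sent directly to that action bypasses it.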