
JAAS to implement class level or method level Authorization in a Desktop App

Posts: 1
Hi Everyone,

I am a student and I am trying to develop a role-based Java desktop application for my project using Aspect Oriented Programming (AspectJ). After doing some research, I found that JAAS provides user-based authorization. I have gone through some of the online materials and have successfully managed to get the authentication bit working. The application so far asks for a username and password (using Sun's DialogCallbackHandler) and validates them against the username and password stored in a database (I had to implement a new login module to add this functionality, as it is not provided by Sun's existing login modules).

Now JAAS supports Principal-based authorization and I am trying to implement class-based as well as method-based authorization. In my application, I will have a class Student, which is a GUI form (with various other GUI classes) that retrieves information about students present in the database. Now not every user should be able to view student records, i.e. in one way they should not be able to create an instance of the class Student. Again, if a user can view records then he/she may be allowed only to view the records and not update or delete any of them, i.e. methods such as update or delete will not be accessible to the user. As for now I am struggling to implement class-based authorization and need some help with this. Once I can get this working I can focus on method-level authorization.

Could anyone give me some pointers on what I need to do in order to implement class-level or method-level authorization (whichever is easier), or any resource which might help me with this?

Please remember that this is a desktop application and not a web application.

Looking forward to your reply.

Many Thanks for your help.
Posts: 43016
Welcome to JavaRanch.

I'm not certain that class-based or method-based authorization makes much sense. While there are sure to be some classes/methods that should only be called for users with particular privileges, it's more common that a given class/method handles all users and makes explicit distinctions in the code based on the user Principal.

If nonetheless you want to prevent some methods from being entered at all, then that can probably be accomplished using AspectJ with "before" advice that throws an exception if a non-privileged user is running the app. The Principal would need to be passed to the method in question, though, so that the advice method has access to it.
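The method-level guard described in the reply above, as an added example that is not part of the original thread: a JDK dynamic proxy stands in for the AspectJ "before" advice so the code runs without a weaver, and the JAAS Subject is handed to the guard explicitly. `RolePrincipal`, `RequiresRole`, `StudentRecords` and the role names are hypothetical.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.security.Principal;
import javax.security.auth.Subject;

public class MethodAuthzDemo {
    // Hypothetical role principal; a custom LoginModule would add these in commit().
    record RolePrincipal(String role) implements Principal {
        public String getName() { return role; }
    }

    // Hypothetical marker naming the role a method requires.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface RequiresRole { String value(); }

    interface StudentRecords {
        @RequiresRole("viewer") String view(int id);
        @RequiresRole("editor") void delete(int id);
    }

    static class StudentRecordsImpl implements StudentRecords {
        public String view(int id) { return "student #" + id; }
        public void delete(int id) { System.out.println("deleted #" + id); }
    }

    // Wraps target so every call is checked against the Subject first (the "before advice").
    static StudentRecords guard(StudentRecords target, Subject subject) {
        InvocationHandler check = (proxy, method, args) -> {
            RequiresRole req = method.getAnnotation(RequiresRole.class);
            boolean objectMethod = method.getDeclaringClass() == Object.class;
            // Fail closed: an unannotated business method is denied, not allowed.
            boolean allowed = objectMethod || (req != null
                && subject.getPrincipals(RolePrincipal.class).stream()
                          .anyMatch(p -> p.getName().equals(req.value())));
            if (!allowed) throw new SecurityException("not authorized: " + method.getName());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (StudentRecords) Proxy.newProxyInstance(StudentRecords.class.getClassLoader(),
                new Class<?>[] { StudentRecords.class }, check);
    }

    public static void main(String[] args) {
        Subject viewer = new Subject();   // constructed; normally LoginContext.getSubject()
        viewer.getPrincipals().add(new RolePrincipal("viewer"));
        StudentRecords records = guard(new StudentRecordsImpl(), viewer);
        System.out.println(records.view(7));
        try { records.delete(7); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The check only holds if callers can reach `StudentRecordsImpl` through `guard` alone; code that keeps a direct reference to the implementation bypasses it.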