1 Reply Latest reply on Feb 11, 2004 12:51 AM by juha

    Specifying a custom security manager for a specific applicat

    toaom

      Hello,

      I've been experimenting with JAAS, but I'm constantly bashing my head against the lack of support for dynamic role/user/rights associations.

The biggest problem with this is that I don't want to hard-code any roles into the system. It must be possible to add a role on the fly and the application should be able to work with it. The other problem I'm having is that role assignment is based on the object that is being accessed. So I want to be able to specify a role between a subject and a specific instance of a stateful session bean.

To solve this problem once and for all I've been looking for all sorts of options, but finally I've narrowed it down to the following three (four):

1. Create a facade for every stateless and stateful session bean and decorate the subject with additional principals based on the assigned roles for the action they're trying to do, and use doAsPrivileged to actually call the actual bean.

2. Implement a custom Policy class which will allow for assignment of permissions based on the requested context. (pro: can specify own permissions and policy file/db format. con: can only be overwritten in the security.config file)

3. Implement a custom security manager (pro: can do whatever I want with it. con: must be overwritten using a -D option of the JRE and will replace the security manager in place.)

4. Build a complete custom security system and ignore JAAS Authorization altogether.

      I'm leaning towards option 3, but I'm not sure what kind of implications this will have on the default security options in JBoss. It should also be possible to deploy this application to other servers (at least to oracle 9ias) and I'm not sure of the implications for that one either.

      Any help is greatly appreciated.

      Jesse
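As an added example (not code from the original post, from JBoss, or from any of the servers mentioned), here is a sketch of how options 1 and 2 fit together on the plain JAAS/J2SE APIs: a custom `Policy` that decides on a per-instance, per-action permission from role tables that are mutable at runtime, and a facade that performs the check inside `Subject.doAsPrivileged` so the Subject's principals are on the stack. Every name in it is an assumption: `BeanInstancePermission`, `DynamicRolePolicy`, `NamedPrincipal`, `OrderBeanFacade`, the instance id `Order#42`, the role `order-owner` and the user `alice` are all constructed for the demo.

```java
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;

/** Permission for one action on one bean instance; the name is a hypothetical instance id such as "Order#42". */
final class BeanInstancePermission extends BasicPermission {
    private final String action;
    BeanInstancePermission(String instanceId, String action) { super(instanceId); this.action = action; }
    @Override public String getActions() { return action; }
    @Override public boolean implies(Permission p) {
        return p instanceof BeanInstancePermission && getName().equals(p.getName()) && action.equals(p.getActions());
    }
    @Override public boolean equals(Object o) { return o instanceof Permission && implies((Permission) o); }
    @Override public int hashCode() { return getName().hashCode() * 31 + action.hashCode(); }
}

/** Minimal Principal carrying the user name that the Policy looks up. */
final class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof NamedPrincipal && name.equals(((NamedPrincipal) o).name); }
    @Override public int hashCode() { return name.hashCode(); }
}

/**
 * Option 2 from the post: a custom Policy. user->roles and instance->role->actions are plain
 * mutable maps (constructed here; a deployment would back them with a database), so a role can be
 * created and granted at runtime with nothing hard-coded. Any permission that is not a
 * BeanInstancePermission is delegated to the Policy that was installed before this one.
 */
final class DynamicRolePolicy extends Policy {
    private final Policy fallback;
    private final Map<String, Set<String>> rolesOf = new ConcurrentHashMap<>();              // user -> roles
    private final Map<String, Map<String, Set<String>>> grants = new ConcurrentHashMap<>(); // instance -> role -> actions
    DynamicRolePolicy(Policy fallback) { this.fallback = fallback; }

    void assignRole(String user, String role) {
        rolesOf.computeIfAbsent(user, k -> ConcurrentHashMap.newKeySet()).add(role);
    }
    void grant(String instanceId, String role, String action) {
        grants.computeIfAbsent(instanceId, k -> new ConcurrentHashMap<>())
              .computeIfAbsent(role, k -> ConcurrentHashMap.newKeySet()).add(action);
    }

    @Override public boolean implies(ProtectionDomain domain, Permission permission) {
        if (!(permission instanceof BeanInstancePermission)) {
            return fallback != null && fallback.implies(domain, permission);
        }
        Principal[] principals = domain.getPrincipals(); // filled in by the SubjectDomainCombiner
        if (principals == null) return false;
        Map<String, Set<String>> byRole = grants.getOrDefault(permission.getName(), Collections.emptyMap());
        for (Principal p : principals) {
            for (String role : rolesOf.getOrDefault(p.getName(), Collections.emptySet())) {
                if (byRole.getOrDefault(role, Collections.emptySet()).contains(permission.getActions())) return true;
            }
        }
        return false;
    }
}

/** Option 1 from the post: a facade in front of the bean that performs the instance-level check. */
final class OrderBeanFacade {
    private final String instanceId;
    OrderBeanFacade(String instanceId) { this.instanceId = instanceId; }
    String cancel() {
        // Stack walk: inside doAsPrivileged every domain on the stack carries the Subject's principals.
        AccessController.checkPermission(new BeanInstancePermission(instanceId, "cancel"));
        return "cancelled " + instanceId;
    }
}

public final class DynamicAuthzDemo {
    static String cancelAs(Subject subject, final OrderBeanFacade bean) {
        return Subject.doAsPrivileged(subject, new PrivilegedAction<String>() {
            public String run() { return bean.cancel(); }
        }, null); // null context: frames below this call are not part of the check
    }

    public static void main(String[] args) {
        DynamicRolePolicy policy = new DynamicRolePolicy(Policy.getPolicy());
        Policy.setPolicy(policy);

        // Constructed data: the role "order-owner" exists only in the maps, nowhere in the code.
        policy.assignRole("alice", "order-owner");
        policy.grant("Order#42", "order-owner", "cancel");

        Subject alice = new Subject();
        alice.getPrincipals().add(new NamedPrincipal("alice"));

        System.out.println(cancelAs(alice, new OrderBeanFacade("Order#42"))); // granted
        try {
            cancelAs(alice, new OrderBeanFacade("Order#43"));                 // other instance: denied
        } catch (AccessControlException e) {
            System.out.println("denied: " + e.getPermission().getName() + " " + e.getPermission().getActions());
        }
    }
}
```

Two things worth noticing. First, no SecurityManager is installed: `AccessController.checkPermission` walks the stack and consults the installed `Policy` regardless, which is why option 2 does not need the `-D` switch that option 3 does. Second, passing `null` as the context to `doAsPrivileged` deliberately drops the caller's frames from the check, so the facade becomes the trust boundary; anything that can reach the facade with a Subject can act as that Subject, which is the trade-off option 1 makes. The `Policy`/`AccessController` machinery this relies on was deprecated for removal in JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so the design only runs on older JDKs.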

        • 1. Re: Specifying a custom security manager for a specific appl


          "ToAoM" wrote:

1. Create a facade for every stateless and stateful session bean and decorate the subject with additional principals based on the assigned roles for the action they're trying to do, and use doAsPrivileged to actually call the actual bean.


How's this different from the JBoss SecurityProxy approach?