-
1. Re: How to handle dynamic authorization?
starksm64 Mar 19, 2004 4:32 AM (in response to pearl81)
You will either have to employ non-role based security using custom logic or try to provide a custom implementation of the java.security.acl.Group that can make such dynamic associations. This would be associated with an authenticated user via a custom JAAS LoginModule.
-
2. Re: How to handle dynamic authorization?
pearl81 Mar 19, 2004 2:34 PM (in response to pearl81)
I expose a method in my remote interface called
updatePerson(int personID)
Now the only two roles that can execute this method are admin and isManager.
Observe the person being updated is a parameter being passed into the updatePerson method in the remote interface.
As I understand it, the CustomLoginModule would happen even before the method gets executed. Hence, I would have to pass the personID to this module so that I can then establish the relationship to the caller.
Or on the server side can I write a SecurityProxyInterceptor that can add the role "isManager" to the EJBContext?
Thanks!
-
3. Re: How to handle dynamic authorization?
starksm64 Mar 19, 2004 3:09 PM (in response to pearl81)
If the security check depends on the data coming in with the call then you really need to use a custom security interceptor. This can be handled by the current custom security proxy, or via your own custom security interceptor.
-
4. Re: How to handle dynamic authorization?
pearl81 Mar 19, 2004 5:50 PM (in response to pearl81)
In the custom security interceptor that I'll write up, would I have a hook to add to the roles? For example, since I would dynamically figure out, based on the nature of the incoming data, whether I'm the person's manager or not, I would have to add the "isManager" role to the security context.
How can I do this?
-
5. Re: How to handle dynamic authorization?
starksm64 Mar 19, 2004 7:33 PM (in response to pearl81)
Your hook is the interception of the ejb method call. You can do whatever you want to determine who the caller is. You cannot change the roles assigned to the user at authentication time. You permit access based on the derived manager role and either allow the call or fail it with a SecurityException.
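A sketch of the per-call check Scott describes, added here as an example; it is not code from the thread or from JBoss' own SecurityProxy API. The interceptor class, the PersonRemote interface, the in-memory org chart and the principal names are all hypothetical; a real interceptor would look the manager relation up in the HR database or directory.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Map;
import java.util.Set;

/** Hypothetical remote interface mirroring the method discussed in the thread. */
interface PersonRemote {
    void updatePerson(int personID);
}

/**
 * Data-dependent authorization at the interception point: the "isManager"
 * relation is derived from the call's own arguments for this call only.
 * The caller's roles on the authenticated Subject are never modified.
 */
public final class ManagerCheckInterceptor {
    // Constructed sample org chart: personID -> principal names of that person's managers.
    private final Map<Integer, Set<String>> managersOf;
    // Static "admin" role, as it would be declared in ejb-jar.xml.
    private final Set<String> admins;

    ManagerCheckInterceptor(Map<Integer, Set<String>> managersOf, Set<String> admins) {
        this.managersOf = managersOf;
        this.admins = admins;
    }

    /** Called before the bean method runs; returns normally to allow or throws to deny. */
    public void checkAccess(Principal caller, Method method, Object[] args) {
        if (!"updatePerson".equals(method.getName()) || args.length != 1) {
            return; // other methods keep their purely declarative role checks
        }
        int personId = (Integer) args[0];
        String name = caller.getName();
        if (admins.contains(name)) {
            return;
        }
        if (managersOf.getOrDefault(personId, Set.of()).contains(name)) {
            return; // caller manages the person whose record is being updated
        }
        throw new SecurityException(name + " is neither admin nor manager of person " + personId);
    }

    public static void main(String[] a) throws Exception {
        ManagerCheckInterceptor ic = new ManagerCheckInterceptor(Map.of(42, Set.of("alice")), Set.of("root"));
        Method m = PersonRemote.class.getMethod("updatePerson", int.class);
        ic.checkAccess(() -> "alice", m, new Object[]{42}); // alice manages 42: allowed
        try {
            ic.checkAccess(() -> "bob", m, new Object[]{42}); // bob does not: denied
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```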
-
6. Re: How to handle dynamic authorization?
pearl81 Mar 22, 2004 1:06 PM (in response to pearl81)
Thanks Scott for the great insight. Do you think this would qualify as an enhancement request to the security interceptor, I hope?
"Add/remove transient roles to the ejb security context using the security interceptor, to leverage the J2EE declarative security model"
It seems that I cannot use the declarative security model because I cannot add to the ejb context using the interceptor.
Today I cannot declaratively configure my security in the ejb-jar.xml for the updatePerson method so that I could have configured that manager, admin can update the person's record.
This is because I'm not able to add to the security context, based on the data, the fact that the person record being updated is being updated by that person's manager.
Your thoughts?