6 Replies Latest reply on Mar 22, 2004 1:06 PM by pearl81

    How to handle dynamic authorization?


      I have a requirement wherein I have person 'A' that's trying to update person 'B'. person 'B' can only be updated by an admin, or his manager.

      now person 'A' evaluates to non admin during initial login, but since he is person 'B''s manager he can update person 'B'.

      But I would not know to give person 'A' the isManager role only till such time I evaluate the relationship and authorize person 'A' dynamically.

      How can I achieve this?

        • 1. Re: How to handle dynamic authorization?

          You will either have to employ non-role based security using custom logic or try to provide a custom implementation of the java.security.acl.Group that can make such dynamic associations. This would be associated with an authenticated user via a custom JAAS LoginModule.

          • 2. Re: How to handle dynamic authorization?

            I expose a method in my remote interface called

            updatePerson(int personID)

            Now the only two roles that can execute this method are admin and isManager.

            Observe the person being updated is a parameter being passed into the updatePerson method in the remote interface.

            As I understand it, the CustomLoginModule would happen even before the method gets executed. Hence, I've to pass the personID to this module so that I can then establish the relationship to the caller.

            Or on the server side can I write a SecurityProxyInterceptor that can add the role "isManager" to the EJBContext?


            • 3. Re: How to handle dynamic authorization?

              If the security check depends on the data coming in with the call then you really need to use a custom security interceptor. This can be handled by the current custom security proxy, or via your own custom security interceptor.

              • 4. Re: How to handle dynamic authorization?

                In the custom security interceptor that I'll write up, would I have a hook to add to the roles? For eg. since I would dynamically figure out on the nature of the incoming data, if I'm the person's manager or not, I would have to add to the security context the "isManager" role.

                How can I do this?

                • 5. Re: How to handle dynamic authorization?

                  Your hook is the interception of the ejb method call. You can do whatever you want to determine who the caller is. You cannot change the roles assigned to the user at authentication time. You permission access based on the derivced manager role and either allow the call or fail it with a SecurityException.

                  • 6. Re: How to handle dynamic authorization?

                    Thanks Scott for the great insight. Do you think this would qualify as an enhancement request to the security interceptor, I hope?

                    "Add/remove transient roles to the ejb security context using the security interceptor, to leverage the J2EE declarative security model"

                    It seems that I cannot use the declarative security model because I cannot add to the ejb context using the interceptor.

                    Today I cannot declaratively configure my security in the ejb-jar.xml for the updatePerson method so that I could have configured that manager, admin can update the person's record.

                    This is because I'm not able to add to the security context based on the data that the person data being updated is by the manager.

                    Your thoughts?