You will either have to employ non-role based security using custom logic or try to provide a custom implementation of the java.security.acl.Group that can make such dynamic associations. This would be associated with an authenticated user via a custom JAAS LoginModule.
I expose a method in my remote interface called
Now the only two roles that can execute this method are admin and isManager.
Observe the person being updated is a parameter being passed into the updatePerson method in the remote interface.
As I understand it, the CustomLoginModule would happen even before the method gets executed. Hence, I've to pass the personID to this module so that I can then establish the relationship to the caller.
Or on the server side can I write a SecurityProxyInterceptor that can add the role "isManager" to the EJBContext?
If the security check depends on the data coming in with the call then you really need to use a custom security interceptor. This can be handled by the current custom security proxy, or via your own custom security interceptor.
In the custom security interceptor that I'll write up, would I have a hook to add to the roles? For example, since I would dynamically figure out, based on the nature of the incoming data, if I'm the person's manager or not, I would have to add the "isManager" role to the security context.
How can I do this?
Your hook is the interception of the ejb method call. You can do whatever you want to determine who the caller is. You cannot change the roles assigned to the user at authentication time. You permission access based on the derived manager role and either allow the call or fail it with a SecurityException.
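Added example (not part of the original thread, and not JBoss code): a plain-Java sketch of the check an interceptor could run on the intercepted call, deriving the manager relationship from the arguments and failing with a SecurityException instead of adding a role. The `ManagerCheck` class, the `managerOf` lookup, the `PersonAdmin` interface and the assumption that `personID` is the first `String` argument are all hypothetical.

```java
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Map;
import java.util.Set;

public class ManagerCheck {
    // Hypothetical stand-in for the real lookup: personID -> manager's login name.
    private final Map<String, String> managerOf;

    public ManagerCheck(Map<String, String> managerOf) { this.managerOf = managerOf; }

    // Called by the interceptor with the intercepted method and its arguments.
    // authRoles are the roles fixed at authentication time; they are never modified.
    public void check(Principal caller, Set<String> authRoles, Method m, Object[] args) {
        if (!"updatePerson".equals(m.getName())) return;   // not data-dependent
        if (authRoles.contains("admin")) return;           // static role is enough
        // Assumption: personID is the first argument and is a String.
        if (caller == null || args == null || args.length == 0 || !(args[0] instanceof String))
            throw new SecurityException("updatePerson denied: no caller or personID");
        String manager = managerOf.get((String) args[0]);
        // Unknown person or a different manager both fail closed.
        if (manager == null || !manager.equals(caller.getName()))
            throw new SecurityException("updatePerson denied: caller is not the manager");
    }

    // Assumed shape of the remote interface method (the thread does not show it).
    interface PersonAdmin { void updatePerson(String personID, String newName); }

    public static void main(String[] unused) throws Exception {
        ManagerCheck mc = new ManagerCheck(Map.of("p-100", "alice")); // constructed data
        Method m = PersonAdmin.class.getMethod("updatePerson", String.class, String.class);
        Object[] args = {"p-100", "New Name"};
        Principal alice = () -> "alice", bob = () -> "bob";
        mc.check(alice, Set.of(), m, args);          // allowed: manager of p-100
        mc.check(bob, Set.of("admin"), m, args);     // allowed: admin
        try {
            mc.check(bob, Set.of(), m, args);        // neither admin nor manager
            throw new AssertionError("expected denial");
        } catch (SecurityException expected) {
            System.out.println("bob denied");
        }
    }
}
```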
Thanks Scott for the great insight. Do you think this would qualify as an enhancement request to the security interceptor, I hope?
"Add/remove transient roles to the ejb security context using the security interceptor, to leverage the J2EE declarative security model"
It seems that I cannot use the declarative security model because I cannot add to the ejb context using the interceptor.
Today I cannot declaratively configure my security in the ejb-jar.xml for the updatePerson method so that I could have configured that manager, admin can update the person's record.
This is because I'm not able to add to the security context based on the data that the person data being updated is by the manager.