5 Replies Latest reply on Aug 3, 2004 11:27 AM by starksm64

custom security

sblanc Jul 30, 2004 7:02 PM

Hello,

I'd like to implement the following with JBOSS:

1. Principals and Roles dynamic mapping (i.e. an administrator can add/remove users and so on)
2. Method and Roles dynamic mapping (i.e. an administrator can modify on the fly the roles assigned to the ever growing methods)
3. dynamic access control per ownership at the bean instance level: specific instances are owned per specific users. a concrete example: a telecom equipment is sold to n sub-parties, the sub-party x can only view and manage the sub-lines (the DB rows) that it owns. the equipment top owner can allocate during the time the unused rows to a new sub-party.

- for 1, I plan on keep on using JAAS and DatabaseLoginModule or a custom LoginModule.

- for 2, it looks to me I have to overload the bean Container.getMethodPermissions method to lookup my
RoleMethod DB. or would this be better in a custom proxy at invokeHome time ?

- for 3, I'm gonna implement something like the following in a custom security proxy, invoke method:

if (! obj.invoke(ownsInstanceprincipal)) throw SecurityException();

ownsInstance beeing a boolean derived from a dynamic ejb-finder of the bean object with principal as argument.

and in each bean with getter methods (or maybe an interceptor)

getXXX()
{
set = ... /* legacy code to retrieve */
return filterEntities(set, principal)
}

the above is a very rough idea of what I'd do to quick-and-dirty prototype the item (3).
I'd be interested in getting inputs of similar need and what solution/pattern were used ? Any advice welcomed,

Thanks.

Sebastien.

1. Re: custom security

starksm64 Aug 2, 2004 12:19 AM (in response to sblanc)

1) Should be doable via a custom Group added by your login module that responds to role changes while its cached.

2) Should be done by creating a patch that exposes the container method permissions via jmx. It could also be done by modifying the existing org.jboss.ejb.plugins.SecurityInterceptor.
Actions
2. Re: custom security

sblanc Aug 2, 2004 4:01 PM (in response to sblanc)

Thanks for the answers Scott. about (3) I see that instance-based security has been rolled out of J2EE 1.4 specification but is beeing looked at for EJB3. does JBOSS have any plan for such support and do you know of any white paper I may look out ? I'm sligthly wondering about implementing some code that will get J2EE-obsolete in few years.
Sebastien.
Actions
3. Re: custom security

starksm64 Aug 3, 2004 2:31 AM (in response to sblanc)

What instance based security are you referring to? Interceptors are the basis for adding arbitary security checks and these may be standardized for ejb3.
Actions
4. Re: custom security

sblanc Aug 3, 2004 10:45 AM (in response to sblanc)

Hello Scott,
I agree this can be done today but looks to me this is going to be part of the J2EE framework in the future. I'm referring to J2EE 3.7.2 "Instance-based Access Control" in the following document:
java.sun.com/j2ee/j2ee-1_4-pfd2-spec.pdf
Sebastien.
Actions
5. Re: custom security

starksm64 Aug 3, 2004 11:27 AM (in response to sblanc)

Designing today for this empty statement is pointless:

J2EE.3.7.2 Instance-based Access Control
Some applications need to control access to their data based on the content of the
data, rather than simply the type of the data. We refer to this as “instance-based”
rather than “class-based” access control. We hope to address this in a future release.
Actions

Go to original post