1. Re: jbpm process security
starksm64 May 20, 2005 10:42 AM (in response to tom.baeyens)
Give some specific examples of more complicated authorization rules. Your choices are:
1. If the rules can be decomposed into a user having a set of roles, the existing JAAS mechanism can be used.
2. If the rules require more logic, but can be expressed using custom java.security.Permission objects, you can use the java.security.Policy mechanism to assign permissions to users and test the permissions using the Policy.implies check similar to how JACC works.
3. If the permission rules just don't fit Permissions, we need a new security service that layers on top of the others and employs a rules engine to help with the permissions evaluations.
2. Re: jbpm process security
tom.baeyens May 22, 2005 2:47 AM (in response to tom.baeyens)
You summarized the exact 3 options that I have thought about, but I couldn't see them as clearly distinct.
I don't want jBPM to be tied to only *one* of those mechanisms.
Maybe we can do the following to support all of them:
1) user-roles-JAAS:
    // somewhere in the jbpm code
    if (user-roles-jaas-security-is-configured-in-jbpm) {
        // how to check if the current user is in role r ?
        // Subject.getSubject(...) --> org.jboss...RolesPrincipal or something like that
        // or should that be done via the SecurityAssociation somehow ?
    }
2) permission security:
    // somewhere in the jbpm code
    if (permission-security-is-configured-in-jbpm) {
        AccessController.checkPermission( new ViewTaskPermission(...) );
    }
3) if users want to do things not in line with the previous 2 approaches, they are on their own...
regards, tom.
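An added illustration of the first two options from starksm64's reply, wired together the way tom's sketch above suggests: role membership comes from the JAAS Subject's principals, and the finer-grained "which task, which action" decision is a custom java.security.Permission tested through implies. This is example code written for this thread, not jBPM or JBoss code; TaskPermission, RolePrincipal, the ROLE_GRANTS table and the sample roles "reviewer" and "manager" are assumptions constructed for the demo.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

public class TaskAuthzDemo {

    /** Hypothetical permission: target is a task name (or a prefix ending in '*'), actions a comma list. */
    public static final class TaskPermission extends Permission {
        private final Set<String> actions;

        public TaskPermission(String taskName, String actionList) {
            super(taskName);
            this.actions = new TreeSet<>(Arrays.asList(actionList.split("\\s*,\\s*")));
        }

        /** Granted permission implies a requested one when the name pattern matches and every requested action is granted. */
        @Override
        public boolean implies(Permission p) {
            if (!(p instanceof TaskPermission)) return false;
            TaskPermission other = (TaskPermission) p;
            String mine = getName();
            boolean nameMatches = mine.equals(other.getName())
                || (mine.endsWith("*") && other.getName().startsWith(mine.substring(0, mine.length() - 1)));
            return nameMatches && actions.containsAll(other.actions);
        }

        @Override public String getActions() { return String.join(",", actions); }

        @Override public boolean equals(Object o) {
            if (!(o instanceof TaskPermission)) return false;
            TaskPermission t = (TaskPermission) o;
            return getName().equals(t.getName()) && actions.equals(t.actions);
        }

        @Override public int hashCode() { return getName().hashCode() * 31 + actions.hashCode(); }
    }

    /** Minimal role principal, standing in for whatever group/role principal the login module puts in the Subject. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Role -> granted permissions. Constructed here; a deployment would load this from a Policy or config file. */
    private static final Map<String, PermissionCollection> ROLE_GRANTS = new HashMap<>();
    static {
        Permissions reviewer = new Permissions();
        reviewer.add(new TaskPermission("review-*", "view"));
        ROLE_GRANTS.put("reviewer", reviewer);

        Permissions manager = new Permissions();
        manager.add(new TaskPermission("*", "view,assign,complete"));
        ROLE_GRANTS.put("manager", manager);
    }

    /** Option 1 supplies the roles (Subject principals); option 2 decides via Permission.implies on each role's grants. */
    public static boolean isAuthorized(Subject subject, TaskPermission required) {
        for (Principal p : subject.getPrincipals(RolePrincipal.class)) {
            PermissionCollection granted = ROLE_GRANTS.get(p.getName());
            if (granted != null && granted.implies(required)) return true;
        }
        return false; // deny by default: no role grants the requested task/action
    }

    public static void main(String[] args) {
        Subject alice = new Subject(); // constructed: alice holds only the reviewer role
        alice.getPrincipals().add(new RolePrincipal("reviewer"));

        System.out.println("view review-invoice-42: "
            + isAuthorized(alice, new TaskPermission("review-invoice-42", "view")));
        System.out.println("complete review-invoice-42: "
            + isAuthorized(alice, new TaskPermission("review-invoice-42", "complete")));
        System.out.println("view approve-po-7: "
            + isAuthorized(alice, new TaskPermission("approve-po-7", "view")));
    }
}
```

The check is deny-by-default and keeps the "is user in role r" question separate from the "may role r do action a on task t" question, which is what lets the same jBPM call site sit on top of either a pure JAAS role check or a Policy.implies lookup as the thread discusses.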
3. Re: jbpm process security
starksm64 May 23, 2005 9:02 AM (in response to tom.baeyens)
What is needed is an equivalent of the ejb/web container interceptor that can be configured as part of the workflow so that the security implementation is a pluggable aspect of the workflow. Ultimately the jbpm layer should be able to take advantage of the security aspects from the unified jboss5 implementation.