0 Replies Latest reply on Feb 17, 2003 8:20 AM by Christoph Schoenfeld

    Custom Policy vs. J2EE Security

    Christoph Schoenfeld Newbie

      I have already posted this in the JDC Security Manager forum but not got any replies. Perhaps you know an answer here.

      ---------------------------
      Custom Policy vs. J2EE Security
      Author: cschll Feb 14, 2003 2:52 AM

      Hi there, Java Security architecture gurus,

      I am currently trying to find the best architecture for the new security framework for our company's application. The system requires instance based security. ACLs are stored in a database. JAAS's authentication is just fine, but its file based authorization is not sufficient for our needs. Access rights change during runtime and they should not be refreshed that inefficient way with Policy.refresh().

      The solution I would like to establish should cope with changing environments without the need to change the code that is using security checks. E.g. the app should be able to run as a stand-alone application or within J2EE application servers or servlet engines.

      I have looked at the Java 2 Security API and found out that implementing a customized version of the JAAS Policy class can be one approach. A good benefit is the tight integration with the Java Security framework and that it not necessary to reimplement things like the AccessController and privileged actions.

      Now, I have the following questions:
      - Is the custom Policy a common solution when the application is deployed on a J2EE appserver?
      - Is it possible to delegate permission checking of the system permissions (FilePermission, PropertyPermission, etc.) to the original Policy implementation? I would not really want to have to include all of these in the database table.

      The alternative approach would probably be J2EE security with the cost of restricting the app to the J2EE environment. To me it seems to be impossible to implement instance based security with role based descriptive J2EE security. With programatic EJB security, I would need to make isPrincipalInRole() completely dynamic to support it.

      I looked through the forum for quite a while without success but if you already discussed this topic I would really appreciate a pointer.

      Thanks,
      Christoph