5 Replies Latest reply on Apr 9, 2006 5:44 PM by Scott Stark

    JAAS dynamic role-based security with a custom Policy?

    ikarpov Newbie


      I am working on a set of web applications that use JDO to authenticate the user against an Oracle database. We are thinking of implementing dynamic role-based security, by which I mean the following:

      There are Users, Roles, and Rights. Each user has one or more Roles and each Role has zero or more Rights. Speaking in terms of JAAS, these are Subjects, Principals and Permissions respectively. Rights are static and designed into our application code. Users, Roles, Users->Role and Role->Right mappings are all dynamic, i.e. can be changed while the application is running.

      I would love to see an application server that will let me do both authentication AND authorization for such a system with JAAS. I don't want to extend or import anything specific to the application server in my code. I can easily write a custom LoginModule to authenticate a subject, and I can implement a Policy that checks for the right permissions for our application.

      My question is, can I use a custom java.security.Policy with JBoss? If not, how can I implement such a security model in a portable manner?

      Thank you.
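To show the Users/Roles/Rights model above expressed as a custom java.security.Policy, here is an added example (not the poster's code and not JBoss code). The class names RightPermission, RolePrincipal and DynamicRolePolicy are illustrative, the Role->Right map is changed at runtime to show the dynamic part, and the decision is exercised on the Policy object directly rather than through an installed Policy and AccessController, since installing a Policy depends on the JVM version.

```java
import java.security.*;
import java.util.Objects;
import java.util.concurrent.*;

final class RightPermission extends BasicPermission { // a static application Right, modelled as a named permission
    RightPermission(String name) { super(name); }
}

// A Role as a JAAS Principal; a LoginModule would add these to the Subject after authenticating the user.
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = Objects.requireNonNull(name); }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
    @Override public int hashCode() { return name.hashCode(); }
}

// Custom Policy: Role->Right mappings live in a thread-safe mutable map so they can change while the app runs.
final class DynamicRolePolicy extends Policy {
    private final ConcurrentMap<String, Permissions> rightsByRole = new ConcurrentHashMap<>();
    private final Policy codeSourcePolicy; // optional delegate so ordinary code-source grants are not lost
    DynamicRolePolicy(Policy codeSourcePolicy) { this.codeSourcePolicy = codeSourcePolicy; }
    void grant(String role, Permission right) { rightsByRole.computeIfAbsent(role, r -> new Permissions()).add(right); }
    void revokeAll(String role) { rightsByRole.remove(role); }

    // Authorization decision: granted if any RolePrincipal on the domain (attached by
    // Subject.doAsPrivileged through the SubjectDomainCombiner) holds a Right implying the permission.
    @Override public boolean implies(ProtectionDomain domain, Permission permission) {
        if (codeSourcePolicy != null && codeSourcePolicy.implies(domain, permission)) return true;
        for (Principal p : domain.getPrincipals()) {
            Permissions rights = p instanceof RolePrincipal ? rightsByRole.get(p.getName()) : null;
            if (rights != null && rights.implies(permission)) return true;
        }
        return false;
    }
}

public class DynamicRolePolicyDemo {
    public static void main(String[] args) {
        DynamicRolePolicy policy = new DynamicRolePolicy(null);
        policy.grant("editor", new RightPermission("document.edit"));
        // Constructed domain standing in for the one the JVM builds from the caller's code plus the Subject's principals.
        ProtectionDomain asEditor = new ProtectionDomain(null, null, null, new Principal[] { new RolePrincipal("editor") });
        System.out.println("editor may edit: " + policy.implies(asEditor, new RightPermission("document.edit")));
        policy.revokeAll("editor"); // Role->Right mapping changed at runtime; the next check reflects it immediately
        System.out.println("editor may edit after revoke: " + policy.implies(asEditor, new RightPermission("document.edit")));
    }
}
```

Note that the Policy only answers for Rights modelled as permissions; it still needs the delegate (or an equivalent) to answer for the code-source permissions the server's own policy grants, otherwise installing it can break unrelated code.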