5 Replies Latest reply on Aug 3, 2004 11:27 AM by Scott Stark

    custom security

    sebastien Newbie


      I'd like to implement the following with JBOSS:

      1. Principals and Roles dynamic mapping (i.e. an administrator can add/remove users and so on)
      2. Method and Roles dynamic mapping (i.e. an administrator can modify on the fly the roles assigned to the ever growing methods)
      3. dynamic access control per ownership at the bean instance level: specific instances are owned per specific users. a concrete example: a telecom equipment is sold to n sub-parties, the sub-party x can only view and manage the sub-lines (the DB rows) that it owns. the equipment top owner can allocate during the time the unused rows to a new sub-party.

      - for 1, I plan on keep on using JAAS and DatabaseLoginModule or a custom LoginModule.

      - for 2, it looks to me I have to overload the bean Container.getMethodPermissions method to lookup my
      RoleMethod DB. or would this be better in a custom proxy at invokeHome time ?

      - for 3, I'm gonna implement something like the following in a custom security proxy, invoke method:

      if (! obj.invoke(ownsInstanceprincipal)) throw SecurityException();

      ownsInstance beeing a boolean derived from a dynamic ejb-finder of the bean object with principal as argument.

      and in each bean with getter methods (or maybe an interceptor)

      set = ... /* legacy code to retrieve */
      return filterEntities(set, principal)

      the above is a very rough idea of what I'd do to quick-and-dirty prototype the item (3).
      I'd be interested in getting inputs of similar need and what solution/pattern were used ? Any advice welcomed,



        • 1. Re: custom security
          Scott Stark Master

          1) Should be doable via a custom Group added by your login module that responds to role changes while its cached.

          2) Should be done by creating a patch that exposes the container method permissions via jmx. It could also be done by modifying the existing org.jboss.ejb.plugins.SecurityInterceptor.

          • 2. Re: custom security
            sebastien Newbie

            Thanks for the answers Scott. about (3) I see that instance-based security has been rolled out of J2EE 1.4 specification but is beeing looked at for EJB3. does JBOSS have any plan for such support and do you know of any white paper I may look out ? I'm sligthly wondering about implementing some code that will get J2EE-obsolete in few years.

            • 3. Re: custom security
              Scott Stark Master

              What instance based security are you referring to? Interceptors are the basis for adding arbitary security checks and these may be standardized for ejb3.

              • 4. Re: custom security
                sebastien Newbie

                Hello Scott,
                I agree this can be done today but looks to me this is going to be part of the J2EE framework in the future. I'm referring to J2EE 3.7.2 "Instance-based Access Control" in the following document:

                • 5. Re: custom security
                  Scott Stark Master

                  Designing today for this empty statement is pointless:

                  J2EE.3.7.2 Instance-based Access Control
                  Some applications need to control access to their data based on the content of the
                  data, rather than simply the type of the data. We refer to this as “instance-based”
                  rather than “class-based” access control. We hope to address this in a future release.