I'm currently trying to properly build authentication into an application (servlet/Struts + EJB). There are the following issues:
1. the entity bean should log the user in the DB;
2. some URLs are accessed only with authorisation;
3. some are unauthorised;
- in this case one of the fields of the entity bean should be passed as the user id;
4. 'create/update' operations on an entity require a role which depends on the data (a user who has roleA can only modify data which has value A in field 'region', roleB when value B in field 'region' + some more heavy logic).
5. There is no need to implement security at the EJB level, except logging the user id into the DB.
Currently I've done declarative security on servlet/Struts.
For the rest I have some doubts/questions:
problem 3. - I would like to use security-domain in EJB + ClientLoginModule for propagation from the servlet + audit user field (will be set automagically). But how to deal with an unauthorised user? One solution is to force him to log in. How to avoid it (and log in programmatically for passing another field as user id)?
To make it more complex: some URLs are accessed only with authorisation A, some URLs are accessed only with authorisation B (other ways of authorisation - one is DatabaseLoginModule, the second requires a SOAP message to be sent - I can write a custom login module). But as far as I know there is no way to have two realms for one web module - so I have to have two separate servlets. Also the security-domain is 'hardcoded' in the EJB. Is there a way to tell the EJB: use the same JNDI for security as the servlet?
problem 4. Now the easiest is to do this in the Struts Action. But it is an 'antipattern'; I prefer to have this checking in the Business Object (POJO). Question: how to check userInRole in a POJO object (meaning how to get the user's data from JAAS)?
For now the only way I'm able to implement it is:
- pass the user's data from the servlet to the BO inside the DTO object, bypassing JAAS;
- set the user id on the entity myself;
Ugly and inefficient.
Thanks for help,
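An added example (not part of the post above, and not from any particular container) of how the data-dependent rule from problem 4 and the audit user id can be enforced in a POJO business object without passing user data through the DTO. It assumes a small `Caller` interface with two adapters: `EjbCaller` for a session bean facade (uses the standard `SessionContext` methods) and `JaasCaller` for a plain POJO path, which assumes the call runs inside `Subject.doAs(...)` and that roles are visible as principal names; `RegionalRecordService`, `ROLE_FOR_REGION` and `update` are hypothetical names.

```java
import java.security.AccessController;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

/** What the business object needs to know about the caller; no servlet, Struts or EJB types leak in. */
interface Caller {
    String getUserId();
    boolean isInRole(String role);
}

/** Adapter for a session bean facade: delegates to the EJB container's own view of the caller. */
class EjbCaller implements Caller {
    private final javax.ejb.SessionContext ctx;
    EjbCaller(javax.ejb.SessionContext ctx) { this.ctx = ctx; }
    public String getUserId() { return ctx.getCallerPrincipal().getName(); }
    public boolean isInRole(String role) { return ctx.isCallerInRole(role); }
}

/** Adapter for a plain POJO call path: reads the JAAS Subject bound to the current thread.
 *  Assumption: the invocation runs inside Subject.doAs(...) and each role is visible as a
 *  Principal name (how roles are nested inside the Subject is container-specific). */
class JaasCaller implements Caller {
    private final List<String> names = new ArrayList<>();
    JaasCaller() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) throw new SecurityException("no authenticated Subject on this thread");
        for (Principal p : s.getPrincipals()) names.add(p.getName());
        if (names.isEmpty()) throw new SecurityException("Subject carries no principals");
    }
    public String getUserId() { return names.get(0); }   // first principal = user identity (assumption)
    public boolean isInRole(String role) { return names.contains(role); }
}

/** Business object: the region/role rule from the question, enforced outside the Struts Action. */
class RegionalRecordService {
    private static final Map<String, String> ROLE_FOR_REGION = Map.of("A", "roleA", "B", "roleB");

    /** Applies the update and returns the user id written to the audit field; throws if not allowed. */
    public String update(Caller caller, String region, Map<String, String> row) {
        String required = ROLE_FOR_REGION.get(region);
        if (required == null || !caller.isInRole(required)) {
            throw new SecurityException("caller may not modify records of region " + region);
        }
        row.put("region", region);
        row.put("modifiedBy", caller.getUserId());   // audit field comes from the caller, not the DTO
        return caller.getUserId();
    }
}
```

The Struts Action then only builds the DTO; the session bean (or the POJO call path) constructs the `Caller` and the business object decides, so the authorisation logic is not duplicated in the web tier.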