An authenticated subject identity doesn't help in access control decisions if the principal on whose behalf the subject is executing is a stranger. Most authorization systems today are identity based, requiring principals to be known to the system (often through administrative actions such as account creation or certificate generation) before their requests for protected resources can be authorized. Consequently, in large or distributed systems, administrative scalability is a serious problem.
I'm studying "attribute-based access control" (ABAC), an approach to authorization that addresses this problem of administrative scalability. Instead of using subject identity, ABAC authorization decisions are based on principal attributes that are housed in portable, verifiable attribute credentials. Attribute credentials contain potentially sensitive data (e.g., credit limit, security clearance level), and must be protected. Now I am trying to develop a prototype according to the following scenario: I want to invoke an EJB, and the authorization decision is based on whether the user has the required attribute credentials or not.
Concerning the design I'm not sure if it's correct:
-> First I want to use JAAS to authenticate the User and fill the Subject with the credentials sent by the User. Therefore I need to write my own Login Module.
-> Once the Subject is filled with User credentials a decision can be made if the credentials of the user are sufficient to access the EJB. The EJB itself also has Credentials stored in a db. I'm not sure how to realize this scenario and what interface I have to use. Can I use JACC or should I better use the JBOSS SecurityProxy Interface? All I need for my access decision is the user credentials (stored in a Subject) and the EJB credentials (stored in a db, to access them I need an Identifier of the invoked EJB).
Could you give me any advice?
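
The decision step described in the post, sketched with only the JDK's JAAS classes as an added example that is not part of the original post. It assumes a custom LoginModule has already verified the attribute credentials and placed them in the Subject; `AttributeCredential`, the `REQUIRED` map (standing in for the database), the EJB identifier string and the issuer name are all hypothetical.

```java
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class AbacDecisionExample {
    // Hypothetical credential type; a real one would also carry a signature
    // that the LoginModule verifies before adding it to the Subject.
    record AttributeCredential(String name, String value, String issuer) {}

    // Stand-in for the database of required attributes, keyed by EJB identifier.
    static final Map<String, Map<String, String>> REQUIRED = Map.of(
        "AccountBean.transfer", Map.of("clearance", "secret", "department", "finance"));

    // Attribute authorities whose credentials the policy accepts (constructed value).
    static final Set<String> TRUSTED_ISSUERS = Set.of("attr-authority.example");

    /** Permit only if every required attribute is held in a credential from a trusted issuer. */
    static boolean isPermitted(Subject subject, String ejbId) {
        Map<String, String> required = REQUIRED.get(ejbId);
        if (required == null) {
            return false; // no policy for this EJB: deny by default
        }
        // Private credentials, because attribute values can be sensitive.
        Set<AttributeCredential> held = subject.getPrivateCredentials(AttributeCredential.class);
        for (Map.Entry<String, String> need : required.entrySet()) {
            boolean satisfied = held.stream().anyMatch(c ->
                TRUSTED_ISSUERS.contains(c.issuer())
                    && c.name().equals(need.getKey())
                    && c.value().equals(need.getValue()));
            if (!satisfied) {
                return false; // one missing attribute is enough to deny
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // A principal with no account, carrying two attribute credentials (constructed data).
        Subject stranger = new Subject();
        stranger.getPrivateCredentials().add(
            new AttributeCredential("clearance", "secret", "attr-authority.example"));
        stranger.getPrivateCredentials().add(
            new AttributeCredential("department", "finance", "attr-authority.example"));
        System.out.println("full set:    " + isPermitted(stranger, "AccountBean.transfer"));

        // Same claim from an issuer the policy does not trust.
        Subject untrusted = new Subject();
        untrusted.getPrivateCredentials().add(
            new AttributeCredential("clearance", "secret", "unknown.example"));
        System.out.println("bad issuer:  " + isPermitted(untrusted, "AccountBean.transfer"));
        System.out.println("unknown EJB: " + isPermitted(stranger, "OtherBean.read"));
    }
}
```

The check depends only on the Subject and an EJB identifier, so it can be called from whichever interception point the container offers.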