1 Reply Latest reply on Aug 8, 2005 12:39 AM by Ashwin Kumar Karkala

    Implementation of mandate-type access

    Artem Golubev Newbie

      I have to implement mandate-type access to EJB beans
      it means, that:
      1. Any user have
      a) username;
      b) password;
      c) mandate access level (simply, "mandate") for example it can be a integer number in range [0; 4].
      2. Any user can login with its username, password and current_mandate that can be (it must be checked) <= his mandate.
      3. Any mehod of EJB bean will be divide to 2 types:
      a) "read" methods;
      b) "write" methods.
      4. Each EJB bean will have mandate level (mandate);
      5. When user U calls method M in bean B we must
      chack, that
      if (M is "read" method) then
      U.mandate <= B.mandate
      if (M is "write" method) then
      U.mandate >= B.mandate
      6. JMS must be changed to embed mandate level into message envelope.
      7. Our DB already have such system:
      Any table already have special field "mandate_level".
      Any user can indicate any current_mandate <= his mandate
      so this user can read rows with mandate <= current_mandate
      but can write rows indicating mandate = his mandate (not current).
      So Entity beans must write rows with mandate_level field =
      current_mandate!

      The question is:
      What is the best way to do this?

      Have I rewrite JaasSecurityMgr class or it will be enough to write some plug-in or somethig else?

        • 1. Re: Implementation of mandate-type access
          Ashwin Kumar Karkala Newbie

          Seems like you have to define a custom implementation of the RealmMapping interface. The interface defines a method


          /** Validates the application domain roles to which the operational
          environment Principal belongs.
          @param principal the caller principal as known in the operation environment.
          @param roles The Set<Principal> for the application domain roles that the
          principal is to be validated against.
          @return true if the principal has at least one of the roles in the roles set,
          false otherwise.
          */
          public boolean doesUserHaveRole(Principal principal, Set roles);


          Your implementation can return true/false based on the mandate level. You might also need to define a custom login module (only your requirements will define this need) that gets the mandate value into the subject.

          On complete details on how to implement a custom security manager and custom login modules (for the JAAS security manager) please read

          http://docs.jboss.org/jbossas/admindevel326/html/ch8.chapter.html