1 Reply Latest reply on Jul 16, 2008 3:57 AM by David Causse

    Instance based authorization

    David Causse Newbie

      Hi,

      I'm looking for a solution to do implement security in my java EE 5 application.
      I've read Java EE spec and I can't find any security related annotation/api that is really useful. Who can use @RolesAllowed annotation for serious security management? IMHO it is too much simple... I start to beleive that JAAS is only used for authentification...

      So I looked at non-standrds solutions and found Security Annotation Framework (http://safr.sourceforge.net/).
      I had a look at Seam... Hibernate Filters...
      I've read some discussion here about JBoss ACL...
      Well, the most elegant solution and less-intrusive solution seems to be SAF. But it was designed first for Spring...

      8 years ago we had to develop our security framework, is it the same today?
      I hoped AOP would help cleaning my code from all those verbose security tests...

      For example a simple use case :
      I have a user that can work on different projects, he can create files on project1 and only read files on project2.

      To resume:
      SAF is interesting but is it possible to use it inside JBoss AS?
      Seam is interesting but we don't want the full stack it offers (We have to develop standalone EJB3 client application).
      Hibernate Filters cannot be used in services methods.

      So what do you use to implement the simple use-case described above?

      Thank you,

      David.