1 Reply Latest reply on Dec 7, 2002 9:07 PM by Erik Sliman

    Rule-Based doesUserHaveRole Checking

    R.W. Shore Newbie

      I'd like to be able to create an environment in which the doesUserHaveRole checking uses rules rather than an enumerated list of string equivalents (I can discuss the reason in more detail if anybody's interested). I propose to implement this feature as follows:

      1. Create an extension of SimplePrincipal called (say) RoleCheckPrincipal.

      2. Modify SimpleGroup.isMember() as follows:
      a. If the parameter "member" is an instanceof SimplePrincipal, replace it with an instance of RoleCheckPrincipal that has the same name.
      b. Rather than use members.containsKey(), explicitly iterate through the key set and call key.equals(member) - that is, ensure that the equals() method of the key that's in the members map gets called, rather than the equals() method of the member parameter.

      This allows me to implement a rule-based role check as follows:

      1. The appropriate LoginModule builds a special Principal object with an equals() method that implements the rule check.

      2. If the parameter to this Principal's equals() method is an instance of RoleCheckPrincipal, then the Principal performs the rule-based check; otherwise it does something sensible, like returning an equals() comparison on its own name.

      The point of this is to allow the equals() method in the special principal to "know" whether the method is being called in the context of an isMember() check or some other context. In turn, this allows the special principal to decide whether or not to trigger its rule-based processing on the incoming parameter.

      Note that since the RoleCheckPrincipal is an extension of SimplePrincipal, all existing code that depends on seeing a SimplePrincipal in the equals() method will work unchanged.

      1. Given that I want to support a rule-based doesUserHaveRole check with a minimum of changes to existing JBoss coding, does this approach make sense? Does somebody have an alternate approach to achieve the same end?

      2. If this seems like a reasonable thing to do, shall I post the modified code here for inclusion into the JBoss code base?

        • 1. Re: Rule-Based doesUserHaveRole Checking
          Erik Sliman Apprentice

          DYNAMIC ROLES

          I developed an security application (JAR and WAR) that provides an interface for users and applications. It allows you to dynamically create all the security information via a web browser, including roles, users, modules, user-roles, role-modules (CRUD), etc,...

          The result is that the application never inquires on a user role, since roles are dynamic. What is defined at development time are modules. If you have a customer screen, you can create a customer module.

          The effect is this:

          1> User signs on, and is assigned a session key.
          2> The customer modules inquires on the CRUD access the session has to that module.

          So you never actually inquire on a user's role. What you are really determining is the access a session has to the functionality of your application, represented as modules. The advantage is that roles can be dynamically created in production, and assigned to users. You can give users called Security Administrators (SA) the ability to maintain users, roles, and their intersection.

          If your requirements call for "static" roles, you just create them yourself, and don't give access to end-users. In effect, you are the SA.