Hi,
I'm fairly new to EJB and Java security, and I'm bumping my head
against the wall trying to understand what the right way to do what I
want is. My questions are these:
1. Is JAAS the right thing for specifying roles required for executing
an EJB method? If so, how do I define, for example, that the method
foo() on the bean A requires an admin role? How is the permission
checked? I was under the impression that the check is done by creating
a new EJBMethodPermission and calling the
SecurityManager.checkPermission with it, but I may be confused.
2. If the standard role based access control is not enough for my use
case and I need to extend it (in the way specified below), how can I
do it in the most standard and least app server dependent way? Can I
somehow extend EJBMethodPermission, and let JAAS use it?
3. One other option I thought about was to write my own interceptor
and disable the rest of the authorization checks, but this is probably
not the right thing, as it may create security violations of other
types.
The role based access control I want to support is this:
Users have a default role, and may also have roles on scopes. Scope is
a set of identities of objects. When the user is about to invoke a
method on an EJB, I would like to extract from the method parameters,
the scope, and from that scope I can infer what is the user's role on
that scope, and then compare that role, with the role that is required
for calling the method. If the user is allowed to call the method the
call will proceed, otherwise, some exception will be thrown.
I really need some help in understanding that, because I seem to have
had some misconception of what can/should be done with JAAS.
Thanks!
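
The scoped role decision described in the post, as an added example in plain Java (not the poster's code and not any app server's API). The class and method names, the ordered `Role` enum, and the rule that a role held on a matching scope replaces the default role (highest wins when several scopes match) are assumptions made for the illustration; where the check is enforced is left open.

```java
import java.util.*;

public class ScopedRoleCheck {
    // Assumed ordering: a later constant satisfies a requirement for an earlier one.
    enum Role { GUEST, USER, ADMIN }

    private final Map<String, Set<String>> scopes;                  // scope name -> object ids
    private final Map<String, Role> defaultRoles = new HashMap<>(); // user -> default role
    private final Map<String, Map<String, Role>> scopedRoles = new HashMap<>(); // user -> scope -> role

    ScopedRoleCheck(Map<String, Set<String>> scopes) { this.scopes = scopes; }

    void addUser(String user, Role defaultRole, Map<String, Role> rolesOnScopes) {
        defaultRoles.put(user, defaultRole);
        scopedRoles.put(user, rolesOnScopes);
    }

    // Role of the user on the object: the role held on a scope containing it,
    // otherwise the default role. Assumption: with several matching scopes the highest wins.
    Optional<Role> effectiveRole(String user, String objectId) {
        if (objectId == null) return Optional.empty();   // no scope can be derived
        Role best = null;
        for (Map.Entry<String, Role> e : scopedRoles.getOrDefault(user, Map.of()).entrySet()) {
            Set<String> ids = scopes.getOrDefault(e.getKey(), Set.of());
            if (ids.contains(objectId) && (best == null || e.getValue().compareTo(best) > 0)) {
                best = e.getValue();
            }
        }
        return Optional.ofNullable(best != null ? best : defaultRoles.get(user));
    }

    // Fail closed: unknown user, missing object id or insufficient role all deny.
    void check(String user, Role required, String objectId) {
        Role actual = effectiveRole(user, objectId).orElse(null);
        if (actual == null || actual.compareTo(required) < 0) {
            throw new SecurityException(user + " needs " + required + " on " + objectId);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data.
        ScopedRoleCheck rbac = new ScopedRoleCheck(Map.of("projectX", Set.of("doc-1", "doc-2")));
        rbac.addUser("alice", Role.USER, Map.of("projectX", Role.ADMIN));
        rbac.check("alice", Role.ADMIN, "doc-1");       // allowed: ADMIN on projectX
        try {
            rbac.check("alice", Role.ADMIN, "doc-9");   // outside the scope: default USER
        } catch (SecurityException denied) {
            System.out.println("denied: " + denied.getMessage());
        }
    }
}
```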

