Does JAAS provide a solution to instance based authorization? For instance if you have a scenario where where one type of user is able to create orders and another user is able to only view orders, I think JAAS handles this sort of paradigm. But what if I want to restrict whether a specific instance of a user can view a specific order? Can JAAS handle this? Thanks in advance.
Sun Certified Java Developer <br />Sun Web Component Java Developer<br />Sun Certified Java Programmer
Originally posted by chris kelly: Does JAAS provide a solution to instance based authorization? For instance if you have a scenario where where one type of user is able to create orders and another user is able to only view orders, I think JAAS handles this sort of paradigm. But what if I want to restrict whether a specific instance of a user can view a specific order? Can JAAS handle this? Thanks in advance.
Chris- You've asked a couple of really good questions!! I'll try to answer this question and yours from the previous thread all at once (since they both deal with JAAS): JAAS is somewhat orthagonal to both of your questions... JAAS can be used to help provide single sign on (it can't do it alone) and can help provide the type of authorization that you mention in the quote above. The way I like to think of it is this: JAAS is to security authentication and authorization as JDBC is to databases. JAAS is really only a set of interfaces and some basic guidelines and helper classes. The power in JAAS comes with its underlying LoginModules, Principals and Credentials which (except for the ones provides by Sun with the JDK) are generally expected to be provided by 3rd party vendors. These classes (the third party ones) are the ones that actually do the work of authentication and authorization. So, let me ask a rhetorical question... Can JDBC provide pessimistic row locking on a given table? The answer is "kind of..." It'll allow you to do it, but only if the underlying DBMS will allow it or supports it. It's the same answer to both of your questions. Single sign on can be used with JAAS if you have the pluggable components to support it. Same with fine grained authorization - if you've got the right info in your principal and credential objects, you can do the authorization. In fact, in our book, there's an example of a JAAS LoginModule that uses a RDBMS for authentication, then implements custom Principal and Credential objects that allow for some pretty fine-grained authorization... I don't blame you if you're confused by now... Just about every security sales rep I meet throws around the term JAAS with impunity (and usually out of context). It's a great buzzword to use, but unfortunately it's being used out of context enough that it can give people an impression that is is something that it isn't... If you don't want to blow the coin on our book and help me feed my 2 year old son (is the guilt working? ), the 1.4 JDK docs have some pretty good JAAS documentation and tutorials that should give you a good sense of what's possible and what's not. Hope this helps. I think, if there isn't one already, someone could write a whole book on using JAAS and there would still be plenty to say. Let me know if I can provide more clarification.
Brian Buege<br />Author of <a href="http://www.amazon.com/exec/obidos/ASIN/0072225653/brivacom-20" target="_blank" rel="nofollow">Hacking Exposed J2EE & Java: Developing Secure Web Applications with Java Technology</a><br />Visit the <a href="http://www.hackingexposedjava.com" target="_blank" rel="nofollow">Companion Website</a>