• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

JAAS and rdbms driven policy

 
Greenhorn
Posts: 3
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hello
I am using JAAS in my web application. I have managed the authentication part well. For authorisation, I have used the policy files on the file system. However, the requirement is that the policy be database driven. The policies decide which usergroup has what permission. Are there any examples to implement the same?
Thanks
Chaitanya
 
Ranch Hand
Posts: 80
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Chaitanya,
I take it you decided the form-based login approach is insufficient for your needs. I came to the same conclusion and used JAAS for authentication too. Once you perform your own authentication, you disable the web containers ability to perform declarative access control, and must do everything yourself (unless you programmatically create the same login token used by said conatiner and stuff it into a cookie/url rewrite).
I know in WebSphere that once you try to intoduce a RDBMS-based persmission scheme, you are on your own. I assume other containers are similar.
Given this, my plan is to have a base action class (I'm using struts, use a front-controller or filter otherwise) that will enforce that each request contains an authenticated user (if the resource is protected), and verify their role is allowed to access it (via DB lookup, etc). The problem I have is how to define which resources are protected. Perhaps I will use an XML file with a format similar to web.xml; or perhaps each action should be stored in the DB and a join between the user/role/action tables would determine access.
What do you think? Let's brainstorm together...
--Dave.
 
Dave Teare
Ranch Hand
Posts: 80
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Sorry - I said base action class when I meant to say base action servlet. This servlet is registered in web.xml and delegates to the standard struts impl once access control is enforced.
 
Greenhorn
Posts: 18
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
hi, i think you should look towards jGuard to fulfills your needs:
http://sourceforge.net/projects/jguard

sincerly yours,

charles(jGuard team).
 
That is a really big piece of pie for such a tiny ad:
a bit of art, as a gift, the permaculture playing cards
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic