
Use JAAS for access control.

 
Matt Brown
Ranch Hand
Posts: 70
I have a requirement for a web application that a user can have multiple roles, and a role defines the functional access and data access. For example, an Accounting role can access accounting functions and data, while an Engineering role can access engineering functions and data. An engineer user is only associated with the Engineering role, and an accountant user is only associated with the Accounting role. A VP user is associated with both the Accounting and Engineering roles.

How should I use JAAS to meet the requirement? Does JAAS control access at the class and jar file level?
 
Ulf Dittmer
Rancher
Posts: 42968
JAAS can be used for this, but it is involved to set up and use. Have you determined that web app security as used by the Servlet API (which also supports multiple roles per user) does not fit the requirements?
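Ulf's suggestion in code, as an added example that is not from this thread: a Servlet 3.0 servlet that relies on container-managed roles, so a principal the container maps to both roles (the VP case) sees both data sets without any extra code path. The URL, role names and report names are assumptions; the user-to-role mapping itself lives in the container's realm and in web.xml, not in the class.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Container-managed security: the container authenticates the caller (with
// <auth-method>CLIENT-CERT</auth-method> in web.xml that is the client's
// X.509 certificate, so no password is involved) and maps the principal to
// one or more role names. The constraint below rejects any caller holding
// neither role before doGet() ever runs (functional access).
@WebServlet("/reports")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"Accounting", "Engineering"}))
public class ReportServlet extends HttpServlet {

    // Hypothetical role names; they must match the <security-role> entries
    // in web.xml and the container's user-to-role mapping.
    static final String ACCOUNTING = "Accounting";
    static final String ENGINEERING = "Engineering";

    // Data access: each role unlocks its own data set. A user that holds
    // both roles sees both; no separate "VP" role is needed.
    static List<String> reportsFor(HttpServletRequest req) {
        List<String> visible = new ArrayList<>();
        if (req.isUserInRole(ACCOUNTING)) {
            visible.add("accounting-ledger");      // constructed sample name
        }
        if (req.isUserInRole(ENGINEERING)) {
            visible.add("engineering-designs");    // constructed sample name
        }
        return visible;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        for (String report : reportsFor(req)) {
            resp.getWriter().println(report);
        }
    }
}
```

Because the mapping of users and certificates to roles is held by the container's realm (a database-backed realm in most containers), it can be administered through whatever UI the realm offers rather than through JAAS policy files.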
 
Rahul Bhattacharjee
Ranch Hand
Posts: 2308
I think J2EE web security infrastructure is sufficient for this.
I have used JAAS quite effectively for authentication, but faced a lot of trouble (in terms of complexity) for authorization.

I have a short note on JAAS. You might want to have a look.
 
Matt Brown
Ranch Hand
Posts: 70
Originally posted by Rahul Bhattacharjee:
    I think J2EE web security infrastructure is sufficient for this.
    I have used JAAS quite effectively for authentication, but faced a lot of trouble (in terms of complexity) for authorization.

    I have a short note on JAAS. You might want to have a look.

We are not using the authentication part of JAAS because the users authenticate with digital certs (not a user id/password) against a hardware device (e.g., an SSL accelerator). We are trying to use the authorization part of it.

I forgot to mention another requirement: all the roles and users must be created and managed through a UI, so that a non-technical administrator can work on them. How do the policy files of JAAS fit here?
 