J2EE and Database authorization
Nauman Hasan
Ranch Hand
Posts: 34
posted 12 years ago
Hi all,
I am not sure if this is possible but is there a way that database level authorizations can be exposed to a Java/J2EE application? The particular situation is: I want to expose the existing security roles defined in Oracle to the J2EE application (WAS) such that we can conduct the authorization for CRUD operations on the database tables in the application (I realize that these would duplicated in the database).
Could this be done through extending JAAS? I would think that it would make a difference if we were to have a generic username for db connections vs a username/password for each role)
Thanks you for your help.
Nauman
I am not sure if this is possible but is there a way that database level authorizations can be exposed to a Java/J2EE application? The particular situation is: I want to expose the existing security roles defined in Oracle to the J2EE application (WAS) such that we can conduct the authorization for CRUD operations on the database tables in the application (I realize that these would duplicated in the database).
Could this be done through extending JAAS? I would think that it would make a difference if we were to have a generic username for db connections vs a username/password for each role)
Thanks you for your help.
Nauman
Valentin Tanase
Ranch Hand
Posts: 704
posted 12 years ago
Hi Hasan
Nice question though and I just feel like I should say something about it although I�m not WAS expert :-) On the other hand I worked for quite a few security projects involving JASS & weblogic and I believe that the answer to your question is probably no. Usually the container allows you to pug in different authentication and/or authorization strategies, based on user/groups/roles policies. Also the containers have several such default strategies, which are very convenient. For example weblogic (7.0 and higher) allows configuring LDAP authentication providers. I�d like you to bear with me for a moment and look at how this could be done, in order to understand the complexity of the problem:
The sysadmin needs to plug in the security realm. This basically enables weblogic to access the users and groups stored in LDAP (which is external to weblogic). And this should be the easy part :-) Next the sysadmin must find a way to map the security policies defined in deployment descriptors (accordingly to J2EE specifications) to the user/groups/roles maintained in LDAP (and accessed by the container). This is no easy task and mostly requires developing custom components (like RoleMappingProviders).
Following your requirements I would say that the first step is mostly not going to be doable: I personally don�t believe that your container will �recognize� the implicit Oracle roles. As for the second one I don�t really imagine doing this without writing specific components. Again only reading the WAS documentation or asking the same question on a specialized WAS forum you can get a clear reply. I�m just answering you first because I feel the complexity of your problem second I really like the subject and third because today I got a more relaxing day in the office and I just feel bored :-)
Bottom line is that this could be done but only writing custom security providers that basically read the roles, users, groups from oracle (or another configuration source) and map them to J2EE security policies. But if you follow this path you should ask the obvious question "and what for then?"
Regards.
I am not sure if this is possible but is there a way that database level authorizations can be exposed to a Java/J2EE application? The particular situation is: I want to expose the existing security roles defined in Oracle to the J2EE application (WAS) such that we can conduct the authorization for CRUD operations on the database tables in the application (I realize that these would duplicated in the database).
Nice question though and I just feel like I should say something about it although I�m not WAS expert :-) On the other hand I worked for quite a few security projects involving JASS & weblogic and I believe that the answer to your question is probably no. Usually the container allows you to pug in different authentication and/or authorization strategies, based on user/groups/roles policies. Also the containers have several such default strategies, which are very convenient. For example weblogic (7.0 and higher) allows configuring LDAP authentication providers. I�d like you to bear with me for a moment and look at how this could be done, in order to understand the complexity of the problem:
Following your requirements I would say that the first step is mostly not going to be doable: I personally don�t believe that your container will �recognize� the implicit Oracle roles. As for the second one I don�t really imagine doing this without writing specific components. Again only reading the WAS documentation or asking the same question on a specialized WAS forum you can get a clear reply. I�m just answering you first because I feel the complexity of your problem second I really like the subject and third because today I got a more relaxing day in the office and I just feel bored :-)
Bottom line is that this could be done but only writing custom security providers that basically read the roles, users, groups from oracle (or another configuration source) and map them to J2EE security policies. But if you follow this path you should ask the obvious question "and what for then?"
Regards.
I think, therefore I exist -- Rene Descartes
Nauman Hasan
Ranch Hand
Posts: 34
posted 12 years ago
Thanks Valentin. I appreciate your comments they have clarified things quite a bit for me.
This one is going back to the drawing board... I liked the idea about the complexity of the problem though and went looking for a product that addressed the requirements... I found jGaurd however it is not clear to me (yet) what jGaurd actually does
. I will update here if I find it to be a good solution.
Thanks again,
Nauman
This one is going back to the drawing board... I liked the idea about the complexity of the problem though and went looking for a product that addressed the requirements... I found jGaurd however it is not clear to me (yet) what jGaurd actually does
. I will update here if I find it to be a good solution.Thanks again,
Nauman
