Hi Hasan
I am not sure if this is possible, but is there a way that database-level authorizations can be exposed to a Java/J2EE application? The particular situation is: I want to expose the existing security roles defined in Oracle to the J2EE application (WAS) such that we can conduct the authorization for CRUD operations on the database tables in the application (I realize that these would be duplicated in the database).
Nice question though, and I just feel like I should say something about it although I'm not a WAS expert :-) On the other hand I worked on quite a few security projects involving JAAS & WebLogic and I believe that the answer to your question is probably no. Usually the container allows you to plug in different authentication and/or authorization strategies, based on user/groups/roles policies. Also the containers have several such default strategies, which are very convenient. For example WebLogic (7.0 and higher) allows configuring LDAP authentication providers. I'd like you to bear with me for a moment and look at how this could be done, in order to understand the complexity of the problem:
1. The sysadmin needs to plug in the security realm. This basically enables WebLogic to access the users and groups stored in LDAP (which is external to WebLogic). And this should be the easy part :-)
2. Next the sysadmin must find a way to map the security policies defined in deployment descriptors (according to the J2EE specifications) to the user/groups/roles maintained in LDAP (and accessed by the container). This is no easy task and mostly requires developing custom components (like RoleMappingProviders).

Following your requirements I would say that the first step is mostly not going to be doable: I personally don't believe that your container will "recognize" the implicit Oracle roles. As for the second one, I don't really imagine doing this without writing specific components. Again, only by reading the WAS documentation or asking the same question on a specialized WAS forum can you get a clear reply. I'm just answering you first because I feel the complexity of your problem, second because I really like the subject, and third because today I got a more relaxing day in the office and I just feel bored :-)
Bottom line is that this could be done, but only by writing custom security providers that basically read the roles, users, groups from Oracle (or another configuration source) and map them to J2EE security policies. But if you follow this path you should ask the obvious question "and what for then?"
Regards.
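
The role-reading and mapping step that the reply says a custom provider would have to perform, shown as an added example that is not part of the thread and is not WAS or WebLogic provider code. It assumes rows shaped like Oracle's `DBA_ROLE_PRIVS` view (grantee, granted role); the class name, the role names and the mapping table are hypothetical, and the rows are constructed sample data.

```java
import java.util.*;

// Added example, not from the thread. Rows stand in for the result of
// SELECT grantee, granted_role FROM dba_role_privs (constructed sample data).
public class OracleRoleMapper {
    // Oracle role -> J2EE role name as declared in <security-role> (hypothetical).
    static final Map<String, String> ROLE_MAP = Map.of(
        "ORDERS_READ", "orderViewer",
        "ORDERS_WRITE", "orderEditor");

    // grantee -> roles granted directly to it (a grantee is a user or a role).
    static Map<String, Set<String>> index(String[][] rows) {
        Map<String, Set<String>> grants = new HashMap<>();
        for (String[] r : rows)
            grants.computeIfAbsent(r[0], k -> new HashSet<>()).add(r[1]);
        return grants;
    }

    // Follow role-to-role grants so nested roles count; 'seen' prevents
    // walking the same role twice.
    static Set<String> j2eeRolesFor(String user, Map<String, Set<String>> grants) {
        Set<String> seen = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>(grants.getOrDefault(user, Set.of()));
        Set<String> result = new TreeSet<>();
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (!seen.add(role)) continue;
            String mapped = ROLE_MAP.get(role);
            if (mapped != null) result.add(mapped); // unmapped roles grant nothing
            todo.addAll(grants.getOrDefault(role, Set.of()));
        }
        return result;
    }

    public static void main(String[] args) {
        String[][] rows = {
            {"ALICE", "ORDERS_ADMIN"},        // user -> role
            {"ORDERS_ADMIN", "ORDERS_WRITE"}, // role -> role (nested grant)
            {"ORDERS_WRITE", "ORDERS_READ"},
            {"BOB", "ORDERS_READ"},
            {"BOB", "DBA"}};                  // no mapping: ignored by the app
        Map<String, Set<String>> grants = index(rows);
        System.out.println("ALICE -> " + j2eeRolesFor("ALICE", grants));
        System.out.println("BOB   -> " + j2eeRolesFor("BOB", grants));
        System.out.println("CAROL -> " + j2eeRolesFor("CAROL", grants)); // unknown user
    }
}
```

The mapping table is an explicit allow-list, so a powerful database role such as `DBA` does not become an application role unless someone deliberately maps it.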