General J2EE: Security Roles and Dynamic Permissions?

  1. Security Roles and Dynamic Permissions? (1 messages)

    Hi All,

    My application has announcement functionality that allows certain users to publish announcements on the website. I plan on using the J2EE security roles to define the roles that are allowed to execute these methods - like postAnnouncement().

    This is great and with EJBs I can do this all without any extra programming. But is there a good way to leverage the security model so that I can specify (in an xml file?) what roles can send what types of announcements?

    For example, I may have a 'SALES ANNOUNCEMENTS' security role that I define as having permissions to send announcements only to sales people. I could hardcode my postAnnouncement() method to say:

    if role == 'SALES ANNOUNCEMENTS' then send to 'SALES GROUP'.

    Of course I want this to be a dynamic rules-based system, so I will have to create a db table to map this role to the groups it's allowed to send to.

    Is there a slick way to use the J2EE security model to handle this instead? Beyond specifying what roles can call what methods, is there a pattern that goes further to define what data/constants can be used within that method?

  2. I have tried to use JAAS for this kind of fine-grained access control, but did not have much luck. Instead I have built my own Access Control infrastructure by storing authorization data in the database and using some of the low-level classes in the java security package like Permission, Acl, AclEntry etc.
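
A sketch of the role-to-group check discussed in this thread, added here as an illustration and not code from either poster. The class names `AnnouncementAccess` and `AnnouncementPermission`, the `ADMIN ANNOUNCEMENTS` role, the `ENGINEERING GROUP` target and the sample rows are assumptions; in a deployment the rows would be loaded from the mapping table, and the role passed to `mayPost()` would be one the container confirms through `EJBContext.isCallerInRole()`.

```java
import java.security.BasicPermission;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Map;

public class AnnouncementAccess {

    // Hypothetical permission: "may post an announcement to this target group".
    static final class AnnouncementPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        AnnouncementPermission(String targetGroup) { super(targetGroup); }
    }

    // Role name -> permissions granted to that role.
    private final Map<String, Permissions> grants = new HashMap<>();

    // Each call corresponds to one (role, group) row of the mapping table.
    void grant(String role, String targetGroup) {
        grants.computeIfAbsent(role, r -> new Permissions())
              .add(new AnnouncementPermission(targetGroup));
    }

    // Default deny: an unknown role or an unmapped group yields false.
    boolean mayPost(String role, String targetGroup) {
        Permissions granted = grants.get(role);
        return granted != null
            && granted.implies(new AnnouncementPermission(targetGroup));
    }

    public static void main(String[] args) {
        AnnouncementAccess access = new AnnouncementAccess();

        // Constructed sample rows standing in for the database table.
        access.grant("SALES ANNOUNCEMENTS", "SALES GROUP");
        access.grant("ADMIN ANNOUNCEMENTS", "*"); // BasicPermission wildcard: any group

        String[][] checks = {
            {"SALES ANNOUNCEMENTS", "SALES GROUP"},
            {"SALES ANNOUNCEMENTS", "ENGINEERING GROUP"},
            {"ADMIN ANNOUNCEMENTS", "ENGINEERING GROUP"},
            {"UNKNOWN ROLE", "SALES GROUP"},
        };
        for (String[] c : checks) {
            System.out.println(c[0] + " -> " + c[1] + ": " + access.mayPost(c[0], c[1]));
        }
    }
}
```

The method-level role restriction in the deployment descriptor still decides who may call postAnnouncement() at all; this check only narrows which target groups a permitted caller may address.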