I am developing a medium-sized J2EE application with EJBs. There are 10 different Entity Beans. Every user (>1000 users) has explicit rights for every single object (>10000 objects). Objects are represented by Entity Beans. Every user can have many different rights for a single object. So this means there are a lot of rights and a lot of checks with every request.
Okay, I know it's a little bit hard to understand, so think of how an operating system handles different resources for all of its users. There are files which can be listed by all users, read by many users and modified only by few users.
I don't know how to implement such a fine-grained rights system within the J2EE architecture. At the moment we are mapping all the rights to DB tables and checking every request with a big SQL statement. But this solution is not good in a J2EE environment.
Does anybody have an idea how to solve this problem? Every reply/URL/idea will be welcome.
I am in a similar situation. I wanted to implement an Access Control infrastructure as an EJB. Since I am using JBoss and JBoss supports JAAS, I tried to use it. However, I did not have much luck.
I had to figure out every access right my J2EE container (in this case JBoss) needed and then tweak the Java 2 and JAAS policies accordingly. This turned out to be very difficult and tedious. Eventually, I gave up and decided to roll out my own Access Control infrastructure using a database. I don't see anything wrong with doing this under J2EE.
Yes, we arrived at a similar solution, with a table determining which users have which roles within the system. Objects carry the data about which roles have what rights within them. We couldn't see any other way around it.
I would have considered the possibility of doing both.
That is, use JAAS for authentication and high-level role-based access control. Use the DatabaseServerLoginModule so you can implement your users and roles in the database.
However, along with the role information, include more detailed information about access rights in the "User" entity.
This way, in your actual pages or servlets, you can concentrate on the detailed access rights, and don't have to concern yourself with authentication and high-level role-based access control.
We are doing exactly the same. I wrote a specialized LdapLoginModule for JBoss to authenticate the users via an LDAP server. After authenticating, a User object is deserialized from the LDAP that contains all application-specific authorizations. So I can keep the application roles quite coarse-grained.
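The two designs that run through this thread, the question's "big SQL statement" per request over rights tables, the "users have roles, objects carry role rights" tables in the third reply, and the coarse container roles plus a User object loaded with all fine-grained authorizations at login in the last two replies, side by side as an added example. This is not code from the thread, from JBoss or from any of the posters; sqlite3 stands in for the JDBC/Entity Bean layer, and the table names, the users alice/bob/carol, the roles staff/guest, the objects and every grant are constructed sample data.

```python
# Added example, not from the thread: a per-object ACL in database tables
# with a coarse role gate in front of it. sqlite3 stands in for JDBC/EJB.
import sqlite3
from dataclasses import dataclass

SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE roles(id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE user_roles(user_id INTEGER NOT NULL, role_id INTEGER NOT NULL,
                        PRIMARY KEY (user_id, role_id));
CREATE TABLE objects(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
-- rights a role holds on one specific object (the rights "objects carry")
CREATE TABLE object_role_rights(object_id INTEGER NOT NULL, role_id INTEGER NOT NULL,
                                privilege TEXT NOT NULL,
                                PRIMARY KEY (object_id, role_id, privilege));
-- rights granted to one user directly on one object
CREATE TABLE object_user_rights(object_id INTEGER NOT NULL, user_id INTEGER NOT NULL,
                                privilege TEXT NOT NULL,
                                PRIMARY KEY (object_id, user_id, privilege));
"""

# Constructed sample data: hypothetical users, roles, objects and grants.
SAMPLE = """
INSERT INTO users VALUES (1,'alice'),(2,'bob'),(3,'carol');
INSERT INTO roles VALUES (1,'staff'),(2,'guest');
INSERT INTO user_roles VALUES (1,1),(2,1),(3,2);
INSERT INTO objects VALUES (1,'report.doc'),(2,'budget.xls');
INSERT INTO object_role_rights VALUES (1,1,'list'),(1,1,'read'),(2,1,'list');
INSERT INTO object_user_rights VALUES (1,1,'write'),(2,2,'read');
"""

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

# Variant 1: one query per request, always fresh. A row comes back only if a
# grant exists directly for the user or for one of the user's roles; an
# unknown user, object or privilege yields no row, so the default is deny.
CHECK_SQL = """
SELECT 1 FROM object_user_rights our JOIN users u ON u.id = our.user_id
 WHERE our.object_id = ? AND u.name = ? AND our.privilege = ?
UNION
SELECT 1 FROM object_role_rights orr
 JOIN user_roles ur ON ur.role_id = orr.role_id
 JOIN users u ON u.id = ur.user_id
 WHERE orr.object_id = ? AND u.name = ? AND orr.privilege = ?
LIMIT 1
"""

def has_right(conn, user: str, object_id: int, privilege: str) -> bool:
    params = (object_id, user, privilege, object_id, user, privilege)
    return conn.execute(CHECK_SQL, params).fetchone() is not None

# Variant 2: load the coarse roles and the full per-object rights once at
# login into a principal, then answer every request from memory.
@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset          # coarse roles, what a container role check sees
    rights: dict              # object_id -> frozenset of privileges

def login(conn, user: str) -> Principal:
    row = conn.execute("SELECT id FROM users WHERE name = ?", (user,)).fetchone()
    if row is None:
        raise LookupError(f"unknown user {user!r}")
    uid = row[0]
    roles = frozenset(r for (r,) in conn.execute(
        "SELECT r.name FROM roles r JOIN user_roles ur ON ur.role_id = r.id"
        " WHERE ur.user_id = ?", (uid,)))
    rights = {}
    for oid, priv in conn.execute(
        "SELECT object_id, privilege FROM object_user_rights WHERE user_id = ?"
        " UNION SELECT orr.object_id, orr.privilege FROM object_role_rights orr"
        " JOIN user_roles ur ON ur.role_id = orr.role_id WHERE ur.user_id = ?",
        (uid, uid)):
        rights.setdefault(oid, set()).add(priv)
    return Principal(user, roles, {k: frozenset(v) for k, v in rights.items()})

def authorize(p: Principal, required_role: str, object_id: int, privilege: str) -> bool:
    # Coarse gate first (the role check the container/JAAS would do), then the
    # fine-grained per-object right carried on the principal. Deny by default.
    if required_role not in p.roles:
        return False
    return privilege in p.rights.get(object_id, frozenset())

if __name__ == "__main__":
    db = setup_db()
    print(has_right(db, "alice", 1, "write"), has_right(db, "carol", 1, "list"))
    alice = login(db, "alice")
    print(sorted(alice.roles), authorize(alice, "staff", 1, "read"))
```

The per-request query is always current but costs a round trip and two joins per check; the login snapshot answers from memory but is stale until the user logs in again and, with more than 10000 objects, can be large per user, so in practice the snapshot holds only the objects the user has any right on. Both variants deny when no grant row exists, which is the property to keep whichever storage you choose.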
Thanks a lot for all your comments. I will have a look at JAAS.
Have you looked at OSAccess and OSUser2?