Pattern for programmatic security with JAAS


EJB design: Pattern for programmatic security with JAAS

  1. Pattern for programmatic security with JAAS (2 messages)

    I am implementing a project using the JAAS framework for securing my CMP EJB layer. However, in many cases, declarative security is not enough, and I need to hand-code security because the authentication depends on method parameters as well as the method.

    Consider this example: I have a method:

    aStudentSessionBean.setGrade(String subject, int grade);

    The permission rule is:
    (users with role "teacher" AND who teach subject "X")
    (users with role "headteacher")
    can modify students grades for the subject "X".

    This obviously cannot be done in the deployment descriptor alone; but I CAN enforce that only users with role "teacher" or "headteacher" execute this method.

    The following requirements for a pattern seem sensible to me:

    1. Security code is kept as separate as possible from business logic, as the JAAS framework was designed to do.

    2. It would be nice to have some sort of centralised system where all the security logic resides.

    3. Security code is easily maintainable and extensible as the system grows.

    I have many session beans which have methods like this, so having an authenticate() method in each bean containing this logic does not fulfil requirement 1 or 2.

    Has anyone had experience of, or read about, a similar problem? Does anyone have any suggestion of a suitable pattern? Does anyone think my requirements for such a pattern are flawed?

    Any feedback will be much appreciated.


  2. I'm going to ask you a question instead of giving you an answer...

    How do you communicate the authenticated user identity to the body of an EJB method using JAAS?

    I've always had the user id as a parameter to every method, which obviously involves trusting the caller.

  3. Tom

    JAAS uses this idea of principal propagation, meaning that once a user has been authenticated, the relevant authorization data is passed into the EJBContext by the container transparently to my EJB code.

    This allows the EJB to use the relevant methods on the EJBContext to authenticate / deny the user; i.e.

    import java.security.Principal;

    // To find out who the user is.
    // (EJBContext exposes the caller as getCallerPrincipal(); getUserPrincipal()
    // is the servlet-request method, not the EJB one.)
    Principal p = myEJBContext.getCallerPrincipal();

    // To find out what the user is allowed to do
    boolean isAllowed = myEJBContext.isCallerInRole("headteacher");

    Here's the javadoc:

    Any additional information, other than the user's roles, which I need to use to authenticate the user (e.g. what subjects a teacher may teach) I currently pass in to the EJB method as a normal parameter.
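    The following is an added example, not code from any of the posters, showing one way to meet the original poster's three requirements using only the two EJBContext calls described in the reply above: the parameter-dependent rule (teacher of subject X, or headteacher) lives in one central policy class, and the session bean's business method reduces to a single check call. The names CallerContext, TeachingAssignments, GradePolicy and StudentSessionBean are assumptions for the example; CallerContext is a thin interface standing in for javax.ejb.EJBContext so the policy can be run and tested outside a container, and the sample users and subject assignments are constructed.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

// Minimal view of what an EJB method can learn from its container about the caller.
// Inside a container, implement this by delegating to the bean's javax.ejb.EJBContext
// (getCallerPrincipal() and isCallerInRole(String)). The interface exists only so the
// policy below can be exercised without a container (assumption for this example).
interface CallerContext {
    Principal getCallerPrincipal();
    boolean isCallerInRole(String role);
}

// Hypothetical lookup of "which subjects does this teacher teach". The thread passes
// this in as a method parameter; here the policy fetches it from a trusted source so
// the caller cannot influence it (the trust problem raised in the second post).
interface TeachingAssignments {
    Set<String> subjectsTaughtBy(String userName);
}

// Central place where all grade-related authorization rules live (requirement 2).
// Business beans never inspect roles themselves (requirement 1); new rules are
// added here (requirement 3).
final class GradePolicy {
    private final TeachingAssignments assignments;

    GradePolicy(TeachingAssignments assignments) {
        this.assignments = assignments;
    }

    // Rule from the original post:
    //   (role "teacher" AND teaches subject X) OR (role "headteacher")
    //   may modify grades for subject X.
    boolean mayModifyGrade(CallerContext ctx, String subject) {
        if (ctx.isCallerInRole("headteacher")) {
            return true;
        }
        if (ctx.isCallerInRole("teacher")) {
            String user = ctx.getCallerPrincipal().getName();
            return assignments.subjectsTaughtBy(user).contains(subject);
        }
        return false;
    }

    // Throwing variant for use at the top of a business method, so the method body
    // never runs for an unauthorized caller.
    void checkMayModifyGrade(CallerContext ctx, String subject) {
        if (!mayModifyGrade(ctx, subject)) {
            throw new SecurityException(ctx.getCallerPrincipal().getName()
                    + " may not modify grades for " + subject);
        }
    }
}

// How a session bean would use the policy. Declarative security in the deployment
// descriptor still limits setGrade() to the roles teacher/headteacher; the policy
// adds the parameter-dependent part that the descriptor cannot express.
class StudentSessionBean {
    private final GradePolicy policy;
    private final CallerContext ctx;

    StudentSessionBean(GradePolicy policy, CallerContext ctx) {
        this.policy = policy;
        this.ctx = ctx;
    }

    void setGrade(String subject, int grade) {
        policy.checkMayModifyGrade(ctx, subject); // the only security line in the bean
        // ... business logic (persist the grade) goes here ...
    }
}

public class GradePolicyDemo {
    // Constructed test double standing in for the container-supplied EJBContext.
    static CallerContext fakeCaller(String name, Set<String> roles) {
        return new CallerContext() {
            public Principal getCallerPrincipal() { return () -> name; }
            public boolean isCallerInRole(String role) { return roles.contains(role); }
        };
    }

    public static void main(String[] args) {
        // Constructed sample data: alice teaches maths only; nobody else teaches anything.
        TeachingAssignments assignments =
                user -> Map.of("alice", Set.of("maths")).getOrDefault(user, Set.of());
        GradePolicy policy = new GradePolicy(assignments);

        CallerContext alice = fakeCaller("alice", Set.of("teacher"));
        CallerContext bob = fakeCaller("bob", Set.of("headteacher"));
        CallerContext carol = fakeCaller("carol", Set.of("teacher"));

        System.out.println("alice/maths:   " + policy.mayModifyGrade(alice, "maths"));
        System.out.println("alice/history: " + policy.mayModifyGrade(alice, "history"));
        System.out.println("bob/history:   " + policy.mayModifyGrade(bob, "history"));
        System.out.println("carol/maths:   " + policy.mayModifyGrade(carol, "maths"));

        // The bean itself just delegates; this call throws SecurityException.
        try {
            new StudentSessionBean(policy, carol).setGrade("maths", 7);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

    Keeping the subject lookup behind TeachingAssignments rather than taking it as a method argument is the point that matters for security: the role comes from the container, and the "which subjects" fact comes from a store the bean trusts, so a caller can only choose the subject it is asking about, not the evidence that authorizes it.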