Instance-based authorization for entity ejb

Discussions

General J2EE: Instance-based authorization for entity ejb

  1. Instance-based authorization for entity ejb (1 messages)

    I'm looking for EJB instance-based (primary key - based) authorization design patterns or products.
    I've found only note in the J2EE specification that such authorization will in future releases.
    Could anybody help me?
  2. Here's an article that describes how it could be done by extending JAAS.

    "Extend JAAS for class instance-level authorization"

    http://www-106.ibm.com/developerworks/library/j-jaas/index.html

    The fact that it is based on JAAS may or may not fit your situation.

    We have also developed something similar (non-JAAS), that enforces different rules/constraints based on the users security role.

    The general pattern I see here is that your code must explicitly check for authorization, by delegating to something like an "AuthorizationManager", passing in something like:

        - desired "function" (ie. update, withdraw, etc)
        - target instance (ie. an account)

    Our implementation extends this by discovering the clients security role, and enforcing different rules based on that role.

    The rules themselves generally have to check various business relationships in order to make the decision (ie. is the caller the owner of the target account).

    No App Server will ever be able to do this for you, because these kinds of constraints are generally business rule based (ie. is the caller the "owner" of the account?, or if the caller is in the "superUser" security role allow any, etc.)


    Hope this helps.