I'm looking for EJB instance-based (primary key - based) authorization design patterns or products.
I've found only a note in the J2EE specification that such authorization will be in future releases.
Could anybody help me?
-
Instance-based authorization for entity ejb (1 messages)
- Posted by: Marat Dibirov
- Posted on: April 10 2002 07:35 EDT
-
Instance-based authorization for entity ejb
- Posted by: Ken Norcross
- Posted on: April 26 2002 12:47 EDT
- in response to Marat Dibirov
Here's an article that describes how it could be done by extending JAAS.
"Extend JAAS for class instance-level authorization"
http://www-106.ibm.com/developerworks/library/j-jaas/index.html
The fact that it is based on JAAS may or may not fit your situation.
We have also developed something similar (non-JAAS) that enforces different rules/constraints based on the user's security role.
The general pattern I see here is that your code must explicitly check for authorization, by delegating to something like an "AuthorizationManager", passing in something like:
- desired "function" (i.e. update, withdraw, etc.)
- target instance (i.e. an account)
Our implementation extends this by discovering the client's security role, and enforcing different rules based on that role.
The rules themselves generally have to check various business relationships in order to make the decision (i.e. is the caller the owner of the target account?).
No App Server will ever be able to do this for you, because these kinds of constraints are generally business rule based (i.e. is the caller the "owner" of the account? Or, if the caller is in the "superUser" security role, allow any, etc.).
Hope this helps.
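The pattern Ken describes (an explicit check delegating to an "AuthorizationManager" with a function and a target instance, rules selected by the caller's security role, and an ownership check as the business rule), written out as an added example that is not code from the thread or from either poster's system. The class names, the `customer` role and the `Caller` object are assumptions; in a real bean the principal and roles would come from the container (`EJBContext.getCallerPrincipal()` / `isCallerInRole()`), and the manager denies unless some rule for one of the caller's roles explicitly permits.

```java
import java.util.*;

// Added example (not from the thread): an "AuthorizationManager" an entity EJB method
// calls before acting on a particular instance. Account, Caller, Rule and the role
// names are assumptions modelled on the post, not an existing product's API.
public class AuthorizationManager {

    /** The target instance: an account with an owner (the business relationship rules inspect). */
    public static class Account {
        final String id, owner;
        Account(String id, String owner) { this.id = id; this.owner = owner; }
    }

    /** What the container knows about the caller: principal name and security roles. */
    public static class Caller {
        final String name; final Set<String> roles;
        Caller(String name, String... roles) { this.name = name; this.roles = new HashSet<>(Arrays.asList(roles)); }
    }

    /** One business rule: may this caller perform this function on this target instance? */
    public interface Rule { boolean permits(Caller caller, String function, Account target); }

    private final Map<String, List<Rule>> rulesByRole = new HashMap<>();

    public void addRule(String role, Rule rule) {
        rulesByRole.computeIfAbsent(role, k -> new ArrayList<>()).add(rule);
    }

    /** Deny by default: allowed only if a rule registered for one of the caller's roles permits. */
    public boolean isAuthorized(Caller caller, String function, Account target) {
        for (String role : caller.roles) {
            for (Rule rule : rulesByRole.getOrDefault(role, Collections.emptyList())) {
                if (rule.permits(caller, function, target)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        AuthorizationManager mgr = new AuthorizationManager();
        // "superUser" role: allow any function on any instance.
        mgr.addRule("superUser", (c, f, t) -> true);
        // "customer" role: withdraw/update only when the caller is the owner of the target account.
        mgr.addRule("customer", (c, f, t) ->
            (f.equals("withdraw") || f.equals("update")) && c.name.equals(t.owner));

        Account acct = new Account("ACC-1", "alice");   // constructed sample data
        Caller alice = new Caller("alice", "customer"); // owner of acct
        Caller bob   = new Caller("bob", "customer");   // same role, but not the owner
        Caller admin = new Caller("admin", "superUser");
        System.out.println("alice withdraw: " + mgr.isAuthorized(alice, "withdraw", acct));
        System.out.println("bob withdraw:   " + mgr.isAuthorized(bob, "withdraw", acct));
        System.out.println("admin withdraw: " + mgr.isAuthorized(admin, "withdraw", acct));
        System.out.println("alice close:    " + mgr.isAuthorized(alice, "close", acct)); // no rule covers "close"
    }
}
```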