- Posted by: shanmugasundaram chidambaranathan
- Posted on: September 21 2003 07:07 EDT
My project demands security for the users, which can be changed online by the administrator. The project architecture uses MVC, Struts with Session Facade and DAOs. The levels of security I have identified are
i) In the action class, validation happens for the user's access to that particular screen. The screen and role information are stored in the database.
ii) If the hacker/user connects to the bean directly using a Java client etc. without connecting through the web application, there will be a validation at the EJB to verify whether the user is eligible to use the EJB's method. The mapping information of the bean's method to the role and screen ID is stored in the table.
Let me know whether validation (ii) can be achieved through some other means or through ACL. I think ACL will not be of help if the access control can be changed online.
Thanks in advance
What kind of security is supported depends a great deal on which server you are using. Different J2EE servers have different mechanisms for storing user-role information. There can be problems propagating user credentials from the web layer to the EJB layer.
In theory, though, everything you want to do is achievable through the standard J2EE security model. It all depends on whether your server supports storing security information in the database or not. If not, you may have to customize the security modules for your server. Most allow this.
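As an added illustration of the check described in point (ii) of the question (this is example code, not the poster's project or any server's own security module): a session bean that looks up the caller's roles and the method's allowed roles from the database on every call, so the mapping can be changed online without redeploying. The MethodPermissionDao interface and the JNDI name are assumptions.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.ejb.CreateException;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// Assumed DAO over the table the question describes: bean method -> roles allowed
// to call it, and user -> roles held. It is queried on every call, so changes the
// administrator makes online take effect without redeploying the bean.
interface MethodPermissionDao {
    Set<String> rolesAllowedFor(String beanMethod); // key such as "AccountBean.transfer"
    Set<String> rolesHeldBy(String userName);
}
public class AccountBean implements SessionBean {
    private SessionContext ctx;
    private MethodPermissionDao permissions;
    public void setSessionContext(SessionContext ctx) { this.ctx = ctx; }
    public void ejbActivate() {}
    public void ejbPassivate() {}
    public void ejbRemove() {}
    public void ejbCreate() throws CreateException {
        try { // assumed JNDI name for the DAO
            permissions = (MethodPermissionDao) new InitialContext().lookup("java:comp/env/dao/MethodPermission");
        } catch (NamingException e) {
            throw new CreateException("permission DAO not bound: " + e.getMessage());
        }
    }
    // Business method: the check runs inside the bean, so a client that skips the
    // Struts layer and calls the remote interface directly is still checked.
    public void transfer(String fromAccount, String toAccount, long amount) {
        checkAccess("AccountBean.transfer");
        // ... account logic through the DAOs ...
    }
    private void checkAccess(String beanMethod) {
        // The container supplies the caller only if credentials were propagated from
        // the web tier or the Java client authenticated to the container; otherwise
        // the principal is anonymous and holds no roles, so the call is denied.
        Principal caller = ctx.getCallerPrincipal();
        Set<String> allowed = permissions.rolesAllowedFor(beanMethod);
        Set<String> held = permissions.rolesHeldBy(caller.getName());
        // Fail closed: a method with no mapping row, or a user with no roles, is denied.
        if (allowed == null || held == null || Collections.disjoint(allowed, held)) {
            throw new SecurityException(caller.getName() + " may not call " + beanMethod);
        }
    }
}
```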
Of course, customizing user-role mapping is the first choice.
But if your application server doesn't let you customize user-role mapping, you can go for AOP (Aspect-oriented programming).
Using AOP you can store/fetch user-role mapping in any DB and you can make explicit calls to check the access rights of the user.
For more information about AOP you can visit http://www.eclipse.org/aspectj/
Hope this helps.
Thanks for your feedback.
I will go through the AOP material and understand it more.
Currently we have planned to use form-based authentication; with the propagation of security information from the web tier to the app tier, we will validate the user's access based on his role in the EJB.