
Thread: J2EE Authorization Model

  1. #1
    Join Date
    Apr 2010
    Posts
    90

    J2EE Authorization Model

    Hi,
    I am currently working on a J2EE project and am despairing a little over the authorization management. In short, I want to check, depending on the current business object, whether a particular user has a role or is in a particular group. Here is an example so that it is easier to understand:

    Code:
    // The Entity class has a String property "accessRole" that holds the required group, e.g. "Abteilung21".

    @Resource
    private SessionContext sessionContext;

    public boolean canDoSomething(Entity e) {
        return (e.getAccessRole() != null) && sessionContext.isCallerInRole(e.getAccessRole());
    }
    The problem is that all the roles you query with isCallerInRole must previously be declared in the DD or via annotations (for whatever reason), otherwise the container (Sun Application Server 9.1) throws an exception. I have already read while googling that this works fine in JBoss, but that is then not in conformity with the specification. Actually, I wanted to reinvent the wheel, so I wanted to ask what the best practices are in terms of permissions control.
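    As an added illustration (not code from the thread), here is how the declared-role requirement the poster ran into looks in a Java EE 5 session bean. The bean lists the roles it will ever query in @DeclareRoles, reads that same list back by reflection, and canDoSomething() rejects an entity whose stored accessRole is not among the declared roles before calling isCallerInRole(), so a role name that arrives from the database never reaches the container undeclared. Entity, getAccessRole() and sessionContext are taken from the post; the bean name and the additional role names ("Abteilung22", "Verwaltung") are made up for the example. The caveat the thread is circling remains: every group still has to be known at deployment time.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Added example, not the poster's code. Entity (with getAccessRole()) is the
// poster's own class and is assumed to exist; role names are illustrative.
@Stateless
@DeclareRoles({"Abteilung21", "Abteilung22", "Verwaltung"})
public class EntityAccessBean {

    // Single source of truth: the declared roles are read back from the
    // annotation so the whitelist cannot drift from what the container knows.
    private static final Set<String> DECLARED_ROLES;
    static {
        DeclareRoles declared = EntityAccessBean.class.getAnnotation(DeclareRoles.class);
        DECLARED_ROLES = Collections.unmodifiableSet(
                new HashSet<String>(Arrays.asList(declared.value())));
    }

    @Resource
    private SessionContext sessionContext;

    public boolean canDoSomething(Entity e) {
        String required = e.getAccessRole();

        // Deny by default: an entity without a stored role is not open to everyone.
        if (required == null) {
            return false;
        }

        // A role name coming from data that is not declared on this bean must not
        // be passed to the container (Sun AS 9.1 throws for undeclared roles);
        // treat it as "not authorized" instead of letting the exception escape.
        if (!DECLARED_ROLES.contains(required)) {
            return false;
        }

        return sessionContext.isCallerInRole(required);
    }

    // Exposed so callers (or a test) can see which role names are safe to store.
    public static Set<String> declaredRoles() {
        return DECLARED_ROLES;
    }
}
```

    The explicit whitelist check only turns the container's exception into a clean "false"; the real limitation the thread discusses (roles fixed at deployment) is unchanged by it.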

  2. #2
    Join Date
    Mar 2008
    Posts
    227

    Re: J2EE Authorization Model

    In short, I want to check, depending on the current business object, whether a particular user has a role or is in a particular group.
    The J2EE security model is based on fixed roles. I.e., it can indeed ensure that you are a "department head", but not whether it is your own department. Why is easy to answer: because it was specified that way. I don't have the spec to hand,
    but in my opinion there are some vague passages in it.

  3. #3
    Join Date
    Mar 2008
    Posts
    258

    Re: J2EE Authorization Model

    Actually, I wanted to reinvent the wheel, so I wanted to ask what the best practices are in terms of permissions control.
    If you want to remain within the J2EE spec, you probably have to organize application-managed security yourself (an own service, perhaps packaged as a session bean). Or try to get at the appropriate JAAS context (if one stands behind the J2EE security, which is the case at JBoss) and check role membership there. If you do not want to do J2EE and can move to DI, the case is simple.

  4. #4
    Join Date
    Apr 2010
    Posts
    90

    Re: J2EE Authorization Model

    Thanks for the super quick responses. How do I get at the current JAAS context? (I know, STFW, but I only find 1000 instructions on how to write a specific login module, not on how "programmatic security" works.) If someone has a link or a search tip at hand, that would be super nice.

  5. #5
    Join Date
    Apr 2008
    Posts
    193

    Re: J2EE Authorization Model

    We store the assignment of users to roles in the database. A login module (JBoss) or a Custom User Registry (WebSphere) ensures that the user gets logged in and receives the necessary roles. The roles in turn carry method permissions (also stored in the DB), which correspond to the method permissions stored in the deployment descriptor. This ensures that a user can use only the EJB methods that are associated with his role. This works especially well when the EJB methods are based on the domain processes (as they are for us). A positive point is that the interfaces remain free.
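    As an added example that is not code from any of the posters, here is the application-managed variant suggested in #3, using the data model described in #5: a user-to-roles mapping and a role-to-method-permissions mapping, enforced by an EJB 3.0 interceptor instead of the deployment descriptor. The two maps stand in for the database tables the poster describes, and the users ("alice", "bob"), roles and method names ("OrderBean.createOrder" etc.) are constructed sample data. The interceptor is attached to a bean with @Interceptors(MethodPermissionInterceptor.class); it denies by default and raises the same EJBAccessException the container would for a declarative method permission, so callers see one consistent failure mode.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

// Added example, not the thread's code. Attach with
// @Interceptors(MethodPermissionInterceptor.class) on the session bean.
public class MethodPermissionInterceptor {

    // user -> roles (constructed sample data; in post #5 this lives in the DB)
    private static final Map<String, Set<String>> USER_ROLES = new HashMap<String, Set<String>>();
    // role -> permitted "Bean.method" names (constructed sample data)
    private static final Map<String, Set<String>> ROLE_PERMISSIONS = new HashMap<String, Set<String>>();

    static {
        USER_ROLES.put("alice", set("Abteilung21"));
        USER_ROLES.put("bob", set("Verwaltung"));
        ROLE_PERMISSIONS.put("Abteilung21", set("OrderBean.createOrder", "OrderBean.viewOrder"));
        ROLE_PERMISSIONS.put("Verwaltung", set("OrderBean.viewOrder", "OrderBean.approveOrder"));
    }

    @Resource
    private SessionContext sessionContext;

    @AroundInvoke
    public Object checkPermission(InvocationContext ic) throws Exception {
        Principal caller = sessionContext.getCallerPrincipal();
        String user = (caller == null) ? null : caller.getName();
        // Use the declaring class, not ic.getTarget().getClass(): the container
        // may hand back a generated subclass with a different name.
        String method = ic.getMethod().getDeclaringClass().getSimpleName()
                + "." + ic.getMethod().getName();

        if (!isPermitted(user, method)) {
            // Same exception type the container raises for declarative permissions.
            throw new EJBAccessException("Caller '" + user + "' may not invoke " + method);
        }
        return ic.proceed();
    }

    // Deny by default: unknown user, no roles, or no matching permission -> false.
    static boolean isPermitted(String user, String method) {
        if (user == null || method == null) {
            return false;
        }
        Set<String> roles = USER_ROLES.get(user);
        if (roles == null) {
            return false;
        }
        for (String role : roles) {
            Set<String> permitted = ROLE_PERMISSIONS.get(role);
            if (permitted != null && permitted.contains(method)) {
                return true;
            }
        }
        return false;
    }

    private static Set<String> set(String... values) {
        return new HashSet<String>(Arrays.asList(values));
    }
}
```

    With this data, isPermitted("alice", "OrderBean.approveOrder") is false while isPermitted("bob", "OrderBean.approveOrder") is true. Because the mapping is looked up per call rather than fixed in @DeclareRoles, new groups can be added as rows without redeploying, which is the point the thread is after; the trade-off is that the container no longer audits or enforces these permissions, so the interceptor must be applied to every bean that needs protection.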

  6. #6
    Join Date
    Apr 2010
    Posts
    90

    Re: J2EE Authorization Model

    Thanks again for the many answers and inspiration.

    But now, in principle (regarding the J2EE specification, not the solutions suggested here): that's pretty idiotic. Almost every security model assigns users to groups (NT domains, *nix systems, LDAP, etc.). J2EE maps this model onto realms and roles and then prevents its appropriate use due to a more or less reasonable limitation in the specification. I am still not clear why the container has to know which roles I am going to query. (On the subject of "optimization", all that comes to mind is the classic "early optimization is the root of all evil".) I know the post is not very constructive, I just wanted to know if I am the only one who thinks so.
