HELP with security requirements

2 replies [Last post]
gviera
Offline
Joined: 2005-07-22

Dear All,

I've been working with J2EE for a while and now I am facing a requirement I assume J2EE can face, but I would like some professional orientation.

I'm developing a financial system, Web & server, using GlassFish. The requirement I have is that "any system service", as I call the operations accessible from the client (web app), should be permission secured; that means that for each User or Role, I should be able to configure which system services it can access (at least) or, more in depth, which level of security it has.

Roles are not fixed, the sysadmin should be able to configure any Role, and assign to it any User, what is fixed are the system services. The permissions to each role for system service access should be configurable.

I hope the explanation is understandable,

Can anyone help me in order to assume this is possible with GlassFish, and where could I read something nearly close to what I need (I've read the JEE tutorial, and a bunch of papers on security in EJB and Web tier, but none provides information for my requirement)?

Regards,

Germán Viera.

monzillo
Offline
Joined: 2004-05-08

If your services are fixed, then would it be sufficient to define (at least) one Role to control access to each service, and to map each such role either explicitly or implicitly to a Group (principal), and then to manage access to your services by defining (or changing) the groups to which your individual users are assigned? This is generally regarded as best practice. You may have other requirements which make the above insufficient.

Ron

ewernli
Offline
Joined: 2007-10-21

If I understand your requirement correctly, there is a fixed number of "system services" but the authorization required to access a given "system service" can be dynamically changed.

As you wrote, you need the concepts of user, role and permission. A permission is used to represent the access on a resource; in your case there would be one permission per "system service". Permissions can then be granted/denied to particular users or groups.

Unfortunately, only the concepts of role and user have been standardized in the J2EE security model; this means that you will not be able to achieve this level of flexibility using the built-in declarative security (security defined using deployment descriptors or annotations).

If the system administrator adds, removes or changes a role, you will need to change the deployment descriptor or annotation accordingly (note that if you are using deployment descriptors, you will not need to recompile your application, but only to repackage it).

I don't know if this is acceptable for you.

If not, this means that you will need to implement part of the authorization mechanism yourself.
Here is a possible solution:
- let GlassFish manage the authentication;
- get the Principal name available in the web or EJB tier;
- connect to the credential store (LDAP?) and get the list of roles for the Principal (note that isCallerInRole() will not work if the role is not defined in the deployment descriptor or annotations, so you probably need to fetch them yourself);
- implement the permission checking yourself (you probably need to store the mapping of permissions with groups in a database).

We had essentially the same requirement and we implemented the solution described above. This is a bit tricky and if there is a simpler way to manage this situation I would be glad to hear it.
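
The steps listed in the reply above, as an added example that is not part of the original thread or of GlassFish itself: the container authenticates the caller, and the application resolves roles and checks a role-to-service mapping, denying by default. The class name, the `RoleStore` and `PermissionStore` interfaces, and the sample users, roles and service names are hypothetical; the in-memory maps stand in for the LDAP lookup and the database table.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;

/** Hypothetical sketch: dynamic role-to-service permissions checked in application code. */
public class ServicePermissionChecker {

    /** Stand-in for the credential store lookup (LDAP or similar). */
    interface RoleStore { Set<String> rolesOf(String principalName); }

    /** Stand-in for the database table mapping a role to the system services it may call. */
    interface PermissionStore { Set<String> servicesGrantedTo(String role); }

    private final RoleStore roles;
    private final PermissionStore permissions;

    ServicePermissionChecker(RoleStore roles, PermissionStore permissions) {
        this.roles = roles;
        this.permissions = permissions;
    }

    /** Deny by default: no principal, unknown user, or no granting role means no access. */
    boolean isAllowed(Principal caller, String service) {
        if (caller == null || caller.getName() == null) return false;
        for (String role : roles.rolesOf(caller.getName())) {
            if (permissions.servicesGrantedTo(role).contains(service)) return true;
        }
        return false;
    }

    /** Call at the top of each system service; throws before any business logic runs. */
    void require(Principal caller, String service) {
        if (!isAllowed(caller, service)) {
            throw new SecurityException("Access to " + service + " denied");
        }
    }

    public static void main(String[] args) {
        // Constructed sample data; a real deployment would query LDAP and the database.
        Map<String, Set<String>> userRoles = Map.of("alice", Set.of("teller"));
        Map<String, Set<String>> grants = Map.of("teller", Set.of("viewBalance"));
        ServicePermissionChecker checker = new ServicePermissionChecker(
            name -> userRoles.getOrDefault(name, Set.of()),
            role -> grants.getOrDefault(role, Set.of()));

        Principal alice = () -> "alice"; // in the container: request.getUserPrincipal()
        System.out.println(checker.isAllowed(alice, "viewBalance"));   // granted via "teller"
        System.out.println(checker.isAllowed(alice, "transferFunds")); // no role grants it
        System.out.println(checker.isAllowed(null, "viewBalance"));    // unauthenticated caller
    }
}
```

Because the stores are consulted on every call, a change the sysadmin makes to a role or grant takes effect without repackaging; if lookups are cached for performance, the cache lifetime bounds how long a revoked permission stays usable.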