views: 162

answers: 5

I'm looking at creating a decentralised role-management system which integrates with JEE roles. Does anything like this exist?

Example use cases:

System A is a limited-access system which uses corporate roles. John joins a team, and requires SYSTEM_A_READONLY to perform his function. He logs on to the decentralised role-management system, and puts in a request for SYSTEM_A_READONLY. Bill is the administrator for System A, and receives a notification that John has applied for this access. He can then log on to the same system and approve the request. John now has access to System A.

System B is a sensitive customer management system. It has 1 role for each company that it serves. Currently it has SYSTEM_B_CLIENT_FOO, SYSTEM_B_CLIENT_BAR, etc. Greg is the administrator for this system, and he is notified by the sales team that TNT have signed on as a customer. He logs on to the role management system, and adds the new client. Web Application C (hosted remotely, but still using corporate roles) detects the new role, and adds it as an option for its users.

Hope that makes sense. I've looked into making it myself, but it seems like a requirement that must be quite common.

A: 

We have used something very similar to what you are asking. Icefaces has a renderonUserRole property for their components; this can be combined with Spring Security to achieve part of what you need. See this

Mite Mitreski
Thanks, that does look useful, but I'm really looking for something to manage the roles (i.e. not hard-coded in configuration).
Robert Wilson
+2  A: 

I don't think anything like this exists. The requirement indeed seems quite common, but I think appearances are deceiving. Every company, for every (range of) application(s), will have very specific requirements concerning the interface to administer users and roles.

Depending on the requirements, it may also be reasonably simple to set up. If 'putting in a request' simply means 'an email is sent to the admin' and 'adding the client' means logging in using a simple, CRUD-framework generated, admin and filling out a form, then you are already done.

Confusion
+1  A: 

There are some products out there to help you - things like crosslogix from bea.

These are generally logic decision engines that let you craft complex rules that allow for things like roles and permissions to be nested and hierarchical. They also (generally) allow for parameterized permission checks like *user is in role ACCOUNT_APPROVER if it's the last week of the month*.

"Detecting new roles" generally comes as a by-product of having the centralized system - i.e. everything just queries it, and the API is very fast specifically to make querying a 'cheap' operation.

What they are generally not so good at (I guess as they perceive it's not in their space) is the workflow around approving access to these roles. They'll generally give you a console ( & an API ) to modify them, but leave the approval workflow up to you.

As the previous poster said - the problem with the approval bit is that it tends to be very company specific - so it's often left as an API.

In short - something like crosslogix would do half of what you need - the decision logic, and this, and most products give you a simple uber-console to manage the permission logic, but if you wanted company specific logic for approvals - you'd probably have to skin a website on top.

-ace

phatmanace
+1  A: 

Well, to me, such a system exists and is called LDAP (LDAP groups are typically mapped to J2EE roles). But I admit that LDAP engine doesn't provide all the facilities and workflows that you mentioned. Actually, my experience is that these are specific to each company (maybe because of the lack of "universal" tool) and, most of time, companies I've worked for had custom admin applications and custom APIs to interact with it from applications.

Pascal Thivent
+1  A: 

You could look at Apache Shiro http://incubator.apache.org/shiro/ although I'm not sure it's either ready for prime time or completely does what you're looking for out of the box.

You could develop the authorization components using Spring Security, specifically by implementing your own AccessDecisionVoter and UserDetailsService. The entities, persistence and web ui components are pretty straightforward, you could do those in whatever framework you're comfortable with.

Lance Weber
Looks like a pretty good base to work from - thanks. Lots of good answers here, but yours looks like the most interesting.
Robert Wilson
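To make the Spring Security route concrete, here is an added example (not Lance Weber's code, not Spring's, and not anything from the question's systems) of the two pieces that answer names: an `AccessDecisionVoter` and a `UserDetailsService`, both backed by a hypothetical `RoleRegistry` that models the question's request/approve flow and the dynamic client roles of System B. It assumes the Spring Security 3.1+ API (the generic `AccessDecisionVoter<S>`, `SimpleGrantedAuthority`), Java 8, and an in-memory registry standing in for the database or LDAP store a real deployment would use; the password-hash map is a placeholder for the corporate directory. All class names are made up for the illustration.

```java
package example.roles; // hypothetical package for this example

import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArraySet;
import java.util.stream.Collectors;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public final class DecentralisedRoles {

    /**
     * Hypothetical role registry: roles are defined by each system's administrator,
     * and assignments go through a request step and a separate approval step.
     * In-memory here; a real one would live in a database or directory.
     */
    public static final class RoleRegistry {
        private final Set<String> knownRoles = new CopyOnWriteArraySet<>();
        private final Map<String, Set<String>> approved = new ConcurrentHashMap<>();
        private final Map<String, Set<String>> pending = new ConcurrentHashMap<>();

        /** "Greg adds the new client": the role becomes visible to every consumer on its next query. */
        public void defineRole(String role) { knownRoles.add(role); }

        public Set<String> knownRoles() { return Collections.unmodifiableSet(knownRoles); }

        /** "John puts in a request": recorded, but grants nothing until approved. */
        public void request(String user, String role) {
            if (!knownRoles.contains(role)) throw new IllegalArgumentException("unknown role " + role);
            pending.computeIfAbsent(user, u -> new CopyOnWriteArraySet<>()).add(role);
        }

        /** "Bill approves": only a pending request can be turned into a grant. */
        public boolean approve(String user, String role) {
            Set<String> waiting = pending.getOrDefault(user, Collections.emptySet());
            if (!waiting.remove(role)) return false;   // nothing was requested, so nothing is granted
            approved.computeIfAbsent(user, u -> new CopyOnWriteArraySet<>()).add(role);
            return true;
        }

        public Set<String> rolesOf(String user) {
            return Collections.unmodifiableSet(approved.getOrDefault(user, Collections.emptySet()));
        }
    }

    /** Loads a user and turns the registry's approved roles into granted authorities at login. */
    public static final class RegistryUserDetailsService implements UserDetailsService {
        private final RoleRegistry registry;
        private final Map<String, String> passwordHashes; // placeholder for the corporate directory

        public RegistryUserDetailsService(RoleRegistry registry, Map<String, String> passwordHashes) {
            this.registry = registry;
            this.passwordHashes = passwordHashes;
        }

        @Override public UserDetails loadUserByUsername(String username) {
            String hash = passwordHashes.get(username);
            if (hash == null) throw new UsernameNotFoundException(username);
            List<GrantedAuthority> authorities = registry.rolesOf(username).stream()
                    .map(SimpleGrantedAuthority::new).collect(Collectors.toList());
            return new User(username, hash, authorities);
        }
    }

    /**
     * Votes only on config attributes that name a role the registry knows, and checks the
     * registry live rather than the authorities snapshot, so an approval (or revocation)
     * takes effect without the user logging in again.
     */
    public static final class RegistryVoter implements AccessDecisionVoter<Object> {
        private final RoleRegistry registry;
        public RegistryVoter(RoleRegistry registry) { this.registry = registry; }

        @Override public boolean supports(ConfigAttribute attribute) {
            return attribute.getAttribute() != null && registry.knownRoles().contains(attribute.getAttribute());
        }
        @Override public boolean supports(Class<?> clazz) { return true; }

        @Override public int vote(Authentication auth, Object secured, Collection<ConfigAttribute> attributes) {
            int result = ACCESS_ABSTAIN;                 // let other voters decide attributes we don't own
            Set<String> granted = registry.rolesOf(auth.getName());
            for (ConfigAttribute a : attributes) {
                if (!supports(a)) continue;
                if (granted.contains(a.getAttribute())) return ACCESS_GRANTED;
                result = ACCESS_DENIED;                  // a role we manage, but not approved for this user
            }
            return result;
        }
    }

    /** Walks through the question's two scenarios against the in-memory registry. */
    public static void main(String[] args) {
        RoleRegistry registry = new RoleRegistry();
        registry.defineRole("SYSTEM_A_READONLY");
        registry.request("john", "SYSTEM_A_READONLY");   // John applies; rolesOf("john") is still empty
        registry.approve("john", "SYSTEM_A_READONLY");   // Bill approves; John now holds the role
        registry.defineRole("SYSTEM_B_CLIENT_TNT");      // Greg adds the new client; Web App C sees it via knownRoles()
        System.out.println("john: " + registry.rolesOf("john"));
        System.out.println("all roles: " + registry.knownRoles());
    }
}
```

Wired into a Spring Security `AffirmativeBased` or `UnanimousBased` access decision manager alongside the standard `RoleVoter`, the voter above handles the registry-managed roles and abstains on everything else, so existing `ROLE_`-prefixed configuration keeps working. The approval step being separate from the request step is the part that matters for least privilege: a request by itself changes nothing, and the registry is the single place to audit who approved what.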