tags:

views:

346

answers:

1
+1  Q: 

dynamic roles on a Java EE server

I want to manage user and roles in a dedicated application. For example a user of this application ("customerX boss") can create a new role "customerX employee". If an employee accesses the Java EE application server (GlassFish 3) he should get the role "customerX employee".

It sounds simple, but it is not supported by Java EE, because groups are mapped to roles at start-up time and the roles within the application are static.

What is the best way to manage user roles at runtime in a Java EE (6) environment?

+3  A: 

The declarative security in JEE is indeed no suited for such requirements. The problem of security can be split in two:

  • authentication
  • authorization

I had similar requirement once. We used the built-in authentication to have the principal set and relied then on the default JEE login mechanisms. But we ended up managing the authorization part manually at the applicative-level.

Indeed, even the roles that will be loaded and associated with the principal (isUserInRole for the web and isCallerInRole for the EJB) need to be specified in web.xml or ejb.xml which doesn't provide enough flexibility. We had then to load the roles manually (according to the principal) from LDAP or ActiveDirectory. We then used EJB3 interceptors and Servlet filter to perform the security checks ourselves.

I would however strongly suggest to stick to a Role-based access control (RBAC) and not implement something more fancy. There are several frameworks that can help to deal with home-made RBAC.

We also had a look at JSecurity and Acegi Security and they seemed interesting.

ewernli  2010-02-09 17:32:24
Thanks for your answer, especially for the hint that even dynamically set roles have to be declared statically in web.xml or ejb.xml! That would have been the next pitfall for me. I will check out JSecurity an Spring Security (the successor of Acegi) http://static.springsource.org/spring-security/site/index.html.
deamon  2010-02-09 18:07:24
JSecurity is now called "Shiro". http://cwiki.apache.org/confluence/display/SHIRO/Index
deamon  2010-02-09 18:28:40
Yes, roles declared with `<security-role>` or `@DeclaredRoles` are actually symbolic names that should be mapped to the role in the external directory (e.g. LDAP) using `<security-role-mapping>`. If the mapping is 1-to-1, Glassfish has an option "default principal to role mapping", but that's only half of the solution and you must still list the role somewhere.
ewernli  2010-02-09 19:11:27
There is also no way to actually list all roles a user has with the JEE API. You will need to iterate over the fixed list of role and use `isCallerInRole` or `isUserInRole`. There are some way to downcast the `Principal` and then get the list of roles, but it's not portable I think (I don't remember exactly for this one).
ewernli  2010-02-09 19:12:23

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java