Object vs Class base authorization concepts with J2EE/JAAS
Hello,
I'm evaluating J2EE and JAAS and I'm wondering how I can implement my business model using these techniques:
As far as I understand JAAS, it's a class based authorization architecture. What I need is an object based architecture, specially when using CMP entity beans.
Is it possible to design an object based access control based on JAAS and (perhaps) CMP entity beans?
More detailed:
Let's look at a simple (web-) application: A database contains only a table with documents, a document consists of an ID (primary key) and some plain text.
I've got two EJB, one for editing documents and one for reading documents.
Now I can easily design my application with J2EE and JAAS:
An "editor" role with access on the edit bean and a "reader" role with access on the reader bean.
The document class could be easily implemented as a CMP entity.
BUT: What happens if I need a restriction on WHAT documents a user/role can edit/read, in other words, if authorization is not controlled by the EJB (code/class based) but by the ID (primary key/object based).
E.g.
User1 should have read access on Doc1, but not on Doc2.
User2 should have read and write access on Doc2, but not on Doc1...
As far as I understand JAAS, it's not possible to solve this problem using JAAS. If this is right, then I have to implement my own authorization system, JAAS could only be used for authentication. In this case, JAAS is just a tier in the security concept, just like different database users with restricted access to different tables and fields.
If I'm right, then it's not possible (or possible but it makes no sense) to use CMP entity beans, because I can't use the "automatic" authorization pattern (I have to call my own access control system before invoking the entity bean, and so my clients loose some of their "leightweight").
Regards,
Jens
