Authorisation: controlling access to objects/data
Hi all,
I am looking for some pointers to design patterns that deal with authorisation.
The issue at hand is the following: for an enterprise application we need to implement a mechanism that manages user-access to certain data. Example: if a user asks for sales-figures, only the data that he/she is allowed to see (e.g. based on office) should be included in the result.
The question that we asks ourselves is: do we set up a separate authorisation manager (sessionbean) that includes all the business logic to restrict user-access, or do we make the specific objects (entity beans) responsible for this.
The latter solution would take the form of: entitybean Office, getSalesFigures(Year, User) method; based on the User object access is granted or not. The method will return 0 if the user has no access.
Feedback is appreciated.
Regards,
Jaap
[903 byte] By [baudrate] at [2007-9-27 15:47:57]

Hi,
The Composite View pattern http://java.sun.com/blueprints/corej2eepatterns/Patterns/CompositeView.html
has some discussion about applying security based on user roles.
Also the Intercepting Filter pattern
http://java.sun.com/blueprints/corej2eepatterns/Patterns/InterceptingFilter.html
can be used to apply security checks. The Java petstore applies this pattern for self-registration of users, and this is explained in more detail at
http://java.sun.com/blueprints/patterns/InterceptingFilter.html which includes an explanation of the pattern being applied, and also a link to the details of its implementation at
http://java.sun.com/blueprints/guidelines/designing_enterprise_applications_2e/sample-app/sample-app1.3.1a3.html#wp1065478
These should give you a good starting point for designing role based security. The petstore used a separate module for security because it was allowing self-registration of users. If your application does not allow users to create and manage their own user accounts (like yahoo mail etc) and instead all accounts are set up administratively (someone in the company sets up each user account), then the J2EE platform may provide the capabilities you require and you may not need to write a separate module.
The J2EE programming model also has a lot of support for role based security. So you may be able to leverage the J2EE environment to do much of the work for you. The J2EE security model is described in the security chapter of the BluePrints book at
http://java.sun.com/blueprints/guidelines/designing_enterprise_applications_2e/index.html
hope that helps,
Sean
I feel your pain. Unfortunately the J2EE spec has no concept of instance based security (something that would allow you to accomplish your goal very easily). Most applications that require instance based security have to build that into the application - not a very good or reusable approach. We first hit this problem several years ago on a project for Alamo. Our solution was to develop a security server that took care of the instance based security. We have since used this security server on several other projects. If you would like more information on how we implemented the security server or instance based security in general, send me an email (mbz at urbancode.com).
--Maciej
www.urbancode.com
not sure if relevant,
The Java™ Authentication and Authorization Service (JAAS) is a package that enables services to authenticate and enforce access controls upon users. It implements a Java version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization.
I am familiar with JAAS, but it simply does not provide an answer to instance based authorization. Java security is great if you want to know whether one user is able to create orders and another user is able to only view orders. Unfortunately, in most real world applications that is not the important question since all users can create and view orders. The important question is whether a specific user (Mary) can view a specific order (an order placed by Jack). JAAS has no support for answering that question.
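The two questions the reply above separates, the role-based one that container security and JAAS permissions answer ("may this user view orders at all?") and the instance-based one they do not ("may Mary view Jack's order?"), side by side in one small authorization manager, together with the two designs the original post weighs (a separate manager versus a check owned by the Office entity). This is an added Java example, not code from the thread or from any product mentioned in it; the User, Order, SalesFigure and Office classes and the "admin" and "order-viewer" role names are constructed for the illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class InstanceAuthorizationDemo {

    // Constructed domain model (hypothetical; not from the thread).
    static final class User {
        final String name;
        final String office;
        final Set<String> roles;
        User(String name, String office, String... roles) {
            this.name = name;
            this.office = office;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    static final class SalesFigure {
        final String office;
        final int year;
        final long amount;
        SalesFigure(String office, int year, long amount) {
            this.office = office;
            this.year = year;
            this.amount = amount;
        }
        @Override public String toString() { return office + "/" + year + "=" + amount; }
    }

    static final class Order {
        final String id;
        final String placedBy;
        Order(String id, String placedBy) { this.id = id; this.placedBy = placedBy; }
    }

    // Design 1 from the original post: a separate authorization manager (the
    // "session bean"). Every method is deny-by-default: it returns true only
    // when a rule explicitly grants access.
    static final class AuthorizationManager {

        boolean hasRole(User u, String role) {
            return u.roles.contains(role);
        }

        // Role-based question: the kind of check container security answers.
        boolean mayViewOrders(User u) {
            return hasRole(u, "admin") || hasRole(u, "order-viewer");
        }

        // Instance-based question: the role is necessary but not sufficient;
        // the relationship between this user and this order decides.
        boolean mayView(User u, Order o) {
            if (!mayViewOrders(u)) return false;
            return hasRole(u, "admin") || o.placedBy.equals(u.name);
        }

        // Instance rule for sales figures: an office's figures are visible to
        // members of that office and to admins.
        boolean mayView(User u, SalesFigure f) {
            return hasRole(u, "admin") || f.office.equals(u.office);
        }

        // Result filtering: the caller asks for a year and receives only the
        // rows this user is entitled to see.
        List<SalesFigure> salesFigures(User u, int year, Collection<SalesFigure> all) {
            List<SalesFigure> visible = new ArrayList<>();
            for (SalesFigure f : all) {
                if (f.year == year && mayView(u, f)) visible.add(f);
            }
            return Collections.unmodifiableList(visible);
        }
    }

    // Design 2 from the original post: the entity exposes getSalesFigures(year, user),
    // but delegates the policy to the manager so the rule lives in one place.
    static final class Office {
        final String name;
        final List<SalesFigure> figures = new ArrayList<>();
        Office(String name) { this.name = name; }
        List<SalesFigure> getSalesFigures(int year, User user, AuthorizationManager authz) {
            return authz.salesFigures(user, year, figures);
        }
    }

    public static void main(String[] args) {
        AuthorizationManager authz = new AuthorizationManager();
        User mary = new User("mary", "amsterdam", "order-viewer");
        User jack = new User("jack", "london", "order-viewer");
        User admin = new User("root", "hq", "admin");

        Order jacksOrder = new Order("o-1", "jack");
        System.out.println("mary views jack's order:  " + authz.mayView(mary, jacksOrder));
        System.out.println("jack views own order:     " + authz.mayView(jack, jacksOrder));
        System.out.println("admin views jack's order: " + authz.mayView(admin, jacksOrder));

        Office amsterdam = new Office("amsterdam");
        amsterdam.figures.addAll(Arrays.asList(
            new SalesFigure("amsterdam", 2007, 120),
            new SalesFigure("amsterdam", 2006, 90)));
        Office london = new Office("london");
        london.figures.add(new SalesFigure("london", 2007, 340));

        System.out.println("mary, amsterdam 2007: " + amsterdam.getSalesFigures(2007, mary, authz));
        System.out.println("mary, london 2007:    " + london.getSalesFigures(2007, mary, authz));
        System.out.println("admin, london 2007:   " + london.getSalesFigures(2007, admin, authz));
    }
}
```

Both designs end up calling the same `mayView` rule, which keeps the policy in one testable place whichever object the caller goes through. Returning a filtered (possibly empty) list rather than a sentinel such as 0 keeps "no access" distinguishable from "no sales", and the deny-by-default shape means a new object type with no rule written for it is invisible until someone adds one.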
this is something that our company has been struggling with for quite some time. if your code is being executed through an application server of some kind (JBoss for us), there is some support out there for the JCA specification. JCA allows for the application server to cache the username/password from JAAS and try and use it to connect to your DB. this spec is a part of j2ee 1.3, and each application server implements it differently (if at all). from there it's dependent on your database security to limit user A from viewing user B's orders.
again, there is support for JCA in most application servers, and most database servers have the ability to limit viewing of content based on who is logged in.
we're currently investigating JCA with jboss 3.0, and haven't got it functioning yet, but it looks very promising! let me know if you have any questions.
in case anyone is interested, here's a link to the thread that i started when we started having these same questions: http://forum.java.sun.com/thread.jsp?thread=255252&forum=92&message=991345
hopefully this will help someone else out there!
I like the word "pain".
We are looking into replacing our current application with a J2EE platform. I read through the Sun J2EE Tutorial, I do not see anywhere the possibility of supporting object-level access control.
We can not use entity beans because cmp circumvent any security and bmp is awkward and leaky. My current thought is that we'll try the JDO approach to persist object ourselves, and do access control there.
I do not know if any of the J2EE vendors have any extension that we can use.
What a shame! A simple thing turned into a major problem!
Please send me anything on how you solved this problem.
Hello, I also had a look at JAAS and found this article: Extend JAAS for class instance-level authorization http://www-106.ibm.com/developerworks/java/library/j-jaas/
Currently I did not try it, but I think this could give a hint.
Regards,
chris