Confused about RBAC in J2EE

Hi,

So I'm just setting up some BASIC authentication in my web application which hasn't been too painful.

I am however a little stuck with a good strategy for my use case which I assume many people come across. Most of the examples of security for web apps I come across just try and protect a URL pattern or web application, but don't really go into lower level detail.

So I work for an international organisation that has say 3 websites, and let's say I have written an application that allows the page structure of each of those websites to be managed visually, so that site owners can manage their own sites without being developers.

There is a select pick list at the head of all pages that lists all the available web sites that can be modified. However, there are permissions that map a site owner (user) to the web sites s/he should be able to manage.

Therefore I need to both mask web sites in that list so if the permission is not present, you don't see it, as well as protecting any URL hacks to try and get a website up that you're not allowed to see.

This is what I would call application level permissions, and it is exactly this kind of stuff that I cannot see how to map back to the J2EE/Java security mechanisms.

As far as I can see, the roles for the use case are 3-fold, one for each territory say, e.g GB, US, AU. When defining a user, they can have 0 to 3 of these roles which is fine.

So the bit I am stuck on is how I map up the roles to the website list. I could provide my own mapping database table and custom logic for doing this but I need someone to confirm to me that there is nothing "out of the box" with J2EE or Java security that can handle this kind of stuff, i.e. is J2EE security limited to just broad role definitions which can only map to URLs/webapps, and hooking it deeper into a custom application requires custom mappings? Because I also see in RBAC the concept of Permission, which is essentially what maps a Role to a Site in this case. Are there standard mechanisms for Permissions?

A little lost and bemused, AC.

By [adcworksa] at [2007-10-2 15:52:06]
# 1
I am experiencing the same problem. Have you got any solution? If so, please let me know. Thanks.
denim786a at 2007-7-13 16:01:06
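The requirement described in the question (hide sites the user holds no role for, and reject requests that name such a site anyway), as an added example that is not part of the original thread. The roles GB, US and AU come from the post; the class name `SiteAccess`, the site ids and the `Predicate` that stands in for the container's role check are assumptions made for illustration.

```java
import java.util.*;
import java.util.function.Predicate;

// Added example: deny-by-default mapping from container roles to manageable sites.
public class SiteAccess {
    // Role names are from the post; the site ids are constructed for this example.
    private static final Map<String, String> ROLE_TO_SITE = new LinkedHashMap<>();
    static {
        ROLE_TO_SITE.put("GB", "site-gb");
        ROLE_TO_SITE.put("US", "site-us");
        ROLE_TO_SITE.put("AU", "site-au");
    }

    // Sites to render in the pick list: only those whose role the caller holds.
    static List<String> visibleSites(Predicate<String> inRole) {
        List<String> sites = new ArrayList<>();
        for (Map.Entry<String, String> e : ROLE_TO_SITE.entrySet()) {
            if (inRole.test(e.getKey())) {
                sites.add(e.getValue());
            }
        }
        return sites;
    }

    // Server-side check for every request that names a site. Hiding the list
    // entry alone does not stop a hand-edited URL, so this runs on each request.
    static boolean canManage(String requestedSite, Predicate<String> inRole) {
        return requestedSite != null && visibleSites(inRole).contains(requestedSite);
    }

    public static void main(String[] args) {
        // Constructed user holding two of the three roles.
        Set<String> roles = new HashSet<>(Arrays.asList("GB", "AU"));
        Predicate<String> inRole = roles::contains;

        System.out.println("pick list:    " + visibleSites(inRole));
        System.out.println("site-au:      " + canManage("site-au", inRole));
        System.out.println("site-us:      " + canManage("site-us", inRole)); // edited URL
        System.out.println("no-such-site: " + canManage("no-such-site", inRole));
    }
}
```

Inside a servlet or filter the same check can be driven by the container's authenticated roles, for example `SiteAccess.canManage(request.getParameter("site"), request::isUserInRole)` with a hypothetical `site` parameter, answering with `HttpServletResponse.SC_FORBIDDEN` when it returns false.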