You'd need to create some sort of "connect" facility, something along the lines of what's used for JMS or the database.
The Cache itself would have a security interceptor that would check that the principal was set, then match the roles/etc. against the permissions for modifiying or reading nodes in a particular region.
Here's one idea:
| Cache cache = (Cache)new
| InitialContext().lookup("java:comp/env/mycache");
| cache.connect("joe", "secret");
| cache.get("foo", "key1");
| //
| cache.logout();
|
Alternatively, to keep the cache interface small, maybe a wrapper?
| cs = new CacheSecurity(cache);
| cs.connect("joe", "secret");
| cs.logout();
|
The security association would be kept in a thread local. One thing that is sort of bad is that the association might leak without the logout called each time. Maybe this would be more robust:
| public interface SecureCache extends Cache {
| public void connect(String user, String pw) throws CacheSecurityException;
| public void logout();
| }
| SecureCache c = SecureCacheFactory.lookup("java:comp/env/mycache");
| cs.connect("joe", "secret");
| cs.logout();
|
Each "SecureCache" would be a simple wrapper around a regular cache. This way, the assocation would be matched against the instance variable. Also, if the cache in JNDI was accessed in the normal way, it would fail.
One fine point would be to have the allowed roles and regions set in the connect method and the interceptor would simply do the method checks.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3954721#3954721
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3954721
|
