From: Jason D. <ja...@bo...> - 2001-05-23 19:43:33
Ok, then does it make sense to rely on JAAS for all of the security aspects of a system, or is the technology not mature enough yet? Specifically, can it be used to limit access to methods or individual resources (such as a file or a database record marked with some identifier) based on a single user login point? Or will the application have to maintain some extra login state to achieve this level of security?

--jason

On Wed, 23 May 2001, Scott M Stark wrote:

> Reliance on static files is not a requirement; it's simply the default mode. In
> the JBossSX codebase is an example custom javax.security.auth.Policy
> implementation that obtains permission info from an IAppPolicyStore which
> could be a database, LDAP server, etc. The prototype uses an XML file.
>
> JNDI cannot be secured via JAAS currently simply because it does not
> make any permission checks. A future version of jnp will support secured
> access via subject based permissions.
>
> ----- Original Message -----
> From: "Jason Dillon" <ja...@bo...>
> To: <jbo...@li...>
> Sent: Tuesday, May 22, 2001 6:13 PM
> Subject: [JBoss-user] JAAS & JBossSX vs Application Security
>
> > Hello, I am trying to figure out what the *best* approach is for adding
> > robust security to a highly distributed JMX/EJB/JMS application. I have
> > just looked over the docs about JAAS as well as the JBossSX guide and I
> > still do not have a good feel for what is the correct approach for what I
> > am trying to do.
> >
> > JAAS looks like it follows the basic Java 2 security model, which relies on a
> > static file to list who has access to what, which seems a little odd since
> > in most cases the 'who' is probably listed somewhere in a database, so I am
> > a little confused by their examples.
> >
> > Currently we perform the authentication ourselves, via an EJB call that
> > returns a session bean that represents what that user can do. This has some
> > obvious issues, like if the user just tried to look up an object which they
> > are not supposed to directly instead of going through the gateway.
> >
> > It looks like JAAS/JBossSX might solve this, forcing the user to login
> > first, but it is unclear how that would solve all of the access problems
> > that might occur.
> >
> > Say User A created a file "user_a_private_stuff" via the FileManager bean,
> > how would I prevent User B from logging in, creating a FM bean then reading
> > that file?
> >
> > Can the security framework be used to replace most (if not all) other
> > aspects of security, such as forcing users through a gateway "access
> > manager" bean?
> >
> > Can it be used to grant/limit access to fine grained resources based on
> > principal or credentials retrieved from a database lookup (via an entity
> > bean)?
> >
> > Is there any way to limit access via JNDI by this method?
> >
> > Does anyone know of any detailed documentation/examples of non-trivial
> > security implementations (like users with a set of permissions, application
> > code that can check for a given permission or set of permissions as well as
> > the identity of a user before executing an action, and storing all of that
> > information in a database)?
> >
> > Or perhaps there is a way to use session beans similar to a servlet session
> > to store this data... I just don't know. =(
> >
> > Any help would be appreciated.
> >
> > --jason
> >
> > _______________________________________________
> > JBoss-user mailing list
> > JBo...@li...
> > http://lists.sourceforge.net/lists/listinfo/jboss-user
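
An added illustration, not part of the original thread and not JBossSX code: a deny-by-default, per-resource check keyed on the principals of an authenticated JAAS Subject, with grants held in a store rather than a static policy file, applied to the "user_a_private_stuff" scenario quoted above. UserPrincipal, AclStore and checkAccess are hypothetical names, and the in-memory map stands in for a database or LDAP lookup.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;

public class OwnerCheckDemo {
    // Hypothetical principal type; a LoginModule would add one to the Subject in commit().
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Hypothetical store: resource id -> (principal name -> granted actions).
    static final class AclStore {
        private final Map<String, Map<String, Set<String>>> acl = new ConcurrentHashMap<>();

        void grant(String resource, String principal, String... actions) {
            acl.computeIfAbsent(resource, r -> new ConcurrentHashMap<>())
               .computeIfAbsent(principal, p -> ConcurrentHashMap.newKeySet())
               .addAll(Set.of(actions));
        }

        boolean allows(String resource, String principal, String action) {
            return acl.getOrDefault(resource, Map.of())
                      .getOrDefault(principal, Set.of())
                      .contains(action);
        }
    }

    // Deny by default: allowed only if some principal of the authenticated
    // Subject holds the requested action on that specific resource.
    static void checkAccess(AclStore store, Subject subject, String resource, String action) {
        boolean ok = subject != null && subject.getPrincipals().stream()
                .anyMatch(p -> store.allows(resource, p.getName(), action));
        if (!ok) throw new SecurityException("denied: " + action + " on " + resource);
    }

    // Constructed stand-in for the Subject a completed LoginContext.login() would yield.
    static Subject subjectFor(String user) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(user));
        return s;
    }

    public static void main(String[] args) {
        AclStore store = new AclStore();
        store.grant("user_a_private_stuff", "userA", "read", "write"); // set when the file is created
        checkAccess(store, subjectFor("userA"), "user_a_private_stuff", "read"); // owner is allowed
        try {
            checkAccess(store, subjectFor("userB"), "user_a_private_stuff", "read");
        } catch (SecurityException e) {
            System.out.println(e.getMessage()); // userB has no grant on this resource
        }
    }
}
```

The check has to run inside the component that owns the resource (the FileManager bean in the thread's scenario), so that looking the bean up directly does not bypass it.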