users@glassfish.java.net

Re: Dynamic role handling

From: Bobby Bissett - Javasoft <Robert.Bissett_at_Sun.COM>
Date: Wed, 16 May 2007 14:56:04 -0400

> JDBC Realm this can be realized very easily. So, my question is: is it
> possible to retrieve or receive the invoker EnterpriseBean?
> The best variant would be if in the JavaEE 5 Security this method looked like:
> getGroupNames(String username, EnterpriseBean targetObject)
> The existing getGroupNames can be specified as follows:
> getGroupNames(String username)
> {
>     getGroupNames(username, null);
> }

I'm not aware of anything like this, since the groups are mapped to
roles statically without other information such as beans (the mappings
are scoped to the whole application). This could be an interesting RFE
if you'd like to file it.

Asking around the security team, it was suggested that you can do what
you'd like by writing a custom policy module that modifies the required
privileges to match the resource, or that adds additional privilege
attributes to the access control context/protection domain (based on the
target resource) used in the policy evaluation.

Or you could write a server auth module that adds additional privilege
attributes based on the target resource (which would likely be simpler),
but this approach could be problematic if the same credentials are used
on a request to another resource.

I think you already have another thread about JSR 196 (writing your
own auth module), but you can get more details from
http://jcp.org/en/jsr/detail?id=196.

Cheers,
Bobby
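As an added illustration of the server-auth-module approach described in the reply (this is not code from the thread, from GlassFish or from the JSR 196 reference implementation), here is a servlet-profile JSR 196 ServerAuthModule that recomputes the caller's groups from the requested URI on every request instead of caching them, which addresses the "same credentials on another resource" concern. The class name, the HTTP Basic credential check and the in-memory credential and grant tables are constructed assumptions for the example.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
// Servlet-profile SAM: groups come from (caller, request URI) on every request and are
// never cached, so a credential reused on another resource gets only that resource's groups.
public class ResourceScopedGroupsModule implements ServerAuthModule {
    // Constructed sample data for illustration only: credentials and per-resource grants.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    private static final Map<String, Map<String, String[]>> GRANTS = Map.of(
        "alice", Map.of("/payroll", new String[] { "payroll-user" },
                        "/admin",   new String[] { "admin" }));
    private CallbackHandler handler;   // container-supplied; it populates the Subject
    public void initialize(MessagePolicy req, MessagePolicy res, CallbackHandler h, Map opts) {
        this.handler = h;
    }
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service)
            throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        String user = authenticate(req);
        if (user == null) return AuthStatus.SEND_FAILURE;
        try {   // hand the caller name and the resource-scoped groups to the container
            handler.handle(new Callback[] { new CallerPrincipalCallback(client, user),
                new GroupPrincipalCallback(client, groupsFor(user, req.getRequestURI())) });
        } catch (Exception e) { throw (AuthException) new AuthException(e.getMessage()).initCause(e); }
        return AuthStatus.SUCCESS;
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject subject) { subject.getPrincipals().clear(); }
    // HTTP Basic check against the constructed table; returns the caller name or null.
    static String authenticate(HttpServletRequest req) {
        String h = req.getHeader("Authorization");
        if (h == null || !h.startsWith("Basic ")) return null;
        String[] up = new String(Base64.getDecoder().decode(h.substring(6))).split(":", 2);
        return up.length == 2 && up[1].equals(PASSWORDS.get(up[0])) ? up[0] : null;
    }
    // Groups the caller holds for this URI only; an unknown caller or resource gets none.
    static String[] groupsFor(String user, String uri) {
        for (Map.Entry<String, String[]> e : GRANTS.getOrDefault(user, Map.of()).entrySet())
            if (uri.startsWith(e.getKey())) return e.getValue();
        return new String[0];
    }
}
```

With this layout "alice" carries the admin group only while a request under /admin is being evaluated; a request under /payroll with the same credentials is populated with payroll-user alone.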