users@glassfish.java.net

Re: Dynamic role handling

From: Miroslav Nachev <miro_at_space-comm.com>
Date: Thu, 17 May 2007 11:20:34 +0300

Hi Bobby,

> I'm not aware of anything like this, since the groups are mapped to
> roles statically without other information such as beans (the mappings
> are scoped to the whole application). This could be an interesting RFE
> if you'd like to file it.
Yes, I can try to do that. Do you have any requirements or templates for how
the document should look?
How can I submit this in jsr 196? Or where should I send it?
If I do a reference implementation, where should I send it?

At the moment, the problem that I don't know how to resolve is how to
pass the invoker EnterpriseBean to the Realm in method getGroupNames.


Best Regards,
Miroslav Nachev


Bobby Bissett - Javasoft wrote:
>> JDBC Realm this can be realized very easily. So, my question is: is it
>> possible to retrieve or to receive the invoker EnterpriseBean?
>> The best variant would be if in JavaEE 5 Security this method looked like this:
>>     getGroupNames(String username, EnterpriseBean targetObject)
>> The existing getGroupNames can be specified as follows:
>>     getGroupNames(String username)
>>     {
>>         getGroupNames(username, null);
>>     }
>
> I'm not aware of anything like this, since the groups are mapped to
> roles statically without other information such as beans (the mappings
> are scoped to the whole application). This could be an interesting RFE
> if you'd like to file it.
>
> Asking around the security team, it was suggested that you can do what
> you'd like by writing a custom policy module that modifies the
> required privileges to match the resource, or that adds additional
> privilege attributes to the access control context/protection domain
> (based on the target resource) used in the policy evaluation.
>
> Or you could write a server auth module that adds additional privilege
> attributes based on the target resource (which would likely be
> simpler), but this approach could be problematic if the same
> credentials are used on a request to another resource.
>
> I think you're already having another thread about jsr 196 (writing
> your own auth module), but you can get more details from
> http://jcp.org/en/jsr/detail?id=196.
>
> Cheers,
> Bobby
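Added example, not part of the original thread and not GlassFish or JSR 196 code: a plain-Java model of the trade-off Bobby describes, comparing groups resolved once at authentication time with groups resolved per access decision from the target bean. All class, method, bean and user names are hypothetical, and it assumes the auth-module problem he mentions is that groups attached to the credentials for one target carry over to a request for another.

```java
import java.util.Map;
import java.util.Set;

// Illustration only; every name here is hypothetical.
public class ResourceScopedGroups {
    // Constructed sample data: user -> target bean -> groups.
    // This is the per-bean lookup that getGroupNames(username, targetObject) would need.
    static final Map<String, Map<String, Set<String>>> GROUPS = Map.of(
        "miro", Map.of("OrdersBean", Set.of("manager"),
                       "PayrollBean", Set.of("viewer")));

    // Static, application-wide group-to-role mapping, as described in the thread.
    static final Map<String, String> GROUP_TO_ROLE =
        Map.of("manager", "Approver", "viewer", "Reader");

    static Set<String> groupsFor(String user, String bean) {
        return GROUPS.getOrDefault(user, Map.of()).getOrDefault(bean, Set.of());
    }

    static boolean inRole(Set<String> groups, String role) {
        return groups.stream().anyMatch(g -> role.equals(GROUP_TO_ROLE.get(g)));
    }

    // Auth-module style: groups are resolved for the first target and kept with the credentials.
    static final class Session {
        final Set<String> groups;
        Session(String user, String firstTarget) { this.groups = groupsFor(user, firstTarget); }
        // The target bean is ignored: the decision uses whatever was attached at login.
        boolean allowed(String bean, String role) { return inRole(groups, role); }
    }

    // Policy-module style: groups are derived from the target resource at each decision.
    static boolean policyAllowed(String user, String bean, String role) {
        return inRole(groupsFor(user, bean), role);
    }

    public static void main(String[] args) {
        Session s = new Session("miro", "OrdersBean");
        // Same credentials reused against a second bean: the stale "manager" group still applies.
        System.out.println("auth module, OrdersBean : " + s.allowed("OrdersBean", "Approver"));
        System.out.println("auth module, PayrollBean: " + s.allowed("PayrollBean", "Approver"));
        // Per-decision lookup grants Approver on OrdersBean only.
        System.out.println("policy,      OrdersBean : " + policyAllowed("miro", "OrdersBean", "Approver"));
        System.out.println("policy,      PayrollBean: " + policyAllowed("miro", "PayrollBean", "Approver"));
    }
}
```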