If I understand your requirement correctly, there is a fixed number of "system services", but the authorization required to access a given "system service" can be changed dynamically.
As you wrote, you need the concepts of user, role and permission. A permission is used to represent the access on a resource; in your case there would be one permission per "system service". Permissions can then be granted/denied to particular users or groups.
Unfortunately, only the concepts of role and user have been standardized in the J2EE security model; this means that you will not be able to achieve this level of flexibility using the built-in declarative security (security defined using deployment descriptors or annotations).
If the system administrator adds, removes or changes the role, you will need to change the deployment descriptor or annotation accordingly (note that if you are using deployment descriptors, you will not need to recompile your application, but only to repackage it).
I don't know if this is acceptable for you.
If not, this means that you will need to implement part of the authorization mechanism yourself.
Here is a possible solution:
- let Glassfish manage the authentication;
- get the Principal name available in the web or ejb tier;
- connect to the credential store (LDAP?) and get the list of roles for the Principal (note that isCallerInRole() will not work if the role is not defined in the deployment descriptor or annotations, so you probably need to fetch them yourself);
- implement the permission checking yourself (you probably need to store the mapping of permissions with groups in a database).
We had essentially the same requirement and we implemented the solution described above. This is a bit tricky and if there is a simpler way to manage this situation I would be glad to hear it.
[Message sent by forum member 'ewernli' (ewernli)]
http://forums.java.net/jive/thread.jspa?messageID=278401
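
The permission check outlined in the post above, as an added example that is not code from the post or from Glassfish. `ServiceAuthorizer`, `RoleSource`, the `user:`/`group:` subject prefixes and the sample data are hypothetical: `RoleSource` stands in for the LDAP lookup, the in-memory map stands in for the database table, and the `Principal` would come from `HttpServletRequest.getUserPrincipal()` or `EJBContext.getCallerPrincipal()` after container authentication.

```java
import java.security.Principal;
import java.util.*;

public class ServiceAuthorizer {
    /** Hypothetical lookup of a user's groups, e.g. backed by LDAP. */
    public interface RoleSource { Set<String> rolesFor(String principalName); }

    public enum Effect { GRANT, DENY }

    private final RoleSource roles;
    // permission (one per "system service") -> subject ("user:x" or "group:y") -> effect.
    // In-memory stand-in for the database mapping mentioned in the post.
    private final Map<String, Map<String, Effect>> acl = new HashMap<>();

    public ServiceAuthorizer(RoleSource roles) { this.roles = roles; }

    public synchronized void set(String permission, String subject, Effect effect) {
        acl.computeIfAbsent(permission, k -> new HashMap<>()).put(subject, effect);
    }

    /** Deny by default; an explicit DENY on the user or any of their groups overrides a GRANT. */
    public synchronized boolean isAllowed(Principal caller, String permission) {
        if (caller == null || caller.getName() == null) return false; // unauthenticated caller
        Map<String, Effect> entries = acl.getOrDefault(permission, Map.of());
        List<String> subjects = new ArrayList<>();
        subjects.add("user:" + caller.getName());
        for (String r : roles.rolesFor(caller.getName())) subjects.add("group:" + r);
        boolean granted = false;
        for (String s : subjects) {
            Effect e = entries.get(s);
            if (e == Effect.DENY) return false;   // deny wins over any grant
            if (e == Effect.GRANT) granted = true;
        }
        return granted;                            // no matching entry means no access
    }

    public static void main(String[] args) {
        // Constructed sample directory: two known users and their groups.
        Map<String, Set<String>> directory = Map.of(
            "alice", Set.of("operators"), "bob", Set.of("operators", "contractors"));
        ServiceAuthorizer authz = new ServiceAuthorizer(n -> directory.getOrDefault(n, Set.of()));
        authz.set("service.restart", "group:operators", Effect.GRANT);
        authz.set("service.restart", "group:contractors", Effect.DENY);
        Principal alice = () -> "alice", bob = () -> "bob", eve = () -> "eve";
        for (Principal p : List.of(alice, bob, eve))
            System.out.println(p.getName() + " -> " + authz.isAllowed(p, "service.restart"));
        authz.set("service.restart", "user:alice", Effect.DENY); // changed at runtime, no redeploy
        System.out.println("alice after deny -> " + authz.isAllowed(alice, "service.restart"));
    }
}
```

Because the mapping is data rather than deployment-descriptor roles, an administrator can change it while the application is running; the check fails closed for unknown users, unknown permissions and unauthenticated callers.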