> Thanks Ron!
>
> > although it would help if you can describe how the
> > application would know how to handle roles that it
> > didn't know about at the time it was developed?
>
> My JEE application reads reports from a file system,
> which were written there by another application. Our
> security policy implies that a user has to be member
> of a group with a name which is the same as a folder
> name in the file system.
>
> So the idea is that the reporting guys could simply
> create a new role by adding a folder to the file
> system and a group to the LDAP server.
>
> I know that this is quite a strange architecture but
> integration isn't always an easy thing :-)
Thanks, I was trying to understand how any app could be expected to know how to handle roles it didn't know (at the time the app was compiled) how to name and handle. I was trying to figure out if there are real cases where one cannot predict the relevant role name, and yet somehow will know how to enforce the semantics associated with the role. It looks to me that in your use case, role-names are predictable, as well as the associated access semantics. As such, I would expect that you know the role-name to test, based on the target folder-name, which should allow you to be able to fully implement your use case with isUserInRole.

That said, if I have misunderstood, or for anyone who needs to know how to determine the (dynamic) role-memberships of their caller, please check out the description at:
http://blogs.sun.com/monzillo/entry/using_jacc_to_determine_a
[Message sent by forum member 'monzillo' (monzillo)]
http://forums.java.net/jive/thread.jspa?messageID=294001
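
The folder-name-as-role check discussed in this thread, as an added example that is not part of the original forum messages: a servlet that takes the role name to test from the requested folder and refuses any path that could change which folder, and so which role, is checked. The class name `ReportServlet`, the `/reports/<folder>/<file>` URL layout and the `/data/reports` root are hypothetical, and the code assumes the container maps each LDAP group to a role of the same name so that `isUserInRole` can answer for it.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped to /reports/*; expects /<folder>/<file>.
public class ReportServlet extends HttpServlet {
    // Assumed directory where the other application writes its reports.
    private static final Path ROOT = Paths.get("/data/reports");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String info = req.getPathInfo();              // e.g. "/finance/q1.pdf"
        String[] parts = (info == null) ? new String[0] : info.split("/");
        // parts[0] is empty (leading slash); require exactly folder + file.
        if (parts.length != 3 || !isPlainName(parts[1]) || !isPlainName(parts[2])) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String folder = parts[1];
        // The role name to test is the validated folder name itself.
        if (req.getUserPrincipal() == null || !req.isUserInRole(folder)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Path file = ROOT.resolve(folder).resolve(parts[2]);
        if (!Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Resolve symlinks and confirm the file still lives in the folder
        // the caller was authorized for, not in a sibling folder.
        if (!file.toRealPath().startsWith(ROOT.resolve(folder).toRealPath())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("application/octet-stream");
        Files.copy(file, resp.getOutputStream());
    }

    // Accept only simple names: no separators, no "." or ".." segments.
    private static boolean isPlainName(String s) {
        return s.matches("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");
    }
}
```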