users@javaee-security-spec.java.net

[javaee-security-spec users] [jsr375-experts] Re: Example of Permission usage in Java EE

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Fri, 3 Apr 2015 13:43:24 +0200

Hi,

On Fri, Apr 3, 2015 at 9:24 AM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
> With standardized group to role mapping, there would already be a fixed 2/3
> level hierarchy. I agree, maybe not of the flexibility as shown in the link
> you gave, but a true hierarchy nevertheless.

P.s. to elaborate on this:

The example in your link mentions:

"The simple permission string may work for simple applications, but it
requires you to have permissions like "viewNewsletter",
"deleteNewsletter", "createNewsletter", etc. [...]. But using this
approach there's no way to just say a user has "all newsletter
permissions"."

And then using the multiple level solution:

"So if you wanted to grant a user all actions in the newsletter
domain, you could simply give them "newsletter:*". Now, any permission
check for "newsletter:XXX" will return true."

This particular example however can already be done by Java EE security.

You just create a group "newsletter" and then map "viewNewsletter",
"deleteNewsletter", "createNewsletter" to it, then you simply give a
user the group "newsletter". Now, any role check for "XXXNewsletter"
would return true.

Of course, as I mentioned, the token/wildcard approach is more flexible,
as I think it allows unlimited levels, and you can wildcard
intermediate nodes, e.g. as the example mentions, check for
"newsletter:*:13" (grant a user all actions for newsletter 13).

Kind regards,
Arjan Tijms





>
> Kind regards,
> Arjan Tijms
>
>
>
>
>
>>
>>
>> Unfortunately, I'm not good in inventing names for things, but maybe other
>> members are more creative.
>>
>> regards
>> Rudy
>>
>> (1)
>> https://shiro.apache.org/static/1.2.3/apidocs/org/apache/shiro/authz/permission/WildcardPermission.html
>>
>> On 2 April 2015 at 22:59, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> The term "permission" came up a couple of times in discussions of this
>>> EG. While I certainly understand the intuitive feeling around this term, one
>>> somewhat thorny issue is that this name is already taken in Java EE
>>> security.
>>>
>>> To illustrate this I wrote the following article:
>>> http://arjan-tijms.omnifaces.org/2015/04/how-java-ee-translates-webxml.html
>>>
>>> Hope this may be helpful.
>>>
>>> Kind regards,
>>> Arjan Tijms
>>
>>
>
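The two models compared in the message above, side by side, as an added example that is not part of the thread or of any project discussed in it: a flat group-to-role mapping in the spirit of the Java EE mapping Arjan describes (the `GROUP_TO_ROLES` table and the `newsletter`/`billing` sample data are constructed here), and a part-by-part wildcard matcher whose implication rules are modelled on the documented behaviour of Apache Shiro's `WildcardPermission` linked earlier in the thread. The matcher is an independent re-implementation written for this example, not Shiro's code, and the function names (`is_user_in_role`, `implies`, `is_permitted`) are this example's own.

```python
"""Added example: "all newsletter permissions" expressed two ways.

1. Group-to-role mapping: granting the group "newsletter" grants every
   *Newsletter role, so any role check in that domain succeeds.
2. Wildcard permissions: "newsletter:*:13" is matched part by part, which
   can also express "all actions, but only for newsletter 13".
Rules in part 2 are modelled on Shiro's WildcardPermission; this is not
Shiro's code.
"""

# --- 1. Group-to-role mapping -------------------------------------------

# Constructed sample mapping (assumption for this example): one group
# expands to every role in the "newsletter" domain, as the mail describes.
GROUP_TO_ROLES = {
    "newsletter": {"viewNewsletter", "deleteNewsletter", "createNewsletter"},
    "billing": {"viewInvoice"},
}


def roles_for_groups(groups):
    """Flatten a principal's groups into the set of application roles."""
    roles = set()
    for group in groups:
        roles |= GROUP_TO_ROLES.get(group, set())
    return roles


def is_user_in_role(groups, role):
    """The role check a container performs after group-to-role mapping."""
    return role in roles_for_groups(groups)


# --- 2. Wildcard permissions --------------------------------------------

WILDCARD = "*"
PART_SEP = ":"
SUBPART_SEP = ","


def parse_permission(text):
    """Split "newsletter:view,delete:13" into [{"newsletter"}, {"view", "delete"}, {"13"}]."""
    parts = []
    for raw in text.strip().split(PART_SEP):
        subparts = {s.strip() for s in raw.split(SUBPART_SEP) if s.strip()}
        if not subparts:
            raise ValueError(f"empty part in permission {text!r}")
        parts.append(subparts)
    return parts


def implies(granted, requested):
    """True if the granted permission string covers the requested one.

    * a "*" part matches anything in that position;
    * otherwise the granted part must contain every requested sub-part;
    * a granted permission with fewer parts implies any longer requested
      one ("newsletter:view" implies "newsletter:view:13");
    * a granted permission with more parts implies a shorter one only if
      every extra part is "*" ("newsletter:*" implies "newsletter").
    """
    g_parts = parse_permission(granted)
    r_parts = parse_permission(requested)
    for i, r_part in enumerate(r_parts):
        if i >= len(g_parts):
            return True
        g_part = g_parts[i]
        if WILDCARD not in g_part and not g_part >= r_part:
            return False
    # Extra granted parts beyond the request must all be wildcards.
    return all(WILDCARD in g_parts[j] for j in range(len(r_parts), len(g_parts)))


def is_permitted(granted_permissions, requested):
    """True if any granted permission string implies the requested one."""
    return any(implies(g, requested) for g in granted_permissions)


if __name__ == "__main__":
    editor_groups = {"newsletter"}
    print(is_user_in_role(editor_groups, "deleteNewsletter"))  # True
    print(is_user_in_role(editor_groups, "viewInvoice"))       # False

    grants = ["newsletter:*:13", "billing:view"]
    print(is_permitted(grants, "newsletter:delete:13"))         # True
    print(is_permitted(grants, "newsletter:delete:14"))         # False
```

The group approach answers "may this user do anything in the newsletter domain?" with one mapping entry, exactly as the mail argues. What it cannot express without minting a role per newsletter is the intermediate-node wildcard: with the grants above, `newsletter:delete:13` is permitted while `newsletter:delete:14` is refused, and `newsletter:view:13` would be refused as well if the grant were the shorter `newsletter:view` and the request named a different action.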