Am Thu, 28 Apr 2011 08:02:38 -0700 (PDT)
schrieb ljnelson <ljnelson_at_gmail.com>:
> > As another thought, couldn't I somehow make use of JAAS and map JAAS
> > principals to (application specific) roles for use with
> > @RolesAllowed in some way?
> >
>
> Well, JACC is a specification that governs how JAAS is to be used in
> a Java EE environment.
> Ultimately, JAAS uses a Policy. JACC formalizes what kinds of
> Permissions get handed to a Policy in the world of a Java EE
> application.
Ah, thanks for clarifying and sorry for the mess-up. Looking at the
state of APIs and technologies in Java EE > 1.4, I have to say that
this is not (yet?) on par with servlets and friends from an ease-of-use
point of view, which eventually is not a good thing as we're talking
about security. ;)
Anyway: At the moment I try evaluating which solutions are at hand to
be used in our case. This is how I see things at the moment:
* Use the @RolesAllowed and, ultimately, JACC and java.security.Policy.
This is a tedious bunch of work which would not be too difficult, but
from my point of view this goes too deep into the whole rest of the
infrastructure as, as pointed out before, it is effective not just on
application- or application server but even on VM level. Given our
current lack of experience with this technology, from my point of
view this is too risky to be a real option.
* Go for a "proprietary" way and make use of a servlet filter wrapped
around the JAX-RS endpoints to take care of auth and access control.
This is not a really clean way but it seems the least painful in
terms of overall scope of changes as it just affects the resources to
be protected.
* Find another option on a level not as low/general as
java.security.Policy to just take care of the features we need. Given
in most cases there are many ways of how to extend or hook into
existing technologies, I really am surprised to see this ain't
possible here. After reading through [1], I stumbled across [2] in
order to write a custom (Glassfish) realm to provide just what we
need here - domain-specific user and group names to then be mapped to
application specific roles, but, given our elaborations on JACC, I am
unsure whether this would really do what we need here.
Thoughts on that, anyone? Would the custom-realm approach (a) work and
(b) do? Any pitfalls, ... to expect here?
TIA and all the best,
Kristian
[1]
http://download.oracle.com/javaee/5/tutorial/doc/bnbxj.html
[2]
http://blogs.sun.com/nithya/entry/groups_in_custom_realms