dev@jsr311.java.net

SecurityContext idea

From: Ryan McDonough <ryan_at_damnhandy.com>
Date: Thu, 20 Sep 2007 08:50:20 -0400

All,

Attached is an idea for an injectable SecurityContext interface that would
provide access to security-related information. Usage of this interface
would be as follows:

class PeopleResource {

   @HttpContext SecurityContext securityContext;

   @UriTemplate("{id}")
   PersonResource getPerson(@UriParam("id") String id) {
     // Choose the sub-resource from the caller's role
     if (securityContext.isUserInRole("paidSubscriber")) {
       return new PaidPersonResource(id);
     } else {
       return new CheapSkatePersonResource(id);
     }
   }
 }

Additionally, you could test that the PaidPersonResource is being requested
over a secure channel:

class PeopleResource {

   @HttpContext SecurityContext securityContext;

   @UriTemplate("{id}")
   PersonResource getPerson(@UriParam("id") String id) {
     if (securityContext.isUserInRole("paidSubscriber")) {
       // Only hand out the paid resource over a secure channel
       if (securityContext.isTransportSecure()) {
         return new PaidPersonResource(id);
       } else {
         //-- Return Error
       }
     } else {
       return new CheapSkatePersonResource(id);
     }
   }
 }

Optionally, we could use JSR-250 annotations to perform the same task
declaratively:


class PeopleResource {

   @UriTemplate("{id}")
   @RolesAllowed({"paidSubscriber"})
   PersonResource getPaidPersonResource(@UriParam("id") String id) {
     return new PaidPersonResource(id);
   }

   @UriTemplate("{id}")
   @RolesAllowed({"basic"})
   PersonResource getCheapSkatePersonResource(@UriParam("id") String id) {
     return new CheapSkatePersonResource(id);
   }
 }

As far as configuring a security domain, this is probably something best
left to the container, but I haven't worked out the exact details yet.

Ryan-
-- 
Ryan J. McDonough
http://www.damnhandy.com
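
The declarative variant above leaves the role check to the container. The following is an added example, not code from the original message or from JSR-311, showing one way such a check could run before dispatch. It assumes the SecurityContext interface has only the two methods the message calls (the attachment is not reproduced here), uses a local stand-in for JSR-250's @RolesAllowed, and the isAllowed and ctx helpers are hypothetical.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Set;
public class RolesAllowedCheck {
    // Assumed shape: only the two methods used in the message.
    interface SecurityContext {
        boolean isUserInRole(String role);
        boolean isTransportSecure();
    }

    // Local stand-in for JSR-250's javax.annotation.security.RolesAllowed.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RolesAllowed { String[] value(); }

    static class PeopleResource {
        @RolesAllowed({"paidSubscriber"})
        public String getPaidPerson(String id) { return "paid:" + id; }
        @RolesAllowed({"basic"})
        public String getCheapSkatePerson(String id) { return "basic:" + id; }
    }

    // Hypothetical container-side check, run before dispatching to the method.
    static boolean isAllowed(Method m, SecurityContext ctx, boolean requireSecure) {
        if (requireSecure && !ctx.isTransportSecure()) return false; // fail closed
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) return false; // unannotated methods are denied in this sketch
        return Arrays.stream(ra.value()).anyMatch(ctx::isUserInRole);
    }

    // Constructed caller context: a fixed role set and transport flag.
    static SecurityContext ctx(Set<String> roles, boolean secure) {
        return new SecurityContext() {
            public boolean isUserInRole(String r) { return roles.contains(r); }
            public boolean isTransportSecure() { return secure; }
        };
    }

    public static void main(String[] args) throws Exception {
        Method paid = PeopleResource.class.getMethod("getPaidPerson", String.class);
        Method cheap = PeopleResource.class.getMethod("getCheapSkatePerson", String.class);
        // Subscriber over a secure channel, then over an insecure one.
        System.out.println(isAllowed(paid, ctx(Set.of("paidSubscriber"), true), true));
        System.out.println(isAllowed(paid, ctx(Set.of("paidSubscriber"), false), true));
        // Basic user asking for the paid method, then for the basic one.
        System.out.println(isAllowed(paid, ctx(Set.of("basic"), true), true));
        System.out.println(isAllowed(cheap, ctx(Set.of("basic"), false), false));
    }
}
```

Only the first and last calls are allowed: the transport test runs before any role lookup, and a method without the annotation is denied rather than treated as open.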