Hi Joni,
That sounds pretty interesting; however, I still have some doubts.
Let's see:
.- Where do you get the user from (the one you use with
user.getSubject()). Can these users be specified dynamically through a
standard interface? Or do they have to be specified in a container
specific way?
.- Can the policy file be specified on a "per web application basis", or
is there just one policy file for the whole system? This way I
could specify the security of my applications independently. And
could this information be extracted from a database/URL instead of a
system file?
Just curious to see how I could use this standard API without losing all
the flexibility and dynamicity that I've already accomplished with my
own implementation.
Regards and thanks for the info,
D.
Joni Suominen wrote:
>
> Hi Daniel,
>
> JAAS is not necessarily tied to the OS user. Actually you can tie it to
> the OS user by using proper login modules which can authenticate if a
> user is already logged into an OS. However, in a true Java spirit, JAAS
> is much more generic. In fact it is just a framework to implement
> versatile authentication and authorization schemes. For instance, I
> authenticate users against a relational database (some might use LDAP).
> JAAS provides abstractions to represent a user's identity and
> permissions. It also provides algorithms to check if the configured security
> policy implies a certain permission.
>
> Some sample code:
>
> PagePermission pagePermission = new PagePermission("admin");
> PermissionCollection pc =
>     Policy.getPolicy().getPermissions(user.getSubject(), null);
>
> if (pc.implies(pagePermission)) {
>     // authorization succeeded...
> }
> else {
>     // authorization failed: the current user doesn't have permission to
>     // view a page on this domain.
> }
>
> Then on policy file I might have:
>
> grant Principal org.shiftctrl.framework.security.SCGroupPrincipal "admin" {
>     permission org.shiftctrl.framework.security.permissions.PagePermission "admin";
> };
>
> This way it is easy to implement multiuser Java applications where
> accesses are controlled on a per-user or per-group level. JAAS is also
> integrated into JDK 1.4, like the new logging API you mentioned.
>
> --
> Joni
> [EMAIL PROTECTED]
>
<snipped...>
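A worked example of the authorization check Joni describes, added here and not part of either message in the thread. It builds a `Subject` carrying group principals the way a login module would after authentication, looks up the permissions granted to those groups, and performs the same `pc.implies(pagePermission)` check as the quoted snippet. The `GroupPrincipal`, `PagePermission` and `GroupPolicy` classes are assumptions standing in for `SCGroupPrincipal`, `PagePermission` and the policy file of the original; the in-memory map inside `GroupPolicy` is a constructed stand-in for a per-application policy source such as a database table, which is one way to address the "per web application" question above without going through the JDK's global `Policy`. Only standard `java.security` and `javax.security.auth` types are used.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;

public final class JaasPolicyDemo {

    /** Hypothetical group principal; a login module would add one per group the user belongs to. */
    static final class GroupPrincipal implements Principal {
        private final String name;
        GroupPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof GroupPrincipal && ((GroupPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "GroupPrincipal[" + name + "]"; }
    }

    /** Hypothetical page permission; BasicPermission supplies exact-name and "prefix.*" matching. */
    static final class PagePermission extends BasicPermission {
        PagePermission(String name) { super(name); }
    }

    /**
     * Hypothetical per-application policy: group name -> granted permissions.
     * The map is a constructed stand-in for a database table; each entry plays the
     * role of one "grant Principal ... { permission ...; };" block in a policy file.
     */
    static final class GroupPolicy {
        private final Map<String, List<Permission>> grants = new HashMap<>();

        GroupPolicy grant(String group, Permission p) {
            grants.computeIfAbsent(group, g -> new ArrayList<>()).add(p);
            return this;
        }

        /** Collect the permissions granted to every GroupPrincipal the subject carries. */
        PermissionCollection getPermissions(Subject subject) {
            Permissions pc = new Permissions();
            for (GroupPrincipal g : subject.getPrincipals(GroupPrincipal.class)) {
                for (Permission p : grants.getOrDefault(g.getName(), Collections.emptyList())) {
                    pc.add(p);
                }
            }
            pc.setReadOnly(); // deny by default: nothing can be added once evaluation starts
            return pc;
        }

        /** The same check as pc.implies(pagePermission) in the thread. */
        boolean isAuthorized(Subject subject, Permission required) {
            return getPermissions(subject).implies(required);
        }
    }

    /** Build a read-only Subject as a login module would after successful authentication. */
    static Subject subjectForGroups(String... groups) {
        Set<Principal> principals = new HashSet<>();
        for (String g : groups) {
            principals.add(new GroupPrincipal(g));
        }
        return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
    }

    public static void main(String[] args) {
        GroupPolicy policy = new GroupPolicy()
            .grant("admin", new PagePermission("admin"))
            .grant("admin", new PagePermission("reports.*"))
            .grant("staff", new PagePermission("reports.daily"));

        Subject admin = subjectForGroups("admin");
        Subject staff = subjectForGroups("staff");
        Subject anon  = subjectForGroups();

        System.out.println("admin -> admin page:          " + policy.isAuthorized(admin, new PagePermission("admin")));
        System.out.println("admin -> reports.weekly page: " + policy.isAuthorized(admin, new PagePermission("reports.weekly")));
        System.out.println("staff -> reports.daily page:  " + policy.isAuthorized(staff, new PagePermission("reports.daily")));
        System.out.println("staff -> reports.weekly page: " + policy.isAuthorized(staff, new PagePermission("reports.weekly")));
        System.out.println("anon  -> admin page:          " + policy.isAuthorized(anon, new PagePermission("admin")));
    }
}
```

Running the class shows the first three checks succeeding and the last two failing: the `reports.*` grant covers `reports.weekly` for the admin group because `BasicPermission` treats a trailing `.*` as a hierarchical wildcard, while a subject with no matching `GroupPrincipal` ends up with an empty, read-only collection and is denied. Keeping `GroupPolicy` as the single place where grants are resolved is what lets the policy source be swapped (file, database, per-application table) without touching the call sites that do the `implies` check.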