[JBoss-user] [Security & JAAS/JBoss] - Re: How to handle dynamic authorization?
Thanks Scott for the great insight. Do you think this would qualify as an enhancement request to the security interceptor, I hope? "Add/remove transient roles to the ejb security context using the security interceptor, to leverage the J2EE declarative security model."

It seems that I cannot use the declarative security model because I cannot add to the ejb context using the interceptor. Today I cannot declaratively configure my security in the ejb-jar.xml for the updatePerson method so that I could have configured that manager, admin can update the person's record. This is because I'm not able to add to the security context based on the data that the person data being updated is by the manager. Your thoughts?

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3826924#3826924

JBoss-user mailing list: https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] [Security & JAAS/JBoss] - Re: How to handle dynamic authorization?
Your hook is the interception of the ejb method call. You can do whatever you want to determine who the caller is. You cannot change the roles assigned to the user at authentication time. You permit access based on the derived manager role and either allow the call or fail it with a SecurityException.

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3826627#3826627
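The two replies above (use a custom security proxy or interceptor; derive the manager relationship from the call's arguments; allow the call or throw SecurityException, since roles cannot be added after authentication) are illustrated by the following added example. It is not code from the thread or from JBoss itself; it is a JBoss 3.x-style security proxy written against the org.jboss.security.SecurityProxy interface as I recall it (init/setEJBContext/invokeHome/invoke; check the signatures against the SecurityProxy class in the JBoss version you deploy on). The class name PersonSecurityProxy, the in-memory MANAGER_OF table and the employee IDs in it are assumptions constructed for the example; in a real deployment the manager lookup would query the Person data instead.

```java
package com.example.security;

import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;

import javax.ejb.EJBContext;

import org.jboss.security.SecurityProxy;

/**
 * Data-dependent authorization for PersonBean.updatePerson(int personID).
 *
 * The container calls invoke() before the bean method runs. The proxy cannot
 * add an "isManager" role to the caller; it can only let the call proceed or
 * abort it by throwing SecurityException. Static roles (here "admin") are
 * still checked through the declarative model via ctx.isCallerInRole(),
 * which requires a matching <security-role-ref> for the bean in ejb-jar.xml.
 */
public class PersonSecurityProxy implements SecurityProxy {

    private EJBContext ctx;

    // ASSUMPTION for the example: which principal manages which personID.
    // Constructed sample data; a real proxy would look this up from the
    // Person data (e.g. a finder on the Person entity), not a static map.
    private static final Map MANAGER_OF = new HashMap();
    static {
        MANAGER_OF.put(new Integer(101), "alice");
        MANAGER_OF.put(new Integer(102), "alice");
        MANAGER_OF.put(new Integer(103), "bob");
    }

    public void init(Class beanHome, Class beanRemote, Object securityMgr) {
        // nothing to set up for this check
    }

    public void init(Class beanHome, Class beanRemote, Class beanLocalHome,
                     Class beanLocal, Object securityMgr) {
        // nothing to set up for this check
    }

    public void setEJBContext(EJBContext ctx) {
        this.ctx = ctx;
    }

    public void invokeHome(Method m, Object[] args) throws SecurityException {
        // create/find on the home interface keep whatever ejb-jar.xml says
    }

    public void invoke(Method m, Object[] args, Object bean) throws SecurityException {
        if (!"updatePerson".equals(m.getName()) || args == null || args.length != 1) {
            return; // other methods are covered by declarative security alone
        }
        // updatePerson(int personID): the primitive arrives boxed in args[0]
        int personID = ((Integer) args[0]).intValue();
        String caller = ctx.getCallerPrincipal().getName();
        boolean isAdmin = ctx.isCallerInRole("admin");

        if (!isAllowed(caller, isAdmin, personID)) {
            // Failing the call here is the only outcome available to the
            // proxy; the container turns this into an access failure.
            throw new SecurityException("caller " + caller
                    + " is not admin or manager of person " + personID);
        }
    }

    /**
     * Returns true when the caller is an admin or is recorded as the
     * manager of personID. Unknown personIDs fail closed: the bean never
     * sees a record the proxy could not attribute to a manager.
     */
    static boolean isAllowed(String caller, boolean isAdmin, int personID) {
        if (isAdmin) {
            return true;
        }
        String manager = (String) MANAGER_OF.get(new Integer(personID));
        return manager != null && manager.equals(caller);
    }
}
```

The proxy is attached to the bean in jboss.xml with a `<security-proxy>com.example.security.PersonSecurityProxy</security-proxy>` element inside the bean's entry. Keep a `<method-permission>` for updatePerson in ejb-jar.xml that grants the broad roles (for example admin plus a general employee role) so that unauthenticated callers are rejected declaratively before the proxy runs, and let the proxy narrow the employee case to the actual manager.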
[JBoss-user] [Security & JAAS/JBoss] - Re: How to handle dynamic authorization?
In the custom security interceptor that I'll write up, would I have a hook to add to the roles? For example, since I would dynamically figure out, from the nature of the incoming data, whether I'm the person's manager or not, I would have to add the "isManager" role to the security context. How can I do this?

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3826616#3826616
[JBoss-user] [Security & JAAS/JBoss] - Re: How to handle dynamic authorization?
If the security check depends on the data coming in with the call then you really need to use a custom security interceptor. This can be handled by the current custom security proxy, or via your own custom security interceptor.

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3826595#3826595
[JBoss-user] [Security & JAAS/JBoss] - Re: How to handle dynamic authorization?
I expose a method in my remote interface called updatePerson(int personID). Now the only two roles that can execute this method are admin and isManager. Observe that the person being updated is a parameter being passed into the updatePerson method in the remote interface.

As I understand it, the CustomLoginModule would run even before the method gets executed. Hence, I have to pass the personID to this module so that I can then establish the relationship to the caller. Or, on the server side, can I write a SecurityProxyInterceptor that can add the role "isManager" to the EJBContext? Thanks!

View the original post: http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3826593#3826593