[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Regarding JEE security with fortress

To: openldap-fortress@openldap.org
Subject: Re: Regarding JEE security with fortress
From: Shawn McKinney <shawn.mckinney@jts.us>
Date: Fri, 20 Dec 2013 07:40:02 -0600
In-reply-to: <CAJtV1dT6sD=R9z701PULw=sZ5U3boqgWgWfD5EKThKCLLhFLdg@mail.gmail.com>
Organization: JoshuaTree Software
References: <CAJtV1dSbEGO167hOq9GRJ0w0hAuX+ehPDSceQ4Uhem7C6nNs1w@mail.gmail.com> <CAJtV1dT6sD=R9z701PULw=sZ5U3boqgWgWfD5EKThKCLLhFLdg@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0

Hello Ramandeep,

Yes you are indeed describing one of the limitations for traditional JEE security, or perhaps more correctly - pre-JACC JEE security. While providing a JACC provider is on our roadmap in the meantime you can work around the limiation by using hierarchical roles. That is to say you place the parent role within the JEE deployment descriptor. This declaration does not need to change. New users (who presumably require new roles), will be assigned a role that has the JEE role (declared in web.xml) as parent.

Note this is a prescription for coarse-grained security. JEE security is providing authentiation and validation that user has at least one of the roles required to hit the app. This means the container will make sure a user doesn't wander into the app unnecessarily by stopping him or her at the front door. Finer-grained checks, i.e. fortress-style permission checks, happen deeper in the app and will enforce the application security controls. The best place for the fine-grained checks is inside spring or application framework as described in this paper/sample application:

https://symas.com/kb/using-ansi-rbac-security-enforcement-inside-wicket-6-x-applications/

Shawn

On 11/29/2013 07:50 AM, raman nanda wrote:

Hi,

Resending.

Regards,
Ramandeep

On Nov 29, 2013 3:10 PM, "raman nanda" <ramannanda9@gmail.com> wrote:

Hi,

I have been browsing the example of security posted on iamfortress. I have a query, I would be glad if anyone can answer it.

Fortress security requires that the roles be defined in the deployment descriptor i.e web.xml . Now as we have to define the roles in the deployment descriptor ; So even though we can create new roles using the SDK, we would have to redeploy the application with new deployment descriptor every time a new role is added. Apache Shiro on other hand uses a filter and all you need to specify is where to find the roles and permissions. You do not have to declare them in the deployment descriptor. Is there something of this sort available with fortress ?

Any thoughts on how to overcome this limitation ?

Regards,
--
Ramandeep Singh
http://ramannanda.blogspot.com
ramannanda9@gmail.com

-- 
Shawn McKinney
shawn.mckinney@jts.us

References:
- Re: Regarding JEE security with fortress
  - From: raman nanda <ramannanda9@gmail.com>

Prev by Date: Re: Regarding SDK API usage
Next by Date: Re: Members in PoolMgr
Index(es):
- Chronological
- Thread