JAAS good for RBAC?

Thread view:

William Z. - 23 Mar 2006 01:05 GMT

I am doing a web app where I will have 4 different user roles and need
to have some sort of role based access control. I have a main admin user
which needs to be able to grant priveledges to all the other roles, and
each other role can grant privs to the role less than it. Also, each
role will need to be logged in w/ some type of login system.

I'm wondering if JAAS is good for this or if there is something better
that makes a good implementation.

Reply to this Message

Dag Sunde - 23 Mar 2006 01:40 GMT

>I am doing a web app where I will have 4 different user roles and need to
>have some sort of role based access control. I have a main admin user which
[quoted text clipped - 4 lines]
> I'm wondering if JAAS is good for this or if there is something better
> that makes a good implementation.

Never really looked into it, but can the "Role" pattern be of use?
http://st-www.cs.uiuc.edu/users/hanmer/PLoP-97/Proceedings/riehle.pdf

Signature

Dag.

Reply to this Message

Oliver Wong - 24 Mar 2006 19:34 GMT

Never heard of JAAS before your post, but after some quick googling, I
found
http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/tutorials/GeneralAcnAndA
zn.html

You assign permissions based on principals, and every user can have
multiple principals associated to them (a given collection of principals
that a user has is called a subject). So a user who is both, for example, an
"Backup Technician" and a "Programmer" would simply have both the "Backup
Technician" principal, and the "Programmer" principal.

By having the "Backup Technician" principals, she'd have access to
scheduling the backup processes, and the backup tapes. By having the
"Programmer" principals, she'd have access to CVS and perhaps the wiki where
documentation is stored. (This is assuming that all of this stuff is control
from Java).

- Oliver

Reply to this Message

JAAS good for RBAC?

Free Magazines