Hi all.
My problem is as follows: I want to deploy a system on IBM WAS where the
"standard" role-based security (based on EJB methods) is not sufficient.
Actually what I need is a "two-phase" authorization, based on
"assignments", according to the following rules:
* The role of the user defines which types of assignments s/he may carry
out. E.g. Manager can perform assignments of types A, B & C, Employee can
perform assignments of types C & D etc.
* The user logs in and (according to his/her role) selects an assignment
and starts to run it. The methods that I want to make available depend on
the type of the assignment, e.g. for assignment type A methods 1, 2 & 3
are available, for assignment type B methods 3 & 4 etc.
I tried to see if I can use (or abuse) JAAS roles and EJB methods (then I
don't have to implement the authorization myself). The problems that I
can foresee are:
+ Mapping of roles to users is quite "static", i.e. holds for the whole
HTTP session and not for just a part of it. I haven't found a neat way to
deprive a user of a role s/he already has as soon as the relevant
assignment is completed.
+ Another problem is that I want to avoid interaction between two
concurrent assignments: the role-based authorization holds for a session,
whereas I want the authorization to hold only for a specific assignment.
In other words, if the user is carrying out 2 assignments at the same
time of different types (in two different browser windows), then the
methods for assignment type A should only be available for that
assignment and not for the assignment of type B (and vice versa).
In the worst case we would have to implement the assignment-based
authorization ourselves, but if there's some mechanism out there we would
of course prefer to use it. Does anyone have experience with this
situation?
Your help is much appreciated.
Best regards,
Roy Reshef
B/CICT
Belastingdienst, The Netherlands
Edward A. Feustel - 12 Jan 2005 11:33 GMT
Roy,
What you are describing is task based security - that is privileges based on
the task that the entity is entitled to do.
Stanford University has developed some software for doing this for the
University. I am not certain as to its general availability. Within the
Internet2 community they are leading a project called Signet whose purpose
is to standardize the privileges used in University communities based on
the Tasks done there. They are developing an administrative task and GUI
which will assign privileges to entities.
Another possibility within Java that might be helpful is the XACML work on
sourceforge. Developed by SUN and others is an XML-based Policy Decision
Function. The Policy can be based on the "environment" which is what you
want, since your decision depends on current task to be worked on.
Good Luck.
Ed
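
The two-phase check discussed in this thread, sketched as an added example that is not code from either poster and does not use the Signet or XACML APIs: authorization is keyed by an assignment id carried on each call instead of by the HTTP session, so concurrent assignments stay separate and access ends when the assignment completes. All class and method names are hypothetical, and the tables are constructed from the examples in the question.

```java
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical names throughout; tables are constructed from the question's examples.
public class AssignmentAuthz {
    // Phase 1: role -> assignment types that role may start.
    static final Map<String, Set<String>> ROLE_TYPES = Map.of(
        "Manager", Set.of("A", "B", "C"),
        "Employee", Set.of("C", "D"));
    // Phase 2: assignment type -> methods available while it runs.
    static final Map<String, Set<String>> TYPE_METHODS = Map.of(
        "A", Set.of("method1", "method2", "method3"),
        "B", Set.of("method3", "method4"));

    record Assignment(String user, String type) {}

    // Active assignments keyed by a random id, not by the HTTP session.
    private final Map<String, Assignment> active = new ConcurrentHashMap<>();

    // Phase 1 check: the role must permit this assignment type.
    String start(String user, String role, String type) {
        if (!ROLE_TYPES.getOrDefault(role, Set.of()).contains(type))
            throw new SecurityException(role + " may not start type " + type);
        String id = UUID.randomUUID().toString();
        active.put(id, new Assignment(user, type));
        return id;
    }

    // Phase 2 check: deny unless the id is active, owned by the caller,
    // and the method belongs to that assignment's type.
    boolean isAllowed(String user, String assignmentId, String method) {
        Assignment a = active.get(assignmentId);
        return a != null && a.user().equals(user)
            && TYPE_METHODS.getOrDefault(a.type(), Set.of()).contains(method);
    }

    // Completing the assignment removes every permission it granted.
    void complete(String assignmentId) { active.remove(assignmentId); }

    public static void main(String[] args) {
        AssignmentAuthz authz = new AssignmentAuthz();
        String a = authz.start("roy", "Manager", "A"); // first browser window
        String b = authz.start("roy", "Manager", "B"); // second browser window
        System.out.println(authz.isAllowed("roy", a, "method1")); // under assignment A
        System.out.println(authz.isAllowed("roy", b, "method1")); // same user, assignment B
        authz.complete(a);
        System.out.println(authz.isAllowed("roy", a, "method1")); // after completion
    }
}
```

In a container the `isAllowed` call would sit in an interceptor or facade in front of the business methods, with the assignment id sent as a request parameter from each window.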