geronimo-user mailing list archives

From David Jencks <>
Subject Re: Modify EJB security settings from JSP application
Date Mon, 04 Dec 2006 22:31:00 GMT

On Dec 2, 2006, at 7:27 PM, Diego L Espiñeira wrote:

> Hi, thanks for your reply
> The roles associated with each EJB method are defined at deployment time
> (via deployment plan), but I need to let the users, such as a sysadmin
> (with not much experience on J2EE), grant access for some EJB methods
> to existent roles and to create new roles too using the web user
> interface of my application. Do I need to modify the deployment plan to
> grant to a new role permissions for execution of an EJB method? Is this
> feasible/reliable/good practice? Do I have to start looking at JACC?
> If that is the case, I didn't find much information about JACC. Can you
> give me some tips? Or just point me in the right direction for that
> info?

I wrote up some stuff on JACC at 
display/GMOxDEV/JACC+Guide, maybe I'll figure out how to link to it  
from an existing page :-)

There are a lot of ways to deal with this, and I have no idea which  
if any would be suitable.   I really don't understand from the specs  
what is intended as far as changing roles and their definitions while  
the app is deployed.  Everything in the specs except some of the  
PolicyConfiguration interfaces seem to state unequivocally that you  
have to change the deployment descriptors to change the role -  
permission mapping, but the JACC spec and interfaces seem to allow  
and encourage changing them from some unspecified admin interface.   
Anyway geronimo doesn't have an admin interface for this right now.

It may not be entirely clear but the default geronimo jacc  
implementation kind of has 3 layers for getting from the user's  
identity to the permissions they get:

- the login configuration for the app constructs a Subject containing  
Principals.  You can adjust the login module's backing store at any  
time to change what principals go with each user.  There's no  
geronimo administration at all for this AFAIK (there might be a way  
to modify a properties realm, but I doubt a serious app is going to  
be using a properties realm)

- the principal-role mapping specified in some xml following  
geronimo-security-1.2.xsd, somewhere in your plan.  At the moment the only way  
to modify this is to change the plan and redeploy.  It would be  
possible to write an admin interface such as a console portlet for  
this.  I expect this would be generally useful.

- the role-permission mapping specified in the spec deployment  
descriptors.  Again, the only way to change this currently is to  
change the dds and redeploy, but a generic interface to modify this  
mapping is certainly possible.

With both of these last two mappings, one major problem is that  
when you restart the app, you lose the changes.  Avoiding this would  
take a lot of work.

Here are a few ideas for how to solve this problem:

1. Start out with enough roles, such as one per ejb method, and one  
principal per role, with an obvious principal role mapping.  Then you  
can completely control  a user's permissions in the login  
configuration.  For instance if it's in a sql table, you can just  
edit the table's entries.  This is really simple and doesn't require  
anyone to write more code, but is apt IMO to be difficult to manage.

2. Help get TripleSec integrated.  This should provide a GUI  
(currently swing based IIUC) to do exactly what you want.  However, I  
think this is going to be a long term project.  The apache ds guys  
haven't even imported the triplesec code into apache yet :-(

3. write one or both of the runtime management features mentioned  
above, either the principal-role editor or the role-permissions  
editor.  I don't know how hard the editors would be, but I certainly  
don't have a solution for the persistence problem at this time.

Hmmm, I might have just expanded on my previous response..... anyway  
these might give you some more ideas.

david jencks

> Thank you very much
> On Sat, 2006-12-02 at 17:11 -0800, David Jencks wrote:
>> We don't have a way to do this at the moment.  Can you be more
>> specific about what you need to do?  Would it be sufficient to change
>> the principals that the login module adds to the user's Subject,
>> while keeping the principal-role mapping and role-permission mappings
>> the same?  That would just involve writing an interface into whatever
>> is backing your LoginModules.
>> Something that might be similar to what you need that I'm hoping to
>> get integrated into geronimo fairly soon is TripleSec, which is
>> supposed to move into the Apache Directory project any day now :-).
>> thanks
>> david jencks
>> On Dec 2, 2006, at 4:47 PM, Diego L Espiñeira wrote:
>>> How can I modify EJB security settings from an enterprise
>>> application?
>>> I need to allow the user to assign permissions to users from the
>>> commodity of my web app's user interface ;)
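The three layers David describes, as an added example written for this page (it is neither Geronimo's code nor anything posted in the thread). The user "alice", the principal names, the role names, AccountBean and its methods are constructed placeholders; the maps stand in for the login module's backing store, the plan's principal-role mapping and the ejb-jar.xml method-permissions. It models idea 1 (one role per EJB method, one principal per role) and shows that a grant then needs only a change to layer 1, with the usual JACC EJBMethodPermission doing the final check.

```java
import java.security.Permission;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.jacc.EJBMethodPermission;

public class ThreeLayerAuthz {
    // Stand-in Principal; a real login module emits its own Principal classes.
    record NamedPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    // Layer 1: login module backing store, user -> principal names (constructed
    // in memory here; in a real app a SQL table or LDAP directory).
    static final Map<String, Set<String>> loginStore =
        new HashMap<>(Map.of("alice", new HashSet<>(Set.of("account-read"))));
    // Layer 2: principal -> role, as the geronimo-security principal-role
    // mapping in the plan declares it. Idea 1: one principal per role.
    static final Map<String, String> principalRole = Map.of(
        "account-read", "AccountReader", "account-credit", "AccountCreditor");
    // Layer 3: role -> EJB method permissions, as method-permission elements in
    // ejb-jar.xml declare them. Idea 1: one role per EJB method. An actions
    // string of just the method name implies every signature of that method.
    static final Map<String, List<Permission>> rolePermissions = Map.of(
        "AccountReader", List.of(new EJBMethodPermission("AccountBean", "getBalance")),
        "AccountCreditor", List.of(new EJBMethodPermission("AccountBean", "credit")));
    // What the login configuration yields for a user: a Subject with Principals.
    static Subject login(String user) {
        Subject s = new Subject();
        for (String p : loginStore.getOrDefault(user, Set.of()))
            s.getPrincipals().add(new NamedPrincipal(p));
        return s;
    }
    // The container's check walks principal -> role -> permission.
    static boolean mayCall(Subject caller, EJBMethodPermission wanted) {
        for (Principal p : caller.getPrincipals()) {
            String role = principalRole.get(p.getName());
            if (role == null) continue;
            for (Permission granted : rolePermissions.getOrDefault(role, List.of()))
                if (granted.implies(wanted)) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        EJBMethodPermission credit = new EJBMethodPermission(
            "AccountBean", "credit", "Remote", new String[] {"java.lang.String", "double"});
        System.out.println("before: " + mayCall(login("alice"), credit));
        // Idea 1 in action: only layer 1 changes; the plan and the descriptors are
        // untouched. Being in memory, the grant is also lost on restart.
        loginStore.get("alice").add("account-credit");
        System.out.println("after: " + mayCall(login("alice"), credit));
    }
}
```

Compiling needs the JACC API jar (javax.security.jacc) on the classpath; the in-memory store is exactly what loses changes on restart, the persistence problem the reply points out.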
