geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Dynamic security w/ highest integration level possible towards Geronimo
Date Mon, 15 Dec 2008 18:04:59 GMT
Hi Christian,

Your situation is similar to that of applications such as blog sites
(e.g. roller) and portals (e.g. jetspeed 2) where the content and
access permissions are not really known when the application is
deployed: for these you need to be able to add permissions for content
that didn't exist when the app started (e.g. new blog, new portal page/
portlets).  Unfortunately javaee doesn't support this model: it
assumes that all content and roles are known at deploy time.

The only way you can use a pure javaee security solution is if all  
your projects are known at deploy time, and then as you mention you'd  
have to define a role for each project and security constraints  
mapping the role to the url for the project.  This is unlikely to be  
scalable for you.

There are a lot of more or less special purpose security solutions for  
e.g. roller and jetspeed available but I would look into jsecurity  
which is now in the apache incubator.  I haven't used it myself but  
have heard very good things about it and I'm hoping to work on a  
geronimo-jsecurity integration.

thanks
david jencks

On Dec 15, 2008, at 3:32 AM, Christian Svensson wrote:

> Hello.
>
> I'm quite new in the "Programming towards J2EE" business so bear
> with me if I missed some basic point.
> (Or if this mail on this mailing list is totally off topic)
>
> I'm developing an application that will serve as a web-based file
> storage archive.
> Customers will receive login credentials and be able to access  
> projects that they have been assigned (read: groups).
> There must also be an anonymous "mode" where projects that have an
> anonymous flag will be shown and allowed access.
>
> What I'm looking to construct is something like this:
>
> User requests servlet at /access/test/. Parsing is done and a  
> question is popped to a database looking for the project "test".
> Test is found and is anonymous. File listing is shown.
>
> User requests servlet at /access/secret1/. Parsing is done and a  
> question is popped to a database looking for the project "secret1".
> Secret1 is found but is not anonymous - user is redirected to a FORM-
> login.
> User logs in and file listing is shown.
>
> User requests servlet at /access/secret2/. Parsing is done and a  
> question is popped to a database looking for the project "secret2".
> Secret2 is found but is not anonymous and not assigned to User1 -  
> user is redirected to an Access Denied-page.
>
> I'm aware that it's possible to add security constraints to every  
> single /access/secret1, /access/secret2, /access/secret3 and so on,  
> but that is no fun.
> Also, I would need to add a role for each project.
>
> Basically what I want is some sort of dynamic role and security  
> constraint injection.
> What I've understood this is commonly solved using a filter - but  
> when I look at the existing functionality it comes annoyingly close  
> to what I need.
> Although, if a filter is the J2EE way to solve this it brings me to my
> next question: How do I manually test logins to the application's
> security realm?
>
> Greetings,
>
> -- 
> Christian Svensson
> Command Systems
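The filter-based approach mentioned in the thread, as an added example that is not code from either poster or from Geronimo: a servlet Filter mapped to /access/* that decides per request whether the project segment of the path is anonymous, requires a login, or is off-limits to the current user. The project table (names, anonymous flag, members) is a constructed in-memory map standing in for the database query in the message, the login page path /login.jsp is an assumption, and authentication itself is still left to the container's FORM login, so request.getUserPrincipal() is the only thing the filter consults for identity.

```java
// Added example, not from the mailing-list thread or the Geronimo project.
// Enforces dynamic per-project access for the /access/<project>/ URL layout
// described in the message. Project data below is constructed sample data
// standing in for the database lookup.
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ProjectAccessFilter implements Filter {

    /** One row of the hypothetical project table. */
    static final class Project {
        final boolean anonymous;
        final Set<String> members;
        Project(boolean anonymous, Set<String> members) {
            this.anonymous = anonymous;
            this.members = members;
        }
    }

    // Constructed sample data; a real deployment would query the database here.
    private static final Map<String, Project> PROJECTS = new HashMap<String, Project>();
    static {
        PROJECTS.put("test", new Project(true, Collections.<String>emptySet()));
        PROJECTS.put("secret1", new Project(false, Collections.singleton("user1")));
        PROJECTS.put("secret2", new Project(false, Collections.singleton("user2")));
    }

    // Assumed location of the FORM-login page (not given in the original message).
    private static final String LOGIN_PAGE = "/login.jsp";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path relative to the web app, e.g. "/access/secret1/" for project "secret1".
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!path.startsWith("/access/")) {
            chain.doFilter(req, res);   // not ours; container constraints still apply
            return;
        }

        String projectName = projectFromPath(path);
        Project project = projectName == null ? null : PROJECTS.get(projectName);
        if (project == null) {
            // Unknown or malformed project name: deny by default, reveal nothing.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (project.anonymous) {
            chain.doFilter(req, res);   // e.g. "test": listing is public
            return;
        }

        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Not logged in: remember the target server-side (so it cannot be
            // tampered with in the URL) and send the user to the FORM login.
            request.getSession(true).setAttribute("returnTo", path);
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        if (!project.members.contains(user.getName())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);  // "Access Denied" case
            return;
        }
        chain.doFilter(req, res);       // logged in and assigned to the project
    }

    /** Extracts <project> from "/access/<project>/..."; null if it is not a plain identifier. */
    static String projectFromPath(String path) {
        String rest = path.substring("/access/".length());
        int slash = rest.indexOf('/');
        String name = slash < 0 ? rest : rest.substring(0, slash);
        // Accept only plain identifiers so "..", "%2e" and similar never reach the lookup.
        return name.matches("[A-Za-z0-9_-]+") ? name : null;
    }
}
```

Map it in web.xml with a filter-mapping whose url-pattern is /access/*, and keep a single container security constraint so that the FORM login (j_security_check) still authenticates against the realm; the filter then only makes the authorization decision, which is the part Java EE cannot express for projects created after deployment. The strict identifier check on the project segment is what keeps the database lookup from ever seeing path-traversal or encoded-slash variants of a URL.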

