tomcat-dev mailing list archives

From Harish Prabandham <Harish.Praband...@Eng.Sun.COM>
Subject Re: Short Term Plan: Add Security Management Capabilities to Tomcat
Date Sun, 17 Oct 1999 20:59:31 GMT
Ian Holsman wrote:

> I've recently been asked to help out with security requirements for a
> couple of web-based apps at a client (insurance coy).
>
> Some of the requirements which came out of the meetings were:
>
> * Hierarchical definition of roles.
>     ie. Managers can do everything clerks do plus xxx

Use RBAC (Role Based Access Control) with hierarchical definition
for roles.


>
>
> * Security based on location (as well as role)
>     ie. you are allowed more access if you are 'on' the LAN than if you
>     are outside
>

This is much more complicated. But can be easily simulated by creating
roles like:

UserOnLan
UserOutside


And performing a check programmatically.

if (request.isUserInRole("UserOnLan")) {   // request is the HttpServletRequest
    // do something...
} else {
    // something else...
}

Remember the user can belong to more than one role at the same time.

>
> * permission to access an individual policy
>     broker A can not see broker B's clients.
>

IMO, this is harder to do using the current spec. But can be simulated
by having an association with Principal (returned by getUserPrincipal) and
his/her customers.....


>
> I think the last one would be a bit too specific to implement, but the
> other two would be useful for larger projects. (still unsure if this
> should be at the EJB level or the servlet level)
>
> ..Ian
>
> Pierpaolo Fumagalli wrote:
>
> > Hans Bergsten wrote:
> > > [...]
> > >     <group-member>pmc</group-member>
> > >     <user-member>brianb</user-member>
> > > [...]
> >
> > IMVHO This should be attributes, so they could be defined in the DTD as
> > IDREF and the whole stuff can be validated by the parser.
> >
> >         Pier
> > --
> > Pierpaolo Fumagalli - IBM Center for Java Technologies
> > <mailto:pifum18@us.ibm.com>   <mailto:pier@apache.org>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
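
The three suggestions in the reply above (hierarchical roles, location expressed as a role, and an association between the Principal and his/her customers) combined into one deny-by-default check. This is an added example, not code from the thread or from Tomcat; the AccessPolicy class, its methods, and the role, broker and client names other than UserOnLan and UserOutside are hypothetical, and the principal name is assumed to come from getUserPrincipal().getName().

```java
import java.util.*;

// Added illustration; AccessPolicy and all sample names are hypothetical.
public class AccessPolicy {
    // Role -> roles it directly inherits ("Manager" can do everything "Clerk" can).
    private final Map<String, Set<String>> inherits = new HashMap<>();
    // Principal name -> ids of the clients that principal is associated with.
    private final Map<String, Set<String>> clientsOf = new HashMap<>();

    public void inherit(String senior, String junior) {
        inherits.computeIfAbsent(senior, k -> new HashSet<>()).add(junior);
    }

    public void assignClient(String principal, String clientId) {
        clientsOf.computeIfAbsent(principal, k -> new HashSet<>()).add(clientId);
    }

    // Expand directly granted roles through the hierarchy; the seen-set tolerates cycles.
    public Set<String> effectiveRoles(Collection<String> granted) {
        Set<String> seen = new HashSet<>();
        Deque<String> todo = new ArrayDeque<>(granted);
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (seen.add(role)) {
                todo.addAll(inherits.getOrDefault(role, Collections.emptySet()));
            }
        }
        return seen;
    }

    // Deny by default: requires the Clerk role (direct or inherited),
    // the UserOnLan role, and an association between principal and client.
    public boolean mayViewClient(String principal, Collection<String> granted, String clientId) {
        Set<String> roles = effectiveRoles(granted);
        return roles.contains("Clerk")
            && roles.contains("UserOnLan")
            && clientsOf.getOrDefault(principal, Collections.emptySet()).contains(clientId);
    }

    public static void main(String[] args) {
        AccessPolicy p = new AccessPolicy();
        p.inherit("Manager", "Clerk");
        p.assignClient("brokerA", "client-1");   // constructed sample data
        p.assignClient("brokerB", "client-2");
        List<String> onLan = Arrays.asList("Manager", "UserOnLan");
        List<String> outside = Arrays.asList("Manager", "UserOutside");
        System.out.println(p.mayViewClient("brokerA", onLan, "client-1"));   // broker A, own client
        System.out.println(p.mayViewClient("brokerA", onLan, "client-2"));   // broker A, broker B's client
        System.out.println(p.mayViewClient("brokerA", outside, "client-1")); // own client, off the LAN
    }
}
```

In a servlet the granted roles would be established with isUserInRole calls against the container's realm rather than passed in as a list.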

