EJB role security

[davout]

As a newbie to EJB apps I can see that roles may be applied to bean level
methods to allow the container to manage entity class level permissions.

But what happens if you want to apply access control permisions to
individual instances of a class? For instance I have a session bean that
provides add/delete/update methods on currency rates for different
currencies.

interface CurrencyRateManager {
public void updateRate(String aCurrencyCode, double aRate);
}

The standard EJB mechanism allows me to set a role against the 'update'
method, but this doesn't distinguish between what currency is being changed.
For example how would I apply security controls at a method level that only
allowed 'joe' to update 'Yen' rates and 'fred' to update 'dollar' rates?

 

[Sudsy]

davout wrote:

The standard EJB mechanism allows me to set a role against the 'update'
method, but this doesn't distinguish between what currency is being changed.
For example how would I apply security controls at a method level that only
allowed 'joe' to update 'Yen' rates and 'fred' to update 'dollar' rates?

Programmatically. See HttpServletRequest#isUserInRole.

 

[davout]

Please explain further....

How and where do I set up something to control that user 'joe' can update
Yen rates and user 'fred' dollar rates - both through the same bean method.

 

[Sudsy]

Please explain further....

How and where do I set up something to control that user 'joe' can update
Yen rates and user 'fred' dollar rates - both through the same bean method.

Create a couple of roles: YenManager and DollarManager. Make joe a
member of YenManager and fred a member of DollarManager. Give both
roles access to the update method. Inside the method do something
like this:

if( currency.equals( "yen" ) &&
!ctx.isCallerInRole( "YenManager" ) ) {
throw( new CurrencyManagerException( "not in correct role" ) );
}
if( currency.equals( "dollar" ) &&
!ctx.isCallerInRole( "DollarManager" ) ) {
throw( new CurrencyManagerException( "not in correct role" ) );
}

This assumes that ctx is a reference to the EntityContext passed
as the argument to your setEntityContext method and that you've
defined a custom exception called CurrencyManagerException and
specified that the update method can throw that exception.

 

[davout]

Are the new roles defined in the bean XML config file?

If so, how do I dynamically create new roles for new currencies?

 

[Sudsy]

Are the new roles defined in the bean XML config file?

If so, how do I dynamically create new roles for new currencies?

Okay, so now I can see that there are some big gaps here. Role
management is a function of deployment, not development. The
process varies depending on the platform, i.e. it's going to
be different in IBM WebSphere and BEA WebLogic.
What I was trying to show was how you could approach the
problem programmatically. You could even generalize it and
presume that for each currency provided as an argument to the
update method there exists a corresponding role called
CurrencyManager. So if you added support for the British
Pound the currency might be sterling so the derived role name
would be SterlingManager (met any of those? ;-) ).
So you check whether the caller is in the named role. If the
role doesn't exist then the user obviously cannot be in that
role.
Does this make sense?
I strongly suggest that you do some more reading on the
specifics of your deployment platform as well as the more
general concepts of role-based J2EE security.

 

[davout]

I see what you're trying to do but I don;t think is maintainable...

From your earlier code example...

if( currency.equals( "yen" ) &&
!ctx.isCallerInRole( "YenManager" ) ) {
throw( new CurrencyManagerException( "not in correct role" ) );
}
if( currency.equals( "dollar" ) &&
!ctx.isCallerInRole( "DollarManager" ) ) {
throw( new CurrencyManagerException( "not in correct role" ) );
}

The problem is that the range of supported currencies is hard coded into the
method. I'd have to change the code and deployment just to support a new
currency.

I'm wondering if it isn't better to apply an access control list type
solution to his area where I can have a subject (Currency) to which various
users and/or groups can gain access.

 

[Sudsy]

I see what you're trying to do but I don;t think is maintainable...

From your earlier code example...

if( currency.equals( "yen" ) &&
!ctx.isCallerInRole( "YenManager" ) ) {
throw( new CurrencyManagerException( "not in correct role" ) );
}
if( currency.equals( "dollar" ) &&
!ctx.isCallerInRole( "DollarManager" ) ) {
throw( new CurrencyManagerException( "not in correct role" ) );
}

The problem is that the range of supported currencies is hard coded into the
method. I'd have to change the code and deployment just to support a new
currency.

Which is why I suggested in my previous post that you make it generic.
Check this out:

public void update( String currency, ... ) throws CurrencyException {
// check for null or empty currency first, of course...
String roleName = Character.toUpperCase( currency.charAt( 0 ) ) +
currency.substring( 1 ) + "Manager";
if( ! ctx.isCallerInRole( roleName ) ) {
throw( new CurrencyManager( "not in correct role" );
}
}

Now you can add currencies and roles to your heart's content.