J2EE Security - Allow if user is in ALL roles rather than ANY role?

David

I am using J2EE security to restrict what roles are allowed to access
certain URLs, i.e. 'Managers' and 'Buyer' are allowed to access
'/viewdetails' but only 'Managers' are allowed to access '/delete'
details.

This is simple to achieve via the web.xml, but in effect what it is
saying for '/viewdetails' is 'allow access if user is in EITHER of the
roles.'

....what I need to be able to do (for a different more complex app) is
restrict access to only people who are in BOTH roles.

Is this possible?

If so how?

....I thought it would be a simple case of including two security
constraints, both for the same URI, but one including 'Managers' and
the other including 'Buyers' and that a user would have to pass both
security constraints to be allowed access - But this was still treated
as an Either/Or.

Does anyone know how to restrict access in this way?


Thanks for any help!

David Bevan

http://www.davidbevan.co.uk
 
Andy Flowers

Perhaps you could have a new role, ManagerBuyer, and use that?

It may increase your admin overhead though.
 
David

Thanks, but no, the actual application is a bit more complicated and
actually uses a combination of three roles and the possible
permutations of these three roles are over 3000!

...so not really practical - what I'm keeping my fingers crossed for
is the ability to say 'role1 AND role2 AND role3' rather than the
default of 'role1 OR role2 OR role3'

Thanks

David Bevan
http://www.davidbevan.co.uk
 
John C. Bollinger

David said:
> Thanks, but no, the actual application is a bit more complicated and
> actually uses a combination of three roles and the possible
> permutations of these three roles are over 3000!
>
> ...so not really practical - what I'm keeping my fingers crossed for
> is the ability to say 'role1 AND role2 AND role3' rather than the
> default of 'role1 OR role2 OR role3'

It sounds to me like you need to refactor your roles. In other words,
Andy was basically right. You shouldn't need to have a new role for
every possible combination of your existing roles, however; in fact you
probably need very few additional roles if you are defining roles
appropriately in the first place. You may also find that it makes sense
to break up some of your existing roles into several roles of narrower
scope.

In any case, the kind of AND condition you describe is not in the spirit
of role-based security. Indeed, some of your comments make me suspect
that you are trying to adapt the J2EE role-based security model to an
application security design that isn't really role-based. If you'd like
to give more detail about your design then perhaps you'll get some
useful information back.


John Bollinger
 
Sudsy

John said:
> David wrote:
> In any case, the kind of AND condition you describe is not in the spirit
> of role-based security. Indeed, some of your comments make me suspect
> that you are trying to adapt the J2EE role-based security model to an
> application security design that isn't really role-based. If you'd like
> to give more detail about your design then perhaps you'll get some
> useful information back.

John is correct. Your roles should be constructed in the same manner as
your classes, namely hierarchically. Someone with a particular role
designation should have all the privileges of subservient roles PLUS
powers specific to the specified role.
This is fairly standard and can be found even in M$ NT: an Administrator
role can install an application accessible to all users while an ordinary
user can only install apps for their own use.
Heck, in Oracle there are separate sys and system user ids...
Arrange your roles appropriately and you shouldn't need to apply logical
operators to determine what permissions should be granted.
YMMV
 
David

Let me explain a bit more about my specific problem. Basically I am
using a custom registry to hook J2EE security into a predefined
security structure.

In this predefined registry users are in branches, they are members of
a group and they are in departments. Applications need to restrict
access based on all three.

...i.e. a central pay application might be restricted to only HR staff
who have manager authority and are in the head office (i.e. branch 999)
so the security constraint would be "user is in Branch 999 AND dept HR
AND group Manager"

The only way this could be included as 1 role would be to create a
role of "999_HR_Manager"

....but some users are in all branches and several departments so in
effect if we combine roles like this they are in several thousand
roles!

So if there's no way to AND roles then I'm a bit stuck!


David Bevan

http://www.davidbevan.co.uk
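
An added example, not part of the thread and not code from any poster: one way to get the "Branch 999 AND dept HR AND group Manager" check described above is to do it programmatically with `HttpServletRequest.isUserInRole()` in a servlet filter, since role names listed in web.xml security constraints are only ever combined as OR. The class name `AllRolesFilter`, the init-param name `requiredRoles` and the role names in the comment are hypothetical, and it assumes the custom registry exposes each branch, department and group as its own role name.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: passes a request only if the caller holds ALL configured roles. */
public class AllRolesFilter implements Filter {
    private List<String> requiredRoles;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Hypothetical init-param, e.g. "Branch_999,Dept_HR,Group_Manager" (constructed names)
        String param = config.getInitParameter("requiredRoles");
        if (param == null || param.trim().isEmpty()) {
            // Fail closed: a misconfigured filter must not silently allow everyone.
            throw new ServletException("requiredRoles init-param is missing");
        }
        requiredRoles = Arrays.asList(param.trim().split("\\s*,\\s*"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (request.getUserPrincipal() == null) {
            // Not authenticated by the container at all.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        for (String role : requiredRoles) {
            if (!request.isUserInRole(role)) {
                // One missing role is enough to deny: this is the AND semantics.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The filter is mapped to the protected URL pattern in web.xml with its own `requiredRoles` value per mapping. A declarative security constraint on the same URL is still needed so that the container authenticates the user before the filter runs.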
 