J2EE Security - Allow if user is in ALL roles rather than ANY role?

Discussion in 'Java' started by David, Nov 10, 2004.

  1. David

    David Guest

    I am using J2EE security to restrict what roles are allowed to access
    certain URLs. ie 'Managers' and 'Buyer' are allowed to access
    '/viewdetails' but only 'Managers' are allowed to access '/delete'
    details.

    This is simple to acheive via the web.xml, but in effect what it is
    saying for '/viewdetails' is 'allow access if user is in EITHER of the
    roles.'

    ....what I need to be able to do (for a different more complex app) is
    restrict access to only people who are in BOTH roles.

    Is this possible?

    If so how?

    ....I thought it would be a simple case of including two security
    constraints, both for the same URI, but one including 'Managers' and
    the other including 'Buyers' and that a user would have to pass both
    security constraints to be allowed access - But this was still treated
    as an Either/Or.

    Does anyone know how to restrict access in this way?


    Thanks for any help!

    David Bevan

    http://www.davidbevan.co.uk
     
    David, Nov 10, 2004
    #1
    1. Advertising

  2. David

    Andy Flowers Guest

    Perhaps you could have a new role, ManagerBuyer and use that ?

    It may increase your admin overhead though.

    "David" <> wrote in message
    news:...
    >I am using J2EE security to restrict what roles are allowed to access
    > certain URLs. ie 'Managers' and 'Buyer' are allowed to access
    > '/viewdetails' but only 'Managers' are allowed to access '/delete'
    > details.
    >
    > This is simple to acheive via the web.xml, but in effect what it is
    > saying for '/viewdetails' is 'allow access if user is in EITHER of the
    > roles.'
    >
    > ...what I need to be able to do (for a different more complex app) is
    > restrict access to only people who are in BOTH roles.
    >
    > Is this possible?
    >
    > If so how?
    >
    > ...I thought it would be a simple case of including two security
    > constraints, both for the same URI, but one including 'Managers' and
    > the other including 'Buyers' and that a user would have to pass both
    > security constraints to be allowed access - But this was still treated
    > as an Either/Or.
    >
    > Does anyone know how to restrict access in this way?
    >
    >
    > Thanks for any help!
    >
    > David Bevan
    >
    > http://www.davidbevan.co.uk
     
    Andy Flowers, Nov 10, 2004
    #2
    1. Advertising

  3. David

    David Guest

    Thanks, but no, the actual application is a bit more complicated and
    actually uses a combination of three roles and the possible
    permutations of these three roles are over 3000!

    ....so not really practical - what im keeping my fingures crossed for
    is the ability to say 'role1 AND role2 AND role3' rather than the
    default of 'role1 OR role2 OR role3'

    Thanks

    David Bevan
    http://www.davidbevan.co.uk


    "Andy Flowers" <> wrote in message news:<d_nkd.78$>...
    > Perhaps you could have a new role, ManagerBuyer and use that ?
    >
    > It may increase your admin overhead though.
    >
    > "David" <> wrote in message
    > news:...
    > >I am using J2EE security to restrict what roles are allowed to access
    > > certain URLs. ie 'Managers' and 'Buyer' are allowed to access
    > > '/viewdetails' but only 'Managers' are allowed to access '/delete'
    > > details.
    > >
    > > This is simple to acheive via the web.xml, but in effect what it is
    > > saying for '/viewdetails' is 'allow access if user is in EITHER of the
    > > roles.'
    > >
    > > ...what I need to be able to do (for a different more complex app) is
    > > restrict access to only people who are in BOTH roles.
    > >
    > > Is this possible?
    > >
    > > If so how?
    > >
    > > ...I thought it would be a simple case of including two security
    > > constraints, both for the same URI, but one including 'Managers' and
    > > the other including 'Buyers' and that a user would have to pass both
    > > security constraints to be allowed access - But this was still treated
    > > as an Either/Or.
    > >
    > > Does anyone know how to restrict access in this way?
    > >
    > >
    > > Thanks for any help!
    > >
    > > David Bevan
    > >
    > > http://www.davidbevan.co.uk
     
    David, Nov 10, 2004
    #3
  4. Re: J2EE Security - Allow if user is in ALL roles rather than ANYrole?

    David wrote:

    > Thanks, but no, the actual application is a bit more complicated and
    > actually uses a combination of three roles and the possible
    > permutations of these three roles are over 3000!
    >
    > ...so not really practical - what im keeping my fingures crossed for
    > is the ability to say 'role1 AND role2 AND role3' rather than the
    > default of 'role1 OR role2 OR role3'


    It sounds to me like you need to refactor your roles. In other words,
    Andy was basically right. You shouldn't need to have a new role for
    every possible combination of your existing roles, however; in fact you
    probably need very few additional roles if you are defining roles
    appropriately in the first place. You may also find that it makes sense
    to break up some of your existing roles into several roles of narrower
    scope.

    In any case, the kind of AND condition you describe is not in the spirit
    of role-based security. Indeed, some of your comments make me suspect
    that you are trying to adapt the J2EE role-based security model to an
    application security design that isn't really role-based. If you'd like
    to give more detail about your design then perhaps you'll get some
    useful information back.


    John Bollinger
     
    John C. Bollinger, Nov 10, 2004
    #4
  5. David

    Sudsy Guest

    Re: J2EE Security - Allow if user is in ALL roles rather than ANYrole?

    John C. Bollinger wrote:
    > David wrote:

    <snip>
    > In any case, the kind of AND condition you describe is not in the spirit
    > of role-based security. Indeed, some of your comments make me suspect
    > that you are trying to adapt the J2EE role-based security model to an
    > application security design that isn't really role-based. If you'd like
    > to give more detail about your design then perhaps you'll get some
    > useful information back.


    John is correct. Your roles should be constructed in the same manner as
    your classes, namely hierarchically. Someone with a particular role
    designation should have all the privileges of subservient roles PLUS
    powers specific to the specified role.
    This is fairly standard and can be found even in M$ NT: an Administrator
    role can install an application accessible to all users while an ordinary
    user can only install apps for their own use.
    Heck, in Oracle there are separate sys and system user ids...
    Arrange your roles appropriately and you shouldn't need to apply logical
    operators to determine what permissions should be granted.
    YMMV

    --
    Java/J2EE/JSP/Struts/Tiles/C/UNIX consulting and remote development.
     
    Sudsy, Nov 10, 2004
    #5
  6. David

    David Guest

    Let me explain a bit more about my specific problem. Basically I am
    using a custom registry to hook J2EE security into a predefined
    security structure.

    In this predefined registry users are in branches, they are members of
    a group and they are in departments. Applications need to restrict
    access based on all three.

    ....ie a central pay application might be restricted to only HR staff
    who have manager authority and are in the head office (ie branch 999)
    so the security constraint would be "user is in Branch 999 AND dept HR
    AND group Manager"

    The only way this could be included as 1 role would be to create a
    role of "999_HR_Manager"

    ....but some users are in all branches and several departments so in
    effect if we combine roles like this they are in several thousand
    roles!

    So if theres no way to AND roles then im a bit stuck!


    David Bevan

    http://www.davidbevan.co.uk


    "John C. Bollinger" <> wrote in message news:<cmu5ij$t3h$>...
    > David wrote:
    >
    > > Thanks, but no, the actual application is a bit more complicated and
    > > actually uses a combination of three roles and the possible
    > > permutations of these three roles are over 3000!
    > >
    > > ...so not really practical - what im keeping my fingures crossed for
    > > is the ability to say 'role1 AND role2 AND role3' rather than the
    > > default of 'role1 OR role2 OR role3'

    >
    > It sounds to me like you need to refactor your roles. In other words,
    > Andy was basically right. You shouldn't need to have a new role for
    > every possible combination of your existing roles, however; in fact you
    > probably need very few additional roles if you are defining roles
    > appropriately in the first place. You may also find that it makes sense
    > to break up some of your existing roles into several roles of narrower
    > scope.
    >
    > In any case, the kind of AND condition you describe is not in the spirit
    > of role-based security. Indeed, some of your comments make me suspect
    > that you are trying to adapt the J2EE role-based security model to an
    > application security design that isn't really role-based. If you'd like
    > to give more detail about your design then perhaps you'll get some
    > useful information back.
    >
    >
    > John Bollinger
    >
     
    David, Nov 11, 2004
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jesper Stocholm
    Replies:
    2
    Views:
    8,244
    John Saunders
    Aug 23, 2003
  2. Liet Kynes
    Replies:
    0
    Views:
    538
    Liet Kynes
    Nov 26, 2003
  3. Replies:
    0
    Views:
    607
  4. Kursat
    Replies:
    1
    Views:
    341
    Dominick Baier
    May 7, 2007
  5. Bob Sanders
    Replies:
    6
    Views:
    225
    Jacob Basham
    Nov 10, 2007
Loading...

Share This Page