Need role based access on a DAO

Discussion in 'Java' started by pramodr, Jul 23, 2009.

  1. pramodr

    pramodr Guest

    Hi group,

    I have a design problem described as follows.

    I have a simple application which I need to make secure, which
    currently is not. I am planning to implement security at the DAO
    level. For instance I have a DAO, say AuditScheduleDAO which requires
    a role based access. A user with role admin can add/modify/view an
    AuditSchedule in the DB (Postgres db) thru the DAO. However the admin
    cannot delete it, which could be done only by the superAdmin.

    Similarly I have two more roles - auditor (add/view only),
    user (view only)

    What could be the best design possible ? I use struts as front end
    and tomcat 5.5 server. I am planning to implement JAAS security and
    <security-constraint> defined in web.xml to protect the urls whichever
    are not accessible, however I cannot use <security-constraint> for
    role based access of java objects.

    Any suggestions ?

    regards
    Pramod Ramachandran
    pramodr, Jul 23, 2009
    #1

  2. hello,

    You could proxy over/ wrap the dao interface (proxy pattern) to control
    access to it i.e add security so this proxy can be attached without
    modifying the concrete dao implementations to add the security concern.

    You could have a look at Spring but I would bet it is not far from this
    concept.

    Sorry for not elaborating more ... responding from iPhone now :)

    HTH,
    Giovanni
    Giovanni Azua, Jul 23, 2009
    #2
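
    The proxy approach suggested above, applied to the role matrix from the original question, as an added example that is not part of any poster's message. The interface methods, the `secure` helper and the role supplier are hypothetical names; in a servlet application the supplier would be backed by the container's authenticated role.

    ```java
    import java.lang.reflect.InvocationTargetException;
    import java.lang.reflect.Proxy;
    import java.util.Map;
    import java.util.Set;
    import java.util.function.Supplier;
    public class SecuredDaoDemo {
        // Hypothetical DAO interface; the thread only names AuditScheduleDAO.
        interface AuditScheduleDAO {
            void add(String schedule);
            void modify(String schedule);
            String view(int id);
            void delete(int id);
        }
        // Role -> permitted DAO methods, as listed in the original question.
        static final Map<String, Set<String>> ALLOWED = Map.of(
            "superAdmin", Set.of("add", "modify", "view", "delete"),
            "admin",      Set.of("add", "modify", "view"),
            "auditor",    Set.of("add", "view"),
            "user",       Set.of("view"));
        // Wraps any AuditScheduleDAO; the concrete implementation is not modified.
        static AuditScheduleDAO secure(AuditScheduleDAO target, Supplier<String> currentRole) {
            return (AuditScheduleDAO) Proxy.newProxyInstance(
                AuditScheduleDAO.class.getClassLoader(),
                new Class<?>[] { AuditScheduleDAO.class },
                (proxy, method, args) -> {
                    String role = currentRole.get();
                    // Deny by default: no role, unknown role or unlisted method is rejected.
                    if (role == null || !ALLOWED.getOrDefault(role, Set.of()).contains(method.getName()))
                        throw new SecurityException(role + " may not call " + method.getName());
                    try {
                        return method.invoke(target, args);
                    } catch (InvocationTargetException e) {
                        throw e.getCause(); // surface the DAO's own exception
                    }
                });
        }

        public static void main(String[] args) {
            AuditScheduleDAO real = new AuditScheduleDAO() { // in-memory stand-in for the Postgres DAO
                public void add(String s) {}
                public void modify(String s) {}
                public String view(int id) { return "schedule-" + id; }
                public void delete(int id) {}
            };
            AuditScheduleDAO asAdmin = secure(real, () -> "admin");
            System.out.println(asAdmin.view(1));
            try { asAdmin.delete(1); } catch (SecurityException e) { System.out.println(e.getMessage()); }
        }
    }
    ```

    Because the handler denies anything not listed, a method later added to the interface stays blocked for every role until it is granted explicitly.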

  3. Arne Vajhøj

    Arne Vajhøj Guest

    pramodr wrote:
    > I have a design problem described as follows.
    >
    > I have a simple application which I need to make secure, which
    > currently is not. I am planning to implement security at the DAO
    > level. For instance I have a DAO, say AuditScheduleDAO which requires
    > a role based access. A user with role admin can add/modify/view an
    > AuditSchedule in the DB (Postgres db) thru the DAO. However the admin
    > cannot delete it, which could be done only by the superAdmin.
    >
    > Similarly I have two more roles - auditor (add/view only),
    > user (view only)
    >
    > What could be the best design possible ? I use struts as front end
    > and tomcat 5.5 server. I am planning to implement JAAS security and
    > <security-constraint> defined in web.xml to protect the urls whichever
    > are not accessible, however I cannot use <security-constraint> for
    > role based access of java objects.
    >
    > Any suggestions ?


    I am skeptical about the approach. I believe that the security
    should be implemented in the business logic layer not in the
    data access layer.

    I would find it very tempting to use AOP for this. More
    specifically AspectJ.

    Arne
    Arne Vajhøj, Jul 24, 2009
    #3
  4. pramodr

    pramodr Guest

    On Jul 24, 6:23 am, Arne Vajhøj wrote:
    > pramodr wrote:
    > > I have a design problem described as follows.

    >
    > > I have a simple application which I need to make secure, which
    > > currently is not. I am planning to implement security at the DAO
    > > level. For instance I have a DAO, say AuditScheduleDAO which requires
    > > a role based access. A user with role admin can add/modify/view an
    > > AuditSchedule in the DB (Postgres db) thru the DAO. However the admin
    > > cannot delete it, which could be done only by the superAdmin.

    >
    > > Similarly I have two more roles - auditor (add/view only),
    > > user (view only)

    >
    > > What could be the best design possible ?  I use struts as front end
    > > and tomcat 5.5 server. I am planning to implement JAAS security and
    > > <security-constraint> defined in web.xml to protect the urls whichever
    > > are not accessible, however I cannot use <security-constraint> for
    > > role based access of java objects.

    >
    > > Any suggestions ?

    >
    > I am skeptical about the approach. I believe that the security
    > should be implemented in the business logic layer not in the
    > data access layer.
    >
    > I would find it very tempting to use AOP for this. More
    > specifically AspectJ.
    >
    > Arne



    Thanks but I still do not know if JAAS could be used to protect a
    method inside a class. I heard that JAAS could be used to protect
    codebase (jar/classes) from unauthorised access. Not sure how to apply
    security at the method level.
    pramodr, Jul 24, 2009
    #4
  5. Arne Vajhøj

    Arne Vajhøj Guest

    pramodr wrote:
    > On Jul 24, 6:23 am, Arne Vajhøj wrote:
    >> pramodr wrote:
    >>> I have a design problem described as follows.
    >>> I have a simple application which I need to make secure, which
    >>> currently is not. I am planning to implement security at the DAO
    >>> level. For instance I have a DAO, say AuditScheduleDAO which requires
    >>> a role based access. A user with role admin can add/modify/view an
    >>> AuditSchedule in the DB (Postgres db) thru the DAO. However the admin
    >>> cannot delete it, which could be done only by the superAdmin.
    >>> Similarly I have two more roles - auditor (add/view only),
    >>> user (view only)
    >>> What could be the best design possible ? I use struts as front end
    >>> and tomcat 5.5 server. I am planning to implement JAAS security and
    >>> <security-constraint> defined in web.xml to protect the urls whichever
    >>> are not accessible, however I cannot use <security-constraint> for
    >>> role based access of java objects.
    >>> Any suggestions ?

    >> I am skeptical about the approach. I believe that the security
    >> should be implemented in the business logic layer not in the
    >> data access layer.
    >>
    >> I would find it very tempting to use AOP for this. More
    >> specifically AspectJ.

    >
    > Thanks but I still do not know if JAAS could be used to protect a
    > method inside a class. I heard that JAAS could be used to protect
    > codebase (jar/classes) from unauthorised access. Not sure how to apply
    > security at the method level.


    I can not see why JAAS could not be used to protect the method
    call. JAAS can check any permission anywhere in the code.

    (as far as I remember - it is a long time since I have used JAAS)

    Arne
    Arne Vajhøj, Jul 25, 2009
    #5