rocky.stevens
Hello,
I come from a .NET background, and am trying to port some security
code to Java/JAAS. In .NET, permissions are determined by calling
IPrincipal.IsInRole(string role). In JAAS, it looks like this is done
by seeing if the Subject has a principal with a name that equals the
given role. The thing is, I need to do lazy loading, i.e. I do not
want to hit my entitlement server unless I know the code is going to
need access to said roles. In .NET this was easily accomplished by
implementing IPrincipal, but in JAAS, it looks like you need to
populate all information you need at login. I cannot extend the
Subject class, as it is marked Final.
The only thing I can think of doing is to make a Principal class in
Java, giving *it* an IsInRole method, which would allow me to do lazy
loading as needed. However, this would not work if someone wanted to
do code level protections with a config file (i.e. because in the
config you can only specify access by principal name).
On a related note, it seems that Principal represents all kinds of
different things in the various examples I have seen. In some cases,
it represents a full-fledged identity (which is what I am thinking of
doing), in other cases it is just an arbitrary property of the user
(e.g. SSN), and in other cases it is an entitlement/role (e.g.
"Admin"). Are all three correct, or is there a definitive standard way
of using Principal?
Thanks,
Rocky
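
The lazy-loading principal idea described in the post above, sketched as an added example that is not part of the original post. The names LazyRolePrincipal, roleSource and fakeServer are hypothetical, and the entitlement server is replaced by a constructed in-memory lookup that counts how often it is called.

```java
import java.security.Principal;
import java.util.Set;
import java.util.function.Function;
import javax.security.auth.Subject;

/** Identity principal that fetches roles from the entitlement source on first use only. */
final class LazyRolePrincipal implements Principal {
    private final String name;
    private final Function<String, Set<String>> roleSource; // hypothetical entitlement lookup
    private volatile Set<String> roles;                      // stays null until the first isInRole call

    LazyRolePrincipal(String name, Function<String, Set<String>> roleSource) {
        this.name = name;
        this.roleSource = roleSource;
    }

    @Override public String getName() { return name; }
    /** Counterpart of .NET IPrincipal.IsInRole: loads roles once, then answers from the cache. */
    boolean isInRole(String role) {
        Set<String> r = roles;
        if (r == null) {
            synchronized (this) {
                if (roles == null) roles = Set.copyOf(roleSource.apply(name));
                r = roles;
            }
        }
        return r.contains(role);
    }

    // Subject stores principals in a Set, so identity is defined by the user name.
    @Override public boolean equals(Object o) {
        return o instanceof LazyRolePrincipal && ((LazyRolePrincipal) o).name.equals(name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

public class LazyRoleDemo {
    public static void main(String[] args) {
        int[] calls = {0};
        // Constructed stand-in for the entitlement server; counts lookups.
        Function<String, Set<String>> fakeServer = user -> { calls[0]++; return Set.of("Admin"); };
        Subject subject = new Subject();
        // A LoginModule's commit() would add the principal like this, without loading roles.
        subject.getPrincipals().add(new LazyRolePrincipal("rocky", fakeServer));
        System.out.println("lookups after login: " + calls[0]);
        for (LazyRolePrincipal p : subject.getPrincipals(LazyRolePrincipal.class)) {
            System.out.println("Admin? " + p.isInRole("Admin") + ", Guest? " + p.isInRole("Guest"));
        }
        System.out.println("lookups after checks: " + calls[0]);
    }
}
```

The limitation raised in the post still applies: roles held inside this class are not separate principals in the Subject, so a policy file that grants by principal name cannot refer to them.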