looking for a solution

Karolski

Hello All,
This is my first post here, so please, be patient. :)
It's all about j2ee technology.
I'm working on some kind of two-level
authorization. Let me explain.
The webbrowser would be a client.
- There are some applications, which are working
with the database (app1, app2, app3...appN)
- there are users (user1, user2, user3... userM)
- any single user belongs to a group (or groups)
(group1, group2, group3... groupO)
- any single group has access to a different set
of application, i.e
group2 has access to a app1, app2, app7 (so users
belongs to that group have access to app1, app2, app7)
group5 has access to a app2, app10, app12
All information (including login and passwd) about
users are stored in a database. I would like to
have a web-interface, where users can log in
(giving their password and login). If the login
would be correct, the user will see applications,
which are available to him. This part would be
created with simple session objects. Next, I have
to protect those applications, so no other could
use it. First thought was to protect it with, for
example, basic-auth. This is very comfortable for
people developing those apps, because it is very
simple to protect those apps with basic-auth using
Deploytool (we are using Sun Java ONE App Server).
But, on the other hand, users should know many
logins and passwords. I'm wondering if there is a
better solution for that.
Thanks in advance for all ideas.

greetings,
Karolski
 
Tom Dyess

Karolski said:
Hello All,
This is my first post here, so please, be patient. :)
It's all about j2ee technology.
I'm working on some kind of two-level authorization. Let me explain.
The webbrowser would be a client.
- There are some applications, which are working with the database (app1,
app2, app3...appN)
- there are users (user1, user2, user3... userM)
- any single user belongs to a group (or groups) (group1, group2,
group3... groupO)
- any single group has access to a different set of application, i.e
group2 has access to a app1, app2, app7 (so users belongs to that group
have access to app1, app2, app7)
group5 has access to a app2, app10, app12
All information (including login and passwd) about users are stored in a
database. I would like to have a web-interface, where users can log in
(giving their password and login). If the login would be correct, the user
will see applications, which are available to him. This part would be
created with simple session objects. Next, I have to protect those
applications, so no other could use it. First thought was to protect it
with, for example, basic-auth. This is very comfortable for people
developing those apps, because it is very simple to protect those apps with
basic-auth using Deploytool (we are using Sun Java ONE App Server). But,
on the other hand, users should know many logins and passwords. I'm
wondering if there is a better solution for that.
Thanks in advance for all ideas.

greetings,
Karolski

As far as security keys and web development go, I have a table of logins
with various permissions. You can have a group table that is similar. Here is
the structure of my table (Oracle). Every time a user wants to access a
potentially restricted area of the site, I do a check on his "keys". In this
example, I have a specific set of keys which are represented as columns. You
can create a separate permissions table that joins the user table on lgn_id
which what keys that particular user has, I just preferred to flatten
(denormalize) in this particular instance. Personally, I don't like third
party login authenticators, I like controlling it in the application.

Name                 Type          Nullable Default Comments
-------------------- ------------- -------- ------- --------
LGN_ID               VARCHAR2(50)
LGN_PASSWORD         VARCHAR2(50)
USR_EMAIL            VARCHAR2(250) Y
LGN_FULL_NAME        VARCHAR2(150) Y
LGN_DESC             VARCHAR2(150) Y
LGN_IS_CONFIG_ADMIN  NUMBER        Y        0
LGN_IS_CAT_ADMIN     NUMBER        Y        0
LGN_IS_LINK_ADMIN    NUMBER        Y        0
LGN_IS_COMMENT_ADMIN NUMBER        Y        0
LGN_IS_ACCESS_ADMIN  NUMBER        Y        0
LGN_IS_BANNER_ADMIN  NUMBER        Y        0
LGN_IS_KEYWORD_ADMIN NUMBER        Y        0
LGN_IS_ASSOC_ADMIN   NUMBER        Y        0
LGN_IS_REPORT_VIEW   NUMBER        Y        0
LGN_ACTIVE           NUMBER        Y
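
The separate permissions table mentioned in the post above, applied to the group-to-application model from the question, as an added example (not code from either poster). Apart from lgn_id, every table and column name is an assumption, the user rows are constructed, and the SQL is generic rather than Oracle-specific; the `?` markers are JDBC PreparedStatement parameters.

```sql
-- Added example. Except lgn_id, all names are assumptions.
CREATE TABLE logins (
    lgn_id      VARCHAR(50)  PRIMARY KEY,
    lgn_pw_hash VARCHAR(255) NOT NULL,        -- assumption: salted hash, never the password
    lgn_active  SMALLINT     DEFAULT 1 NOT NULL
);
CREATE TABLE grp_app (                        -- which group may open which application
    grp_id VARCHAR(50) NOT NULL,
    app_id VARCHAR(50) NOT NULL,
    PRIMARY KEY (grp_id, app_id)
);
CREATE TABLE lgn_grp (                        -- group membership, joined on lgn_id
    lgn_id VARCHAR(50) NOT NULL REFERENCES logins (lgn_id),
    grp_id VARCHAR(50) NOT NULL,
    PRIMARY KEY (lgn_id, grp_id)
);

-- Group rights from the question; the users and memberships are constructed.
INSERT INTO grp_app (grp_id, app_id) VALUES
    ('group2', 'app1'), ('group2', 'app2'), ('group2', 'app7'),
    ('group5', 'app2'), ('group5', 'app10'), ('group5', 'app12');
INSERT INTO logins (lgn_id, lgn_pw_hash, lgn_active) VALUES
    ('user1', '<hash placeholder>', 1),
    ('user3', '<hash placeholder>', 0);       -- disabled account
INSERT INTO lgn_grp (lgn_id, grp_id) VALUES
    ('user1', 'group2'), ('user3', 'group2'), ('user3', 'group5');

-- 1) After login: the applications to show this user.
--    Parameter: lgn_id taken from the server-side session.
SELECT DISTINCT ga.app_id
FROM logins l
JOIN lgn_grp lg ON lg.lgn_id = l.lgn_id
JOIN grp_app ga ON ga.grp_id = lg.grp_id
WHERE l.lgn_id = ? AND l.lgn_active = 1
ORDER BY ga.app_id;

-- 2) On every request to an application: allow only if the count is above 0.
--    Parameters: lgn_id from the session, app_id of the application being served.
SELECT COUNT(*) AS allowed
FROM logins l
JOIN lgn_grp lg ON lg.lgn_id = l.lgn_id
JOIN grp_app ga ON ga.grp_id = lg.grp_id
WHERE l.lgn_id = ? AND ga.app_id = ? AND l.lgn_active = 1;
```

Because query 2 counts matching rows, a user with no group membership, a group without that application, or a disabled account all yield 0 and are denied by default.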
 
Karolski

Tom said:
As far as security keys and web development go, I have a table of logins
with various permissions. You can have a group table that is similar. Here is
the structure of my table (Oracle). Every time a user wants to access a
potentially restricted area of the site, I do a check on his "keys". In this
example, I have a specific set of keys which are represented as columns. You
can create a separate permissions table that joins the user table on lgn_id
which what keys that particular user has, I just preferred to flatten
(denormalize) in this particular instance. Personally, I don't like third
party login authenticators, I like controlling it in the application.

Yes, this could be ok, but I still have to carry
about the session. I have to compare user's login
and password stored into a session with perms. in
database. But thanks for advice :) Maybe it is
good idea?... :)

Karolski
 
