Labels

.NET Job Questions About Java Absract class Abstract class Abstract Class and Interface Aggregation ajax aop apache ofbiz Apache ofbiz tutrial Association authentication autocad basics batch Binary Tree bootstrap loader in java build Builder design pattern C++ Job Questions caching CallableStatement in java certifications Chain of responsibility Design pattern charts check parentheses in a string Classes classloader in java classloading concept code quality collage level java program Composition concurrency Concurrency Tutorial Converting InputStream to String Core Java core java concept core java interview questions Core Java Interview Questions Core Java Questions core java tutorial CyclicBarrier in Java data structures database Database Job Questions datetime in c# DB Db2 SQL Replication deserialization in java Design Patterns designpatterns Downloads dtd Eclipse ejb example/sample code exception handling in core java file handling injava File I/O vs Memory-Mapped Filter first program in spring flex Garbage Collection Generics concept in java grails groovy and grails Guice Heap hibernate Hibernate Interview Questions how-to IBM DB2 IBM DB2 Tutorial ide immutable Interceptor Interface interview Interview Questions for Advanced JAVA investment bank j2ee java JAVA Code Examples Java 7 java changes java class loading JAVA Classes and Objects Java Classloader concept Java classloading concept java cloning concept java collection Java collection interview questions Java Collections java concurrency Java CountDownLatch java definiton Java design pattern Java EE 5 Java EE 6 Java Exceptions Java file Java Garbage Collection Java generics Java Glossary java hot concept java immutable concept Java Interface Java interview Question java interview question 2012 java interview question answer Java Interview Questions Java Interview Questions and Answers java interview topic java investment bank Java Job Questions java multithreading java multithreading concept java new features Java Packages java proxy object java questions Java Serialization Java serialization concept java serialization interview question java session concept java string Java Swings Questions java synchronization java threading Java Threads Questions java tutorial java util; java collections; java questions java volatile java volatile interview question Java Wrapper Classes java.java1.5 java.lang.ClassCastException JavaNotes javascript JAX-WS jdbc JDBC JDBC Database connection jdk 1.5 features JDK 1.5 new features Concurrent HashMap JMS interview question JMS tutorial job JSESSIONID concept JSESSIONID interview Question JSF jsp JSP Interview Question JSP taglib JSTL with JSP Junit Junit Concept Junit interview question.Best Practices to write JUnit test cases in Java JVM Linux - Unix tutorial Marker Interfaces MD5 encryption and decryption messaging MNC software java interview question musix NCR java interview question Networking Job Questions news Object Serialization Objects ojdbc14.jar OOP Oracle Oracle SQL Query for two timestamp difference orm own JavaScript function call in Apache ofbiz Packages Palm Apps patterns pdf persistence Portal Portlet Spring Integration Prime number test in java programs Rails Reboot remote computers REST Ruby Sample application schema SCJP security Senior java developer interviews servlet3 servlets session tracking singleton design pattern Spring Spring 2.5 Framework spring ebook Spring framework concept spring MVC spring pdf Spring Security Spring Security interview questions SQL SQL performance SQL Query to create xml file Sql Query tuning ssis and ssrs StAX and XML string concept string immutable string in java strings struts Struts2 Struts2 integration synchronization works in java Technical Interview testing tips Tomcat top Tutorial Volatile in deep Volatile working concept web Web Developer Job Questions web services weblogic Weblogic Application Server websphere what is JSESSIONID xml XML parsing in java XML with Java xslt


Sunday, 21 July 2013

Authorization in JEE

Most articles on JAAS seem to be centered on Authentication, and having a byline on Authorization, or none at all. Refer to All that JAAS as an example. This is not a criticism of that article, it just shows how Authorization is ignored in most discussions on application security. You will notice this mostly when you try to explain to managers that User Interface Optimization is not a part of authorization or when you try to explain someone what "Instance based Authorization" means. So, it is refreshing to see a new article on Application Authorization alone. The new article on Developerworks titled "Authorization concepts and solutions for J2EE applications" discusses few basic authorization patterns and the state of authorization technology in the Java EE space. Here is a brief summary:

Authorization Patterns
  • Role based authorization: Role-based authorization provides access to resources based on the fact that the user is assigned a Role in the application. A "Role" can be defined as a class of users with similar access to the application's functionality. Roles are determined based on a user's group memberships as defined in a user registry. This type of authorization is the standard of the JEE world. It is a coarse-grained form of access control generally defined by URLs or EJB method calls, as defined in the Web and EJB deployment descriptors, or by the use of the getCallerPrincipal() and isCallerInRole() methods available in EJBContext. It is important to note that a Role is different from Groups defined in a User registry. A role is defined by the application functionality, while a group is defined by the organizational hierarchy.
  • Instance based Authorization: This pattern provides a more granular level of authorization than is typically provided by J2EE role-based authorization, getting down to the level of an individual object (an particular instance of an EJB, so to speak) within a system. In this case, we are controlling access based on the EJB methods invoked, as well as the arguments passed to them. Instance-based authorization typically protects instances using access control lists (ACLs), which are stored in some type of policy store and can be used to make access decisions. The best way to implement this type solution is through the use of an external security manager, such as IBM's Tivoli Access Manager.
  • Ownership relationships: It is a specific case of the instance-based pattern where there is an owner relationship within the data structures of the application between the user and some other protected data. This typically means that the authorization rules have to be embedded into the data access logic of the application itself. One such example would be to present a user with a list of results that are owned by him. In such cases, a the request to the database must contain the user information for filtering the results. Filtering results in the application is inefficient, particulary when results are shown in multiple pages, in which case a single page display may require multiple requests to database. Stored procedures may be optimal places to apply authorization rules for some applications.
  • User Interface customization: The dynamic modification of a user interface to only show actions that the user is entitled to perform is often regarded as an aspect of authorization. But is does not constitute authorization as a whole, since web requests can be modified at the client side too.
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

LinkWithin

Related Posts Plugin for WordPress, Blogger...