[jboss-user] [Security & JAAS/JBoss] - Rich Client Authorisation and JAAS

pdrummond do-not-reply at jboss.com
Thu Sep 21 08:29:59 EDT 2006


Hi,

I am trying to learn how JBoss security and JAAS would work together within my application which will be a Rich Client communicating with EJBs in JBoss (EJB3).  I am new to JavaEE so I apologise in advance if I use the wrong terminology or don't explain the problem very well. (BTW: should I be posting to the newbie forum?)

I understand that my rich client can use JAAS to login to a JBoss application server using a LoginModule.  Once the user is authenticated then it is possible to use security roles in the EJB code to ensure proper authorisation like this:

  | if(ctx.isCallerInRole("admin")) {
  |     //access resource
  | }
  | 
What I also need is similar code in the Rich Client.  As a simple example I want to enable an "Admin" menu if the user is in the admin role.  I assume I must use JAAS directly here - doAsPrivileged() maybe?  Even if doAsPrivileged() is the correct way to do it, due to the following article (http://today.java.net/pub/a/today/2006/09/14/using-jaas-in-ee-and-soa.html) I am concerned that there will be unmanageable inconsistencies.

Given my requirements and the concerns regarding JAAS and JavaEE integration maybe a custom authorization mechanism would be better?

At the moment, I am very confused about how JAAS and JavaEE integrate together.  I would be able to answer some of these questions myself by prototyping my scenario but my company isn't at that stage yet and I need to provide some words on this!  Any help would be appreciated.

Thank you,
Paul Drummond

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3973223#3973223
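The client-side half of what the post asks for, as an added example that is not part of the original post or of any JBoss code: a rich client authenticates through a JAAS LoginContext, reads the roles carried in the resulting Subject, and uses that to decide whether to enable the "Admin" menu. Everything here is an assumption for illustration: the login configuration entry name "rich-client", the user name and password, and the convention that the LoginModule behind that entry places a java.security.acl.Group named "Roles" in the Subject (the layout JBoss's own server-side login modules use; a client-side module that only forwards credentials to the server will not populate it, in which case the roles have to be fetched with a server call). The EJB-side ctx.isCallerInRole("admin") check quoted above remains the authoritative one; the client check only drives the UI.

```java
// Added example, not from the original post. Assumptions: a JAAS login configuration
// entry named "rich-client" (e.g. in auth.conf referenced via java.security.auth.login.config)
// whose LoginModule adds a Group principal named "Roles" to the Subject. The
// java.security.acl.Group API is the one available in the Java 5/6 era this post targets.
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public final class RichClientLogin {

    /** Answers the LoginModule's prompts from values already collected; a GUI client would show a dialog here. */
    static final class UsernamePasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        UsernamePasswordHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // Refuse anything unexpected rather than silently leaving it unanswered.
                    throw new UnsupportedCallbackException(cb, "Unsupported callback: " + cb.getClass().getName());
                }
            }
        }
    }

    /** Runs the JAAS login for the assumed "rich-client" entry; a failed login throws and yields no Subject. */
    public static Subject login(String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext("rich-client", new UsernamePasswordHandler(user, password));
        lc.login();
        return lc.getSubject();
    }

    /** Collects role names: the members of the Group principal named "Roles" (assumed JBoss-style layout). */
    public static Set<String> rolesOf(Subject subject) {
        Set<String> roles = new HashSet<String>();
        for (Group group : subject.getPrincipals(Group.class)) {
            if (!"Roles".equals(group.getName())) {
                continue;
            }
            for (Enumeration<? extends Principal> e = group.members(); e.hasMoreElements();) {
                roles.add(e.nextElement().getName());
            }
        }
        return Collections.unmodifiableSet(roles);
    }

    /** Client-side counterpart of ctx.isCallerInRole(role); only used to decide what the UI shows. */
    public static boolean isInRole(Subject subject, String role) {
        return rolesOf(subject).contains(role);
    }

    public static void main(String[] args) throws LoginException {
        // Sample credentials, constructed for the example.
        Subject subject = login("paul", "secret".toCharArray());
        final boolean showAdminMenu = isInRole(subject, "admin");
        System.out.println("Enable Admin menu: " + showAdminMenu);

        // Scope the Subject around the code that talks to the server. Whether this Subject, or a
        // separate client login module's state, is what actually travels to the EJB container
        // depends on the JBoss client configuration; the EJB's own role check runs either way.
        Subject.doAs(subject, new PrivilegedAction<Void>() {
            public Void run() {
                if (showAdminMenu) {
                    // adminFacade.doAdminThing();  // server still enforces isCallerInRole("admin")
                }
                return null;
            }
        });
    }
}
```

The point of keeping the two checks separate is that the client one is purely cosmetic: a modified client can enable the menu regardless, so every admin-only EJB method must still carry its own isCallerInRole or @RolesAllowed check, and the two will only agree if both sides derive roles from the same login module configuration.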



