1

I have a Java program involving several users who need to have different privileges. I currently have a class with basic CRUD methods; each of which requires that the current user has permission to call that method. For example, a user may have permission to call the "update" and "create" methods, but not "delete". All users have the ability to call the "read" method.

I'd like to give each user some arbitrary combination of permissions to use methods, so I think each method should check the users permission. However, what's the best way to do this? Should the user object be passed as a parameter into the methods each time they're called, or is there a better way? I've taken a look at the SecurityManager class in Java, but it appears to be targeted towards applets and file-system privileges (neither of which are applicable in my case). Is that correct, or have I missed something here?

Micheal Hill
  • 1,619
  • 2
  • 17
  • 38
  • 2
    Sounds like you want to use [`Acl`](http://docs.oracle.com/javase/7/docs/api/java/security/acl/Acl.html) and [JAAS](http://stackoverflow.com/questions/628416/jaas-for-human-beings). Possibly with integration to [LDAP](http://docs.oracle.com/javase/jndi/tutorial/ldap/security/ldap.html) or [Kerberos](http://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html). In short, yes... Java has mechanisms that support what you want. No, `SecurityManager` isn't one of them. – Elliott Frisch Jan 28 '15 at 03:02
  • Checkout http://www.jaasbook.com/ its a free book that I read a while back. Not sure if its outdated though – Can't Tell Jan 28 '15 at 04:09
  • You might want Spring Security or Apache Shiro. – chrylis -cautiouslyoptimistic- Jan 28 '15 at 04:13

1 Answers1

2

Yes, you're looking for the java.security and javax.security.auth packages.

Basically what this framework gives you is a generic representation of principals (entities that can be authenticated; user or group), credentials (passwords, access keys, certificates), and permissions (aka permission sets or Access Control Lists).

But honestly this framework tends to complicate matters. IMO the only worthwhile convenience it provides is attaching security context to a thread using Subject.doAs().

The basic gist of authentication is making sure someone is who they claim to be, and the basic gist of authorization is to let someone do only what they're allowed.

If you already have your own representations of users, passwords and permissions, I'd recommend you keep it simple. All you need to do is stash the user's ID and permissions as a single object in their session attributes and make this information available to your application's business logic for checking permissions (by passing as a parameter). It's simple, it's explicit, and it's highly testable.

gknicker
  • 5,509
  • 2
  • 25
  • 41