add a proposal for a SecurityBindingType #6
Conversation
add a proposal for a SecurityBindingType
|
Just wondering how to categorize this example. It's an authorization example it seems, but is this an example of a CDI based "@RolesAllowed" (as proposed in https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-23), or is this closer to the "@EvaluateSecured" (as proposed in https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-7 see also https://github.com/javaee-security-spec/javaee-security-proposals/tree/master/el-authorization)? @dblevins Should be perhaps already start thinking about organization of this repo? A first level "authentication" and "authorization" perhaps? Then authentication organized in "mechanism" and "store" (even though we don't have a final term for that last one yet). At least make people a bit aware of what they are exactly demoing, and how it fits into the grand scheme of things? Maybe Rudy's mindmap and my diagram can be of help here too. |
|
Hi Arjan! The SecurityBindingType is neither Role nor Permission based actually. It allows for a flexible integration on whatever level your company needs. In fact I basically almost always had a mixture of roles and permissions to check for. Often they are also tenant specific! And sometimes there are multiple AND vs OR requirements as well. LieGrue, PS: if my mail doesn’t make it through to the spec list then plz forward it for me - txs!
|
|
Hi, On Wed, Mar 25, 2015 at 2:54 PM, Mark Struberg struberg@yahoo.de wrote:
I sounds good ;) How do you propose to position such annotation relative to (CDI based) And how would we explain to users the benefit of this annotation vs a Note, this is no criticism, just wondering how to fit this into the larger Kind regards,
|
Alex On 3/25/15 8:34 AM, Arjan Tijms wrote:
|
|
In my opinion @RolesAllowed is often not enough. The strict String[] role based mode is one of the reason EE-security is not used that often. In practice I almost always needed more. It is kind of a meta-framework and you can of course build @RolesAllowed as a @SecurityBindingType as well ;) It can be implemented via CDI - but also via Spring, etc.
LieGrue,
|
|
I added an alternative where you can use NamedPermissions, which is more fine grained then roles (like you can have implied permisions). see https://github.com/javaee-security-spec/javaee-security-proposals/tree/master/named-permissions. It defines @PermissionsRequired as counterpart for @RolesAllowed. |
|
Hi, On Friday, March 27, 2015, Rudy De Busscher notifications@github.com
Also, if we standardise group to role mapping, then a role will be actually Kind regards,
|
|
Hi, On Friday, March 27, 2015, Mark Struberg struberg@yahoo.de wrote:
I see it a bit different. My own opinion and that what I've heard from In other words, defining the authorization constraint is not the major IMHO, the major issue is the configuration of authentication stores (which Then there are various gaps, like the non-standardised role mapper and Of course it's great to have some modern or higher level features like That said, I do absolutely agree we should provide the "more" that you Kind regards,
|
|
Maybe not the location to discuss this (should be done at some point on the jsr375 mailing list) But the role and group thing, even standardised, doesn't include the implied Thing (read permission or whatever name) or hierarchical structure. or will it? If I have 1200 "Roles" in my application, I don't want to assign 1200 "Groups" to the User and have to define the mapping between them. (And I once had so it is real world situation) to be continued on the mailing list later on when we are further with the Role-Group mapping. |
|
Hi, On Friday, March 27, 2015, Rudy De Busscher notifications@github.com
Group to role mapping is many-to-many, typically one-to-many. One group can Kind regards,
|
At least for all the 0.2% JavaEE programmer who are using it ;)
I totally agree with you on this one. I still wonder why there is no portable way to register a LoginModule. Otoh once you have the auth activated then it’s most times just a matter of httpServletRequest.getRemoteUser() or getUserPrincipal(). Btw I personally feel that JASPIC is way too complicated and also too limited (n-factor authz missing, etc). But I’m no expert in that area. LieGrue, |
|
Hi, On Fri, Mar 27, 2015 at 6:00 PM, Mark Struberg notifications@github.com
It sure would be interesting to see what the numbers would approximately I can only tell you that a simple String[] was not enough for almost all
What I often saw is that there's a container specific or home grown Then URLs are protected by roles, and methods with @RolesAllowed if With JACC in the background you can "rather easily" (when you have JACC But the 2-level role hierarchy and the programmatic AND/OR/other gives you
Well, actually there is (more or less). JASPIC does define how JAAS This works to some degree (I know it's not perfect), but the next big And then the problem after that is that the default Servlet authentication I tried to sum up most of this here:
The SAM, which is the only thing a user should implement, is really not I provided an example a couple of times on the list (see and also too limited (n-factor authz missing, etc). But I’m no expert in
You mean like 2-factor authentication? I implemented a SAM using that here: Actually providing such a SAM by default might be more of a job of this EG. Kind regards,
|
|
Hi Mark,
Is there something we could standardize that the 99.8% of the other JavaEE programmers are using? ;) Regards, |
|
This is exactly the point for using an additional indirection with the @SecurityBindingType. @SecurityBindingType Means you can define your OWN set of data which you need to make a decision whether some action is allowed or not. Of course this internally might use some other framework like Shiro, PicketLink, etc. LieGrue,
|
I see how that can be useful, but I don't yet see what the Java EE security API can offer to support this, especially if the implementation of the user provided interceptor might use Shiro etc. Today a user can already define a custom interceptor, and a user can already use Shiro in that interceptor. Sorry if I missed something in your proposal. |
|
It would seem the interceptor proposed in https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-7 would offer more flexibility. Using EL in the interceptor would allow authorization rules to be based on a variable set of attributes referring to managed beans. Also, we could extend the interceptor to allow external storage of EL rules, for example in LDAP. I do have concerns about performance, processing EL per interceptor. But there may be optimizations. |
With SecurityBindingType you can easily add your own security logic as cross cutting concerns similar to CDI Interceptors.