Dynamic roles on a Java EE server

Views: 148

Question

I want to manage users and roles in a dedicated application. For example, a user of this application ("customerX boss") can create a new role "customerX employee". If an employee accesses the Java EE application server (GlassFish 3) he should get the role "customerX employee".

It sounds simple, but it is not supported by Java EE, because groups are mapped to roles at start-up time and the roles within the application are static.

What is the best way to manage user roles at runtime in a Java EE (6) environment?

Recommended answer

The declarative security in Java EE is indeed not suited for such requirements. The problem of security can be split in two:


  • Authentication

  • Authorization

I had a similar requirement once. We used the built-in authentication to have the principal set and then relied on the default Java EE login mechanisms. But we ended up managing the authorization part manually at the application level.

Indeed, even the roles that will be loaded and associated with the principal (isUserInRole for the web and isCallerInRole for the EJB) need to be specified in web.xml or ejb.xml, which doesn't provide enough flexibility. We then had to load the roles manually (according to the principal) from LDAP or Active Directory. We then used EJB3 interceptors and Servlet filters to perform the security checks ourselves.

I would however strongly suggest sticking to Role-Based Access Control (RBAC) and not implementing something fancier. There are several frameworks that can help to deal with home-made RBAC.

We also had a look at JSecurity and Acegi Security and they seemed interesting.
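As an added illustration of the approach the answer describes (roles resolved per principal at runtime and enforced from an EJB3 interceptor), not code from the original post: the `@RequiresRole` annotation and the `RoleRepository` interface are hypothetical names, and the repository stands in for whatever LDAP or Active Directory lookup returns the caller's current roles. The interceptor denies by default, so a business method that carries no role requirement is refused rather than silently allowed.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Set;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

/** EJB3 interceptor enforcing roles looked up at runtime instead of roles declared in ejb-jar.xml. */
public class DynamicRoleInterceptor {

    /** Hypothetical marker: the role names a method (or the whole bean) requires; any one suffices. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    public @interface RequiresRole { String[] value(); }

    /** Hypothetical lookup of a principal's current roles, e.g. backed by LDAP or Active Directory. */
    public interface RoleRepository { Set<String> rolesFor(String principalName); }

    @Resource private SessionContext ctx;            // caller authenticated by the container
    @Inject private RoleRepository roleRepository;   // assumed CDI bean doing the directory lookup

    @AroundInvoke
    public Object checkRole(InvocationContext ic) throws Exception {
        Method m = ic.getMethod();
        RequiresRole req = m.getAnnotation(RequiresRole.class);
        if (req == null) {
            req = m.getDeclaringClass().getAnnotation(RequiresRole.class); // class-level fallback
        }
        // Deny by default: a method without a role requirement is not reachable through this interceptor.
        if (req == null) {
            throw new EJBAccessException("no @RequiresRole declared for " + m.getName());
        }
        String caller = ctx.getCallerPrincipal().getName();
        Set<String> roles = roleRepository.rolesFor(caller); // fresh per call, so new roles apply immediately
        for (String needed : req.value()) {
            if (roles.contains(needed)) {
                return ic.proceed();
            }
        }
        throw new EJBAccessException(caller + " lacks a role required by " + m.getName());
    }
}
```

Bind it to a bean with `@Interceptors(DynamicRoleInterceptor.class)` and annotate methods such as `@RequiresRole("customerX employee")`; because the role set is re-read on every call, a role created by the "customerX boss" application takes effect without redeploying.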
