Nik Kashi

Reputation: 4606

Access Control List (ACL) for EJB

Is there any ACL solution for controlling domain object data access in a JAAS-controlled EJB?

In Spring Security ACL this aspect is implemented. An API is needed to apply ACLs to domain objects with Java EE, or an integration solution for Spring Security and JAAS.

Upvotes: 0

Views: 446

Answers (1)

David Brossard

Reputation: 13834

I am not sure access control lists would be enough. You need to look at a role-based system (RBAC) or an attribute-based access control system (ABAC).

You can then call out from the EJB ("Can my user access this domain object?"), get a Yes/No back, and enforce it.

Here are your options:

- Spring Security implements RBAC.
- XACML implements ABAC. There are several implementations of XACML available (both open-source and vendor, such as the one I work for, Axiomatics).

If you want background information on access control models, you can have a look at the following:

Upvotes: 1
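An added example (not part of the question or the answer, and not code from Spring Security or any XACML product) of the call-out pattern the answer describes: the business method asks a decision point a yes/no question about one domain object and enforces the result. All type names and the sample policy are hypothetical, and plain Java 16+ is assumed so it runs without a container.

```java
import java.util.Set;

public class DomainObjectAccessDemo {

    // Domain object with the attributes the decision depends on (hypothetical type).
    record Document(long id, String owner, String department, boolean confidential) {}

    // The caller. Inside an EJB the name would come from
    // SessionContext.getCallerPrincipal() and the roles from isCallerInRole().
    record Subject(String name, Set<String> roles, String department) {}

    // Decision point: returns yes/no only, enforcement happens elsewhere.
    interface DecisionPoint {
        boolean permits(Subject subject, String action, Document doc);
    }

    // Constructed sample policy, default deny.
    static final DecisionPoint POLICY = (s, action, d) -> {
        if (s.name().equals(d.owner())) {
            return true;                                   // owner may read and write
        }
        if (!"read".equals(action) || !s.department().equals(d.department())) {
            return false;                                  // non-owners: read, own department only
        }
        // Role alone is not enough: a manager of another department was rejected above.
        return !d.confidential() || s.roles().contains("manager");
    };

    // Enforcement point: the business method calls this before using the object.
    static Document enforce(Subject s, String action, Document d) {
        if (!POLICY.permits(s, action, d)) {
            throw new SecurityException(s.name() + " may not " + action + " document " + d.id());
        }
        return d;
    }

    public static void main(String[] args) {
        Document doc = new Document(42, "alice", "finance", true);   // constructed sample data
        Subject bob = new Subject("bob", Set.of("manager"), "finance");
        Subject carol = new Subject("carol", Set.of("manager"), "sales");

        System.out.println(enforce(bob, "read", doc).id());          // permitted
        try {
            enforce(carol, "read", doc);                             // same role, other department
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Both sample callers hold the same role, so a role check in the deployment descriptor could not tell them apart; the decision needs the attributes of the specific object.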
