Subject | Re: [Firebird-Java] Best use of Roles with JayBird and WebApps, Was: How to specify RoleName in the JNDI resource? |
---|---|
Author | David Jencks |
Post date | 2002-11-16T03:02:25Z |
I don't think roles in j2ee map well to roles in firebird because as I
understand it in j2ee a user has a set of roles whereas as it was explained
earlier in the thread firebird has one role per connection.
However, you might be interested in this jca capability:
In the jca framework (with container managed security, which is what you
want to use if possible, and definitely with ejbs), your app just gets a
connection from a datasource (ds.getConnection()) and the app server/jca
ConnectionManager figures out what user your app is running as, and
translates this into an appropriate database user, and then supplies you
with a connection logged in as that user (either from a pool or newly
created).
There are several possible meanings of "appropriate":
configured identity maps all app users to the same database user.
Caller identity maps the app user to themselves as database user.
Mapping identity lets you specify a mapping between the app user and db
user.
In JBoss, you specify which one of these you want by deploying a
LoginModule in the security framework, and specifying it in the datasource
configuration. You can write whatever rules you want in a LoginModule to
get whatever mapping you want. For instance, you could use an xml file, a
database table, or ldap.
Currently in jboss we supply login modules for configured identity and
caller identity: I'm hoping someone will contribute some mapping identity
modules.
For firebird, it would be possible to make a login module that included a
role in the login info supplied to the ManagedConnectionFactory, but I'm
not yet convinced it has any real advantage over just logging in as a
different user.
As far as I know tomcat does not include any jca deployment framework. You
could probably remove the ejb stuff from jboss + tomcat, leaving the
security framework and jca framework, and use this, but I certainly haven't
tried it.
david jencks
On 2002.11.15 18:44:36 -0500 Rick Fincher wrote:
> Hi All,
>
> Sorry if this is drifting off topic but it is a question that's a little
> about JayBird, a little about Firebird, and a little about Tomcat (or
> your
> favorite servlet container/JSP server).
>
> > > I'm curious about the use of role based security for applications
> like
> this
> > > rather than name based.
>
> I didn't pose the question well. My question stems from the trouble I
> had
> converting a Java app originally using Interclient to a web app using
> JayBird.
>
> I guess a full blown J2EE server solves many of these problems. Perhaps
> someone with that kind of experience with JayBird can comment?
>
> The Java app used direct user logins to the database in a local network.
> It
> also used a connection pool. You could use a pool there since all the db
> connections in any given use of the program were to the same user/role.
>
> To "webify" the app it wasn't practical for a lot of reasons to have the
> users log in with their db names, security being the most obvious.
>
> So we ended up using the typical single generic username for all database
> accesses and granting that user sufficient permissions to do anything to
> the
> tables and columns involved that any web user might ever need to do.
>
> Then we used the roles capability built into the JSP/Servlet spec (in
> Tomcat) to restrict access to certain web pages to specific users with
> certain Tomcat roles.
>
> This was good because it let us use roles with a connection pool, but it
> was
> bad because errors in Tomcat or our setup could allow users undesired
> access. It was also good from a security point of view since only Tomcat
> passwords are transferred across the net and they can be protected with
> SSL.
>
> To get even more fine grained and provide access control on a
> record-by-record basis we put an "owner" and "group" field in each record
> and use program logic to implement permissions on records.
>
> The upshot of this is that Firebird Roles are not used at all or would
> only
> be useful for gross access security.
>
> Andrew's question about using Firebird roles with JayBird and JNDI data
> sources got me wondering if it would be practical to have multiple data
> sources, each with a different Firebird role with each user only allowed
> to
> attach to the data source having a role appropriate to their permission
> level?
>
> That would allow Firebird to enforce access restrictions down to the
> table
> and column level.
>
> If you did this you would have to let Tomcat manage the pooling rather
> than
> JayBird because I don't think FBWrappingDataSource can connect with
> roles,
> can it? That is more in line with J2EE anyway.
>
> Would the web app be able to look up its create, modify, update, and
> delete
> permissions from one of the system tables of the db, or do the JayBird
> metadata extraction methods work well enough for this?
>
> If not you would have to put what the permissions are into each data
> source
> and keep that coherent with the database tables to prevent errors.
> Otherwise you would just have to let users try things they don't have
> permission to do and trap errors. That would be both annoying to the
> user
> and inefficient for the system.
>
> I guess a disadvantage of this would be that your web app would only work
> with other SQL databases that implement roles.
>
> Rck
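An added example, not part of either post in this thread, showing what the "one data source per Firebird role" idea looks like on the database side: each privilege level gets its own Firebird role with table- and column-level grants, each pool user is allowed to assume only its role, and the grants are readable back from the RDB$USER_PRIVILEGES system table. The table, role, user and file names are constructed for illustration; the user-creation step is shown as a comment because Firebird 1.x manages users with gsec rather than SQL.

```sql
-- Added example (not from the thread). Table, role, user and path names
-- are constructed; adjust to your schema.

CREATE TABLE ORDERS (
    ORDER_ID     INTEGER      NOT NULL PRIMARY KEY,
    CUSTOMER_ID  INTEGER      NOT NULL,
    TOTAL        NUMERIC(12,2),
    STATUS       VARCHAR(16),
    OWNER_NAME   VARCHAR(31),   -- record-level owner, checked by application logic
    GROUP_NAME   VARCHAR(31)    -- record-level group, checked by application logic
);

-- One role per permission level instead of one generic user holding every grant.
CREATE ROLE R_READONLY;
CREATE ROLE R_CLERK;
CREATE ROLE R_MANAGER;

-- Table-level: the read-only role may only SELECT.
GRANT SELECT ON ORDERS TO ROLE R_READONLY;

-- Column-level: a clerk may read and insert, but may UPDATE only STATUS.
GRANT SELECT, INSERT ON ORDERS TO ROLE R_CLERK;
GRANT UPDATE (STATUS) ON ORDERS TO ROLE R_CLERK;

-- Managers get full DML; still no DDL or ownership rights.
GRANT SELECT, INSERT, UPDATE, DELETE ON ORDERS TO ROLE R_MANAGER;

-- One pool user per data source, each allowed to assume exactly one role.
-- Users themselves are created outside SQL in Firebird 1.x, e.g. (assumed command line):
--   gsec -add WEB_CLERK -pw <pool password>
GRANT R_READONLY TO WEB_RO;
GRANT R_CLERK    TO WEB_CLERK;
GRANT R_MANAGER  TO WEB_MGR;

-- Role privileges apply only when the connection names the role (isql syntax;
-- a JDBC data source would pass it as a connection property).
CONNECT 'localhost:/data/shop.fdb' USER 'WEB_CLERK' PASSWORD 'pool-secret' ROLE 'R_CLERK';

-- Permitted for R_CLERK; the owner/group predicate is the application's
-- record-level check layered on top of the engine's column-level check.
UPDATE ORDERS
   SET STATUS = 'SHIPPED'
 WHERE ORDER_ID = 42
   AND (OWNER_NAME = 'alice' OR GROUP_NAME = 'shipping');

-- Rejected by the engine (R_CLERK has no UPDATE on TOTAL), whatever
-- the servlet container's own role check decided.
UPDATE ORDERS SET TOTAL = 0 WHERE ORDER_ID = 42;

-- What a web app can read back from the system tables to learn its
-- own privileges before offering an action to the user.
SELECT RDB$USER, RDB$PRIVILEGE, RDB$RELATION_NAME, RDB$FIELD_NAME
  FROM RDB$USER_PRIVILEGES
 WHERE RDB$RELATION_NAME = 'ORDERS'
   AND RDB$USER IN ('R_READONLY', 'R_CLERK', 'R_MANAGER');
```

The second UPDATE is the point of the exercise: with a single generic user granted everything, a misconfigured Tomcat role or a bug in page-level checks is the only thing between a user and a write to TOTAL; with per-role grants the engine refuses it regardless. The RDB$USER_PRIVILEGES query returns one row per grant (RDB$FIELD_NAME is NULL for table-level grants and names the column for column-level ones), which is enough to drive the UI rather than letting users attempt operations and trapping the error.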