yet another ACL question

Don Dwoske (ddwoske@evergreen-funds.com)
Thu, 24 Jun 1999 14:38:27 -0400

Date: Thu, 24 Jun 1999 14:38:27 -0400
From: Don Dwoske <ddwoske@evergreen-funds.com>
To: java-security@java.sun.com
Subject: yet another ACL question

I've scoured the sun site, and the security archives,
and every time this question comes up, there has not been
an answer that has helped me, so I'll ask again. This
is sort of long, because I want to be clear.

I hear that the new Java 2 security features based on
Permission, and BasicPermission are supposed to supersede
what the java.security.acl package does, but I don't see
how. They seem to be designed for different things.

The java.security.acl package can be used nicely when there
are multiple users of the same program, such as in a web
based system, where a servlet may execute and need to determine
if a user has permission to look at certain data in
a database based on java.security.acl.Permissions and
Group privileges as well.

This is very useful for organizing access control to certain
objects, by placing users in groups that have been given
certain privileges.

I don't see how this is done in Java 2, and how the User
can be placed in multiple groups, or how many users can
be using the same system at the same time with their own
identities.

In this scenario, how would I use Java 2 to accomplish what
I want to do:

o A user logs into a website using basic authentication of
a username/password
o That user does a few things on the site, then executes
a servlet that will access a database
o Based on the user's identity (from HTTP_USER, or from stored
session information), the servlet will deny or allow
access to that database information.

How does the servlet decide this information for that specific
user using Java 2?

For example, user Joe is in the Administrator group, so
he can view audit logging information, which Jane in the
Users group cannot see. They both may execute this servlet,
using a username and password to authenticate. How does
the servlet figure out which groups my user is in, and
allow or deny access to this data in my database?

I would also like to store this ACL information, along
with my user and group information, in my own database.

With java.security.acl, I can create an access control
list for that piece of data, and then give certain
Principals access to it. I don't see how to do that
in Java 2 in the above scenario by extending Permission.
How do I use it for different users, and groups?

Thanks for any help,

Don

-- 
----------------------------------------------------------
Don Dwoske                    mailto:ddwoske@geocities.com
Software Developer      http://www.ccs.neu.edu/home/dwoske
 "I had a Golgafrinchan jogging towel," continued Arthur,
   "it was blue with yellow stars on it. This isn't it."
----------------------------------------------------------
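The following is an added example, not part of the post above and not code from Sun or the java-security list. It shows one way to use the java.security.Permission machinery the poster asks about for the Joe/Jane scenario: a hypothetical `DataPermission` subclass of `BasicPermission`, a hypothetical `GroupAcl` that maps users to groups and groups to grants (constructed in memory here, standing in for the database tables the poster wants), and the check a servlet would run once HTTP basic authentication has identified the caller. The names `DataPermission`, `GroupAcl`, `isAllowed`, and the permission strings `audit.view`, `audit.*` and `customer.read` are all assumptions of this example. It targets a current JDK (diamond operator, lambdas); the java.security.Permission calls it uses have not changed since Java 2.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical application permission for the pieces of data a servlet guards,
 * e.g. "audit.view" or "customer.read". Extending BasicPermission gives the
 * dotted-name wildcard semantics for free: "audit.*" implies "audit.view".
 */
final class DataPermission extends BasicPermission {
    DataPermission(String name) {
        super(name);
    }
}

/**
 * Hypothetical per-user authorization built from group membership. The two
 * maps stand in for the user/group/grant tables the poster wants to keep in
 * a database; they are constructed in memory so the example runs stand-alone.
 */
final class GroupAcl {
    private final Map<String, Set<String>> groupsOfUser = new HashMap<>();
    private final Map<String, List<Permission>> grantsOfGroup = new HashMap<>();

    void addUserToGroup(String user, String group) {
        groupsOfUser.computeIfAbsent(user, k -> new HashSet<>()).add(group);
    }

    void grant(String group, Permission permission) {
        grantsOfGroup.computeIfAbsent(group, k -> new ArrayList<>()).add(permission);
    }

    /**
     * Collects the grants of every group the user belongs to into one
     * java.security.Permissions object. An unknown user gets an empty,
     * read-only collection, so the default answer is deny.
     */
    PermissionCollection permissionsFor(String user) {
        Permissions effective = new Permissions();
        for (String group : groupsOfUser.getOrDefault(user, Collections.emptySet())) {
            for (Permission p : grantsOfGroup.getOrDefault(group, Collections.emptyList())) {
                effective.add(p);
            }
        }
        effective.setReadOnly();
        return effective;
    }

    /** The check a servlet makes once it knows the authenticated user name. */
    boolean isAllowed(String user, Permission required) {
        return permissionsFor(user).implies(required);
    }
}

public class PerUserPermissionDemo {
    public static void main(String[] args) {
        GroupAcl acl = new GroupAcl();
        // Constructed sample data: Joe is in Administrator and Users (a user may
        // belong to several groups), Jane is only in Users.
        acl.addUserToGroup("joe", "Administrator");
        acl.addUserToGroup("joe", "Users");
        acl.addUserToGroup("jane", "Users");
        acl.grant("Administrator", new DataPermission("audit.*"));
        acl.grant("Users", new DataPermission("customer.read"));

        // What the servlet does after basic auth has identified the caller; the
        // user name would come from request.getRemoteUser() or the session.
        Permission viewAudit = new DataPermission("audit.view");
        Permission readCustomer = new DataPermission("customer.read");
        for (String user : new String[] {"joe", "jane", "mallory"}) {
            System.out.println(user + " audit.view: " + acl.isAllowed(user, viewAudit));
            System.out.println(user + " customer.read: " + acl.isAllowed(user, readCustomer));
        }
    }
}
```

Running it, Joe's `audit.view` check succeeds because the `audit.*` grant implies it, Jane's fails, both can read customer data, and the unknown user `mallory` is denied everything because an empty collection implies nothing. Two points worth noting. First, `permissionsFor` rebuilds the collection on every request, so removing a user from a group in the backing store takes effect on the next request rather than lingering in a cached collection. Second, this is deliberately not `AccessController.checkPermission`: the Java 2 policy decides by code source (where the calling classes were loaded from and who signed them), not by which person is logged in, so a servlet that must answer "may this user see this data" has to consult its own per-user collection as above; principal-based grants came later with JAAS.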