Wednesday, September 23, 2009

JAAS on a web control level

  JAAS is a very commonly used standard for Security in J2EE applications. Using JAAS in a web appliction is requiring the following:
  1.  Defining set of Roles for the application (web.xml).
  2.  Defining Security conistraints for every application resource (web.xml).
  3.  Wiring your application to the security module provided by the container (the application server ) like JBoss (jboss-web.xml).
 As noticed from the above configurations, the security constraints are applied over the whole resource; a page for example. In practical applications, the page may be a mix of controls that have a different role based functionality. For example, a page my have controls that is visible to normal user. Other controls will be only visible to a moderators, while the rest are only visible to super/admin users.

 This mix of different controls make it impossible to choose which role to be applied on the whole page. The solution for such case will be either splitting the controls over different resources and using the appropriate Role with it. The Second solution is to make a very low level access role on the resource (Normal Users) and then using java coding you can show and hide controls based on the principal user.

 jspx provides a very easy solution for such problem. Every control in jspx is exposing a non-Standard HTML attribute named AllowedRoles . The value of this attribute is a String. This attribute is listing the allowed roles which is cabaple of viewing the control and firing events.

 jspx security features are first introduced in build 1.0.4 along with many other security features that listed here.

 Assume that there is a button on page that is resetting the password of the user. This button should be allowed only to users of type admin and super. While the whole page is viewable to normal users, they can not view nor invoke such control.
  Using standard JAAS will not solve this issue. But using jspx the solution is simply as following:

<input   id="resetPAsswrodButton" type="button" onserverclick="doReset" value="reset password" alloweRoles="admin,super" />

The highlighted attribute lists the rolles allowed separated with comma. When jspx parses this control it does the following two actions:
  1. Renders the control if the current principle in one of the listed roles, else the control is not rendered.
  2. In case of post back action fired by this control, another check is made to make sure that the current principle is allowed to fire the event, else the event is dropped.
The value of this attribute can be set * to allow all roles to access the control, this would be like this
<input id="loginButton" type="button" onserverclick="doLogin" value="signin" alloweRoles="*"/>

The allowed attribtue is also applicable on the level of the jspx page.This is achived through the attribute AllowedRoles in the page tag in the jspx html page.

<page master="/pages/master/site.html" controller="" alloweRoles="*">

The Page allowed roles attribute will be available in the upcoming build 1.0.9.