RBAC is well understood, so this is beyond RBAC.
Looking for an efficient/tested approach to deal with attribute, or domain, based security such that a principal may have N attributes (with N values) that will limit what they can or can not see. I understand acegi can handle this, but by replacing JAAS, and I would like to evaluate if there is a way to work with JAAS to deal with this security model.
Examples:
joe likes apples, oranges, pears.
john likes oranges and tomatoes.
jane likes apples but is allergic to tomatoes (explicitly denied from tomatoes).
You serve 100’s of vegetables and fruits, and you specialize in special varieties of each fruit and vegetable.
If someone has permission to see apples, they can see all the specialized apples like ‘granny smiths’ for example, but not allowed to see other specialized types if they do not have that ‘likes’ attribute/permission.
Technical, each principal has various attributes associated with them, that will limit what they are allowed to see from various data calls/updates and looking for a clean way to support having those attributes with the principal be used in a JavaEE setting (ejb/servlet).
thanks in advance!
JAAS does not specify how (or even if) a Java EE container should implement this. Therefore various contains have (or don’t have) their own support for this.
Because of this, if you want it to work along with JAAS, then the solution will be container-specific, or will be an add-on library such as acegi.