Thanks for the link, that's interesting.
I have been struggling the last few days with users/roles and such topics, and I think the
real problem is that the "isUserInRole" thing is not really practical.
Because the question which I want to ask the server is: "does this
user have the right to access that resource"... where the resource is perhaps a
REST endpoint, a specific URL pattern or, if using a JSF page, this could
be a simple HTML button or text field.
I hear you, and that's indeed a very real requirement. I've seen it many times being asked for in real-life Java EE applications.
It does depend on the situation though. Sometimes checking for a role is more convenient, and sometimes the actual permission is what you want.
The problem with EE Security was that not everyone truly saw the need for this, and some (well, one actually) were actively against permission checking.
We had to argue quite a bit to even get this one in:
The idea was initially to make this one public:
My guess is we'll now do that for EE Security.next.
The next option is to introduce JASPIC or something like that. But as
everyone knows, and as you wrote in your article from the last mail, there is
very much to do in order to set up even the simplest things for permission
handling.
If you mean JACC and if you use Payara you could take a look at this:
In my opinion, but please correct me if I miss anything, it would be
cool if there were a method like "boolean hasPermission(Object
caller)" in addition to "isUserInRole".
That method was as mentioned planned, but it was unfortunately blocked by one particular vendor. It's certainly on the shortlist again.
Kind regards,
Arjan
And then this method, or another one
from an interface, has to be implemented like it is done with the
IdentityStore and AuthenticationMechanism. The
Identity/AuthenticationMechanism is now very nicely solved and a great
simplification compared to the former specification. And for simple things the
same would be cool for "permissions".
Kind regards,
Ulrich
On 06.10.18 at 14:39, arjan tijms wrote:
> Hi,
>
> Just declaring roles at startup can be programmatically done via
> ServletContext#declareRoles, but this is static (only at startup time)
> and doesn't allow you to associate permissions with this.
>
> It's *basically* possible to do it dynamically as well. I
> approximately implemented a prototype for this that was intended to be
> in EE Security 1.0, but since we spent all the little time that we had
> on finalising the functionality that's in EE Security now, I never
> started the discussion about this really.
>
> See
> https://arjan-tijms.omnifaces.org/2016/07/simplified-custom-authorization-rules.html
>
> It talks about this SO question that approximately asks for what you're
> also asking for:
> https://stackoverflow.com/questions/27341665/is-it-possible-to-determine-group-membership-of-a-user-on-demand-instead-of-when
>
> A related question is to add permissions like one can now declare
> roles. We talked about that before, and for a moment it seemed default
> JACC could do that, but it's not that clear cut.
>
> Kind regards,
> Arjan
>
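To make the difference between a role check and a resource-oriented permission check concrete, here is an added example in plain Java SE; it is not code from the thread, from EE Security or from Payara. It models the "boolean hasPermission(caller, ...)" idea discussed above on top of java.security.Permission (the same base type JACC's WebResourcePermission uses), with a hypothetical PermissionStore that plays the role an IdentityStore plays for authentication. The class names ResourcePermission, PermissionStore, PermissionChecker and Caller, and the group-to-permission mapping, are all constructed for this illustration.

```java
import java.security.Permission;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/** Hypothetical permission: a URL pattern plus the HTTP methods it covers (empty = any method).
 *  Loosely shaped after JACC's WebResourcePermission, but implemented here for illustration only. */
final class ResourcePermission extends Permission {
    private final String pattern;      // exact path such as "/admin", or prefix pattern such as "/api/orders/*"
    private final Set<String> methods; // upper-case HTTP methods; empty set means any method

    ResourcePermission(String pattern, String methodList) {
        super(pattern);
        this.pattern = pattern;
        this.methods = methodList.isEmpty()
            ? new HashSet<>()
            : new HashSet<>(Arrays.asList(methodList.toUpperCase().split(",")));
    }

    /** A granted permission implies a requested one when its pattern covers the requested
     *  path AND its method set covers every requested method. Anything else is a deny. */
    @Override public boolean implies(Permission p) {
        if (!(p instanceof ResourcePermission)) return false;
        ResourcePermission req = (ResourcePermission) p;
        boolean pathOk = pattern.endsWith("/*")
            ? req.pattern.startsWith(pattern.substring(0, pattern.length() - 1)) // "/api/orders/*" covers "/api/orders/…"
            : pattern.equals(req.pattern);
        boolean methodOk = methods.isEmpty() || methods.containsAll(req.methods);
        return pathOk && methodOk;
    }
    @Override public String getActions() { return String.join(",", methods); }
    @Override public boolean equals(Object o) {
        return o instanceof ResourcePermission
            && ((ResourcePermission) o).pattern.equals(pattern)
            && ((ResourcePermission) o).methods.equals(methods);
    }
    @Override public int hashCode() { return Objects.hash(pattern, methods); }
}

/** Hypothetical counterpart to IdentityStore: given the caller's groups, return the permissions granted to them. */
interface PermissionStore {
    Set<Permission> getPermissions(Set<String> groups);
}

/** Minimal caller representation: a name and the groups the identity store assigned. */
final class Caller {
    final String name;
    final Set<String> groups;
    Caller(String name, String... groups) {
        this.name = name;
        this.groups = new HashSet<>(Arrays.asList(groups));
    }
}

/** The "hasPermission" operation the thread asks for, next to the classic role check. */
final class PermissionChecker {
    private final PermissionStore store;
    PermissionChecker(PermissionStore store) { this.store = store; }

    /** Resource-oriented question: may this caller do this action on this resource? Deny unless some granted permission implies it. */
    boolean hasPermission(Caller caller, Permission requested) {
        for (Permission granted : store.getPermissions(caller.groups)) {
            if (granted.implies(requested)) return true;
        }
        return false;
    }

    /** Role-oriented question: is the role name in the caller's group set? Says nothing about resources. */
    boolean isUserInRole(Caller caller, String role) { return caller.groups.contains(role); }
}

public class PermissionDemo {
    public static void main(String[] args) {
        // Constructed sample policy: which permissions each group holds.
        Map<String, Set<Permission>> byGroup = new HashMap<>();
        byGroup.put("user", Set.<Permission>of(new ResourcePermission("/api/orders/*", "GET")));
        byGroup.put("admin", Set.<Permission>of(
            new ResourcePermission("/api/orders/*", "GET,POST,DELETE"),
            new ResourcePermission("/admin", "")));

        PermissionStore store = groups -> {
            Set<Permission> granted = new HashSet<>();
            for (String g : groups) granted.addAll(byGroup.getOrDefault(g, Set.of()));
            return granted;
        };
        PermissionChecker checker = new PermissionChecker(store);

        Caller alice = new Caller("alice", "user");
        Caller bob = new Caller("bob", "admin");
        Permission readOrder = new ResourcePermission("/api/orders/42", "GET");
        Permission deleteOrder = new ResourcePermission("/api/orders/42", "DELETE");
        Permission adminPost = new ResourcePermission("/admin", "POST");

        System.out.println(alice.name + " in role user:   " + checker.isUserInRole(alice, "user"));
        System.out.println(alice.name + " GET order 42:   " + checker.hasPermission(alice, readOrder));
        System.out.println(alice.name + " DELETE order 42:" + checker.hasPermission(alice, deleteOrder));
        System.out.println(bob.name + " POST /admin:      " + checker.hasPermission(bob, adminPost));
    }
}
```

The point of the contrast is in the last four lines: isUserInRole can only confirm that "user" is one of alice's groups, while hasPermission answers the question Ulrich actually wants asked, whether this caller may perform this HTTP method on this URL, and it does so with deny as the default when no granted permission implies the request. Because the decision lives in the PermissionStore mapping rather than in role names spread across annotations, the mapping can be changed or loaded dynamically without touching the code that performs the check.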