I have been using my own internal custom authorization model which evaluates whether a user has permission to view, edit, delete, or create an item. For instance, one place I use this is to determine if a user has permission to view a resource. I have some restrictions such as whether the item is published, whether the user belongs to the necessary group / role, etc.
I store all of that information in a database where I audit the permissions and who changed them for a given entity. To evaluate whether a user has permission, I have a Hibernate Event Listener that takes the current user and other contextual information and evaluates that against the entity.
Is this a good security model, or would JAAS / JACC or Drools work better here?
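The model the question describes (per-item published flag, group membership, and a Hibernate event listener that checks the current user against the entity, with every decision audited) can be sketched in a few classes. The following is an added example and not code from the question or from any of the answers; `Resource`, `Principal`, `AccessPolicy`, `AuditLog` and `CurrentUser` are hypothetical names, and the listener assumes the Hibernate 4.x/5.x event SPI (`org.hibernate.event.spi.*`), in which returning `true` from a pre-update or pre-delete listener vetoes the operation.

```java
// Added example (not from the question or any answer). Sketches a deny-by-default
// authorization model over published state and group/role membership, wired into
// Hibernate's pre-update / pre-delete hooks so that the write is vetoed before it
// reaches the database, and every decision (allow or deny) is audited.
// Hypothetical names: Resource, Principal, AccessPolicy, AuditLog, CurrentUser.
// Assumes Hibernate 4.x/5.x event SPI.
import org.hibernate.event.spi.PreDeleteEvent;
import org.hibernate.event.spi.PreDeleteEventListener;
import org.hibernate.event.spi.PreUpdateEvent;
import org.hibernate.event.spi.PreUpdateEventListener;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

enum Permission { VIEW, EDIT, DELETE, CREATE }

/** Entity under protection (constructed for the example). */
class Resource {
    final long id;
    final String ownerId;
    final boolean published;
    final Set<String> allowedGroups;   // groups that may see / edit an unpublished item
    Resource(long id, String ownerId, boolean published, Set<String> allowedGroups) {
        this.id = id; this.ownerId = ownerId; this.published = published; this.allowedGroups = allowedGroups;
    }
}

/** The caller (constructed for the example). */
class Principal {
    final String id;
    final Set<String> groups;
    final Set<String> roles;
    Principal(String id, Set<String> groups, Set<String> roles) {
        this.id = id; this.groups = groups; this.roles = roles;
    }
}

/** Central policy: every path that is not explicitly allowed is denied. */
class AccessPolicy {
    boolean isAllowed(Principal p, Permission perm, Resource r) {
        if (p == null) return false;                       // anonymous callers get nothing
        if (p.roles.contains("ADMIN")) return true;
        if (perm == Permission.CREATE) return p.roles.contains("EDITOR");
        if (r == null) return false;
        boolean owner = r.ownerId.equals(p.id);
        boolean inGroup = !Collections.disjoint(p.groups, r.allowedGroups);
        switch (perm) {
            case VIEW:   return r.published || owner || inGroup;
            case EDIT:   return owner || (inGroup && p.roles.contains("EDITOR"));
            case DELETE: return owner;
            default:     return false;
        }
    }
}

/** Append-only record of who asked for what, and what the policy decided. */
class AuditLog {
    final List<String> entries = new ArrayList<>();
    void record(String who, Permission perm, Long resourceId, boolean allowed) {
        entries.add(String.format("user=%s perm=%s resource=%s decision=%s",
                who, perm, resourceId, allowed ? "ALLOW" : "DENY"));
    }
}

/** Hypothetical supplier of the caller's Principal (e.g. from a thread-local or the request). */
interface CurrentUser { Principal get(); }

/** Vetoes writes the policy does not allow. Register with Hibernate's EventListenerRegistry,
 *  e.g. registry.appendListeners(EventType.PRE_UPDATE, listener) and likewise for PRE_DELETE. */
class AuthorizingListener implements PreUpdateEventListener, PreDeleteEventListener {
    private final AccessPolicy policy;
    private final CurrentUser currentUser;
    private final AuditLog audit;

    AuthorizingListener(AccessPolicy policy, CurrentUser currentUser, AuditLog audit) {
        this.policy = policy; this.currentUser = currentUser; this.audit = audit;
    }

    @Override public boolean onPreUpdate(PreUpdateEvent event) { return veto(event.getEntity(), Permission.EDIT); }
    @Override public boolean onPreDelete(PreDeleteEvent event) { return veto(event.getEntity(), Permission.DELETE); }

    /** Hibernate treats a true return value as a veto of the pending operation. */
    private boolean veto(Object entity, Permission perm) {
        if (!(entity instanceof Resource)) return false;   // entity types outside the model pass through
        Resource r = (Resource) entity;
        Principal p = currentUser.get();
        boolean allowed = policy.isAllowed(p, perm, r);
        audit.record(p == null ? "anonymous" : p.id, perm, r.id, allowed);
        return !allowed;
    }
}
```

Two points worth checking in a real deployment of this pattern: Hibernate has no pre-load veto, so `VIEW` cannot be enforced by an entity listener and has to be applied in the query layer (a filter or a service-boundary check) or by rejecting the entity after load; and entity listeners do not fire for HQL/JPQL bulk updates or native SQL, so those paths need their own check or should be closed off for protected types.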
Spring Security and Shiro are probably the most widely used security frameworks and I would probably use them for a project right now. However, it seems a shame to have a layer on top of an application server when an app server has fully tested and integrated security built in (JAAS). I am looking forward to seeing what PicketBox has to offer; Seam Security 3.0 is built on it, and it seems to more naturally fit with what an app server already offers, just with some nice features such as OpenID support.
Instead of JAAS or a rule engine based solution, I'd consider Apache Shiro (formerly JSecurity) for pluggable and flexible authentication and authorization. Have a look at "What is Shiro?".
But if you have a working solution, why not stick with it if it gets the job done?
I realize I'm a little late to the party, but Spring Security is a pretty robust option as well; specifically, its ACL module can do a lot of what you're looking for.