Data Access control in Java EE technologies
I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages.
First off, to clarify, I am not referring to the ability for different users to log on to a specific page and/or view specific pages. That is a different type of access control. I am more interested in "Data Access", i.e. where multiple users can view the same page but the data that is displayed depends on the data access control privileges they have.
I am interested to know of the different approaches out there to implementing "data access" control. Is there a framework out there for this kind of thing? I am currently using Struts.
I'm thinking that to do this, I will need to somehow categorize and store the kinds of data I keep and configure which users can view/amend it. I want to try and avoid producing something completely from scratch, so I'm wondering how the experts do this and what frameworks/technologies assist them in doing it.
I guess you need Spring Security Framework. With this framework, you assign different roles to different users. For example, we can define two roles: ROLE_USER, ROLE_ADMIN. Then we assign those roles to users. For example, a user A can have only one role, ROLE_USER and a user B can have both of the roles. Now if on a particular JSP, you want to show something to user B only, you can put the code into a pair of authorization tags:
<sec:authorize ifAllGranted="ROLE_USER, ROLE_ADMIN">
<!-- html, jsp scriptlets, jstl tags inside here will be visible to user B only -->
</sec:authorize>
Similarly if you want to show something to both of them:
<sec:authorize ifAllGranted="ROLE_USER">
<!-- anything inside here will be visible to both users -->
</sec:authorize>
Hope it helps.
You are looking for an authorization solution? Have you already checked JAAS, OSUser and similar ones? The authentication requirements can vary greatly; I think you need to be more specific, try adding a use case.
I think he was pretty specific with his question, though I also do not yet know the answer for it.
In any well-built Enterprise application, you have two levels of security: (a) Functionality ACL. Can a user search for others in Facebook? etc.
(b) Which data are you granted access to read and update. e.g. Which users' profiles can you open and read in Facebook? For some users, e.g. those in your friends list, you can see their profiles. For others you can't.
Thus, the fact that you can open a JSP that lists entities does not mean that you will be able to see the full set of entities in the system.
(a) Is easily solvable with Java EE users and roles security concepts.
(b) How do you associate your database data to specific JNDI users and roles?
Do you always have to reinvent the wheel when it comes to data access ACL?
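As an added illustration (not code from the question, from either answer, or from Spring Security) of the two layers described above, here is a plain-Java service that separates the functionality ACL (roles, the thing the `sec:authorize` tags check) from the data ACL (per-record grants, the thing the question asks about). Every class name, the `Role`/`Permission` enums and the in-memory grant table are hypothetical; in a real Struts/JPA application the grant lookup would be a join in the query so that only permitted rows ever leave the database.

```java
import java.util.*;
import java.util.stream.Collectors;

/**
 * Hypothetical service showing two independent checks:
 *   (a) functionality ACL: may this user use the "browse profiles" feature at all (role based)
 *   (b) data ACL:          which individual rows may this user read (grant based)
 * Nothing here depends on a framework; it is an added example only.
 */
public class DataAccessDemo {

    enum Role { ROLE_USER, ROLE_ADMIN }
    enum Permission { READ, WRITE }

    /** One row of a hypothetical profile table. */
    record Profile(long id, String owner, String bio) {}

    /** The caller, as the web tier would resolve it from the session / Principal. */
    record User(String name, Set<Role> roles) {}

    /** Hypothetical grant table: profileId -> (userName -> permissions). */
    private final Map<Long, Map<String, Set<Permission>>> grants = new HashMap<>();
    private final Map<Long, Profile> profiles = new HashMap<>();

    void addProfile(Profile p) {
        profiles.put(p.id(), p);
        // The owner always holds full rights on their own record.
        grant(p.id(), p.owner(), EnumSet.of(Permission.READ, Permission.WRITE));
    }

    void grant(long profileId, String user, Set<Permission> perms) {
        grants.computeIfAbsent(profileId, k -> new HashMap<>())
              .computeIfAbsent(user, k -> EnumSet.noneOf(Permission.class))
              .addAll(perms);
    }

    /** (a) Functionality ACL: the feature itself is gated on roles. */
    boolean mayBrowseProfiles(User u) {
        return u.roles().contains(Role.ROLE_USER) || u.roles().contains(Role.ROLE_ADMIN);
    }

    /** (b) Data ACL: admins see every row; everyone else needs an explicit READ grant. */
    boolean mayRead(User u, Profile p) {
        if (u.roles().contains(Role.ROLE_ADMIN)) {
            return true;
        }
        return grants.getOrDefault(p.id(), Map.of())
                     .getOrDefault(u.name(), Set.of())
                     .contains(Permission.READ);
    }

    /** Returns only the rows the caller may see; this is the list the JSP should render. */
    List<Profile> listProfilesFor(User u) {
        if (!mayBrowseProfiles(u)) {
            throw new SecurityException("feature not granted to " + u.name());
        }
        return profiles.values().stream()
                       .filter(p -> mayRead(u, p))
                       .sorted(Comparator.comparingLong(Profile::id))
                       .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        DataAccessDemo svc = new DataAccessDemo();
        // Constructed sample data.
        svc.addProfile(new Profile(1, "alice", "likes cryptography"));
        svc.addProfile(new Profile(2, "bob", "runs the SOC"));
        svc.addProfile(new Profile(3, "carol", "pentester"));
        // alice is in bob's "friends list", so bob is granted READ on her profile.
        svc.grant(1, "bob", EnumSet.of(Permission.READ));

        User bob   = new User("bob",   EnumSet.of(Role.ROLE_USER));
        User admin = new User("root",  EnumSet.of(Role.ROLE_USER, Role.ROLE_ADMIN));
        User guest = new User("guest", EnumSet.noneOf(Role.class));

        System.out.println("bob sees:   " + svc.listProfilesFor(bob));
        System.out.println("admin sees: " + svc.listProfilesFor(admin));
        try {
            svc.listProfilesFor(guest);
        } catch (SecurityException e) {
            System.out.println("guest: " + e.getMessage());
        }
    }
}
```

The design point is that the JSP never decides which rows to show; it only renders what `listProfilesFor` returns, so a user who guesses another record's id in a URL still hits the same `mayRead` check in the service layer. Requires Java 16 or later for records.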