Jaffa Runtime Architecture - Data Security and Persistence

Home Contact Us FAQs Site Map

Source Forge:

Jaffa Site
news introduction documentation javadocs downloads contributors acknowledgements mail lists legal

Jaffa Runtime
TagLib Guide Presentation Middleware Business Logic Persistence Security Configuration

Jaffa RAD
Getting Started Standards Build Tools Generation Engine Domain Generation Component Generation Application Generation Load Testing

Sub-Projects
SampleApp Together TextPad

Propagating Security to the Data Tier

The explains how the Jaffa JDBC Persistence Engine has a generic plug-in point for setting up the security rules in the Data Tier while allowing Database connections to be pooled. It covers how the default plug-in works, and how you can write and insert your own.

Contents

Contents
Purpose
Setting up the Security Plugin
Writing Your Own Plug-In

Setting up the Security Plugin

Under Jaffa, the JDBCSecurityPlugin (under source\java\org\jaffa\security ) class implements the IJDBCSecurityPlugin interface.

org.jaffa.persistence.engines.jdbcengine.security.IJDBCSecurityPlugin
public interface IJdbcSecurityPlugin { public void newConnection(Connection connection) throws SQLException; public void freeConnection(Connection connection) throws SQLException; }

This interface allows functions to be implemented on the database connection just as a connection is being assigned from the connection pool to a UOW object. A second method is also called prior to placing the connection back in the pool, once the UOW has finished with it.

We there for want to implement a class that when a connection is acquired, we set the context of that connection based on the security context associated to the user executing the function.

The newConnection(...) method gets the Security context and then gets the principal to retrieve the user logged in the application.

Then it gets the list of roles assigned to the User and passes these information to the stored procedure to switch the context. The procedure called is 'set_userid(...)' in the jaffa_sec package.

To tell the JDBC Persistence Engine to use the security Plug in you must open source\java\org\jaffa\config\framework.properties.

The property framework.persistence.jdbcengine.security.plugin is set to the class which implements the IJDBCSecurityPlugin.

To use the plugin supplied by Jaffa, set this property to org.jaffa.security.JDBCSecurityPlugin

framework.properties

# The class that implements the IJdbcSecurityPlugin interface.
# It is invoked after acquiring and before freeing up a Connection object
# Do no specify any value, if this functionality is not desired.
framework.persistence.jdbcengine.security.plugin=org.jaffa.security.JDBCSecurityPlugin

Writing Your Own Plug-In

To implement your own plug in, implement the IJDBCSecurityPlugin interface and set the property in the application's framework.properties file to the class you have implemented to use it instead of the Jaffa provided class.

Code snippet for method executeStoredProcedure()

private void executeStoredProcedure(Connection connection, String userid) throws java.sql.SQLException {
   CallableStatement cs;
   try {
       if(log.isDebugEnabled())
           log.debug("Calling the Stored Procedure");
      // Call a procedure with no parameters
       cs = connection.prepareCall("{call jaffa_sec.set_userid(?,?)}");
       cs.setString(1,userid);
       ArrayDescriptor desc = ArrayDescriptor.createDescriptor("ROLE", connection);
       ARRAY newArray = new ARRAY(desc, connection, getUserRoles(userid).toArray());
       cs.setArray(2,newArray);
       // Execute the stored procedure
       cs.execute();
   } catch (SQLException e) {
       String str = "Error in executing the the Stored Procedure";
       log.error(str, e);
       throw new UOWSecurityException(str, e);
   } finally {
            if (cs != null)
                cs.close();
        }
}
private List getUserRoles(String userid) {
   List l = (List) cache.get(userid);
   if(l!=null)
       return l;
   // Figure out access and cache it.
   ArrayList al = null;
   Set rl = PolicyManager.getRoleSet();
   if(rl != null) {
       // Get thread context
       SecurityContext ctx = SecurityManager.getCurrentContext();
       if(ctx!=null) {
           // Check access to each role
           if(log.isDebugEnabled())
               log.debug("Checking the Access to Each Role");
           for(Iterator it = rl.iterator(); it.hasNext();) {
               String role = (String)it.next();
               // If user has added add to the array
               if(ctx.inRole(role)) {
                   if(al == null)
                       al = new ArrayList();
                   al.add(role);
               }
           }
       }
   }
   // Cache array and return value.
   cache.put(userid, al);
   return al;
}