Question

I like to develop "business" components independent from the application. So each component is a project of its own with pretty specific responsibilities, boundaries and dependencies.

Example: A bookmark component. This component is responsible for creating, storing, deleting and querying bookmarks.

But there is an important constraint: Each user can see his own bookmarks, but he must not see any other user's bookmarks.

  • This is confusing me. On one side this is about access control and authorization, which are crosscutting concerns, because many components need them.
  • On the other side this constraint is closely related to bookmarks. Hence it is specific to this component. Maybe it's something like a business rule.

Anyway I am not sure which part of the application is responsible for this. I already have implemented authentication with JAAS. So it would be nice if I could use JAAS for access control and authorization, too, but I am not sure if this is an adequate solution.

The JAAS tutorials say that I can do authorization / access control based on who is running the code and I can create permissions for my application (or component in this case). On the other side it works partially with a policy file, but I don't want to grant access per user via a file. The information about which bookmarks are accessible for a user is stored in my database.

  1. Is JAAS able to solve this kind of access control / authorization and if yes: how?
  2. Are there any patterns that might help me?

Solution

You should store the owner of each bookmark in the table. You should require every request to be authenticated. Then you should only return records which are owned by the authenticated user.

If you want to enable users to share with each other, it gets a lot harder.
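
The owner-scoped access described in the answer above, as an added example that is not part of the original question or answer. It assumes Java 16+ and that the caller is the `Principal` established by the JAAS login; the class `BookmarkStore`, its methods and the in-memory map standing in for the bookmarks table are hypothetical.

```java
import java.security.Principal;
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical component: every operation takes the authenticated caller
// and is scoped by owner, so the rule lives inside the component itself.
public class BookmarkStore {
    public record Bookmark(long id, String owner, String url) {}

    private final Map<Long, Bookmark> rows = new HashMap<>(); // stands in for the table
    private long nextId = 1;

    public Bookmark create(Principal caller, String url) {
        // The owner is taken from the authenticated identity, never from request input.
        Bookmark b = new Bookmark(nextId++, requireName(caller), url);
        rows.put(b.id(), b);
        return b;
    }

    // Equivalent of: SELECT ... FROM bookmark WHERE owner = ?
    public List<Bookmark> list(Principal caller) {
        String owner = requireName(caller);
        return rows.values().stream()
                .filter(b -> b.owner().equals(owner))
                .collect(Collectors.toList());
    }

    // Equivalent of: SELECT ... WHERE id = ? AND owner = ?
    // A foreign id is reported as "not found", so ids cannot be probed.
    public Optional<Bookmark> find(Principal caller, long id) {
        String owner = requireName(caller);
        return Optional.ofNullable(rows.get(id)).filter(b -> b.owner().equals(owner));
    }

    // Equivalent of: DELETE ... WHERE id = ? AND owner = ?
    public boolean delete(Principal caller, long id) {
        return find(caller, id).map(b -> rows.remove(b.id()) != null).orElse(false);
    }

    private static String requireName(Principal caller) {
        if (caller == null || caller.getName() == null)
            throw new SecurityException("unauthenticated request");
        return caller.getName();
    }

    public static void main(String[] args) {
        Principal alice = () -> "alice", bob = () -> "bob"; // constructed sample users
        BookmarkStore store = new BookmarkStore();
        Bookmark a = store.create(alice, "https://example.org/a");
        store.create(bob, "https://example.org/b");
        System.out.println(store.list(alice));           // alice lists her own rows
        System.out.println(store.find(bob, a.id()));     // bob asks for alice's id
        System.out.println(store.delete(bob, a.id()));   // bob tries to delete it
        System.out.println(store.delete(alice, a.id())); // the owner deletes it
    }
}
```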

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow