Kevin,

With the Autorization Provider you wrote, were you able to leverage resource permissions
already defined in Oracle? In other words, were you able to access access privileges
already defined in Oracle from the custom Authorization Provider. For example,
suppose user "jsmith" only had read permissions on table FOO and user "jsmith"
was trying to use a Session bean that updated FOO. Can we leverage this security
policy defined in Oracle?

thanks,
Dan

"Kevin Lewis" wrote:
>
>Jack,
>
>You'll need to build security providers for Oracle. WLS doesn't ship
>with anything
>like this, and the examples really don't provide any insight. Having
>recently
>done this, I can tell you that you'll need:
>
>1. Authentication: authentication provider, login module (probably),
>and principal
>validator (if you want to store more in the principals). This also requires
>an
>MBean be created (there are good examples for this).
>
>2. Authorization: authorization provider, and access decision. Also
>needs an
>MBean.
>
>3. Roles: role provider, role mapper, and (possibly) a security role
>implementation.
> Also needs an MBean.
>
>It took me about a week to get this going, and then another week with
>BEA support
>to overcome a few issues (one that caused infinite recursion that's gone
>away--probably
>because I got things configured correctly) and to find out what I had
>to do in
>terms of Threads--you have to synchronize everything.
>
>Make your providers deployable, and you can use the security defined
>in your deployment
>descriptors to validate roles. Just cache that stuff in some hash maps.
>
>Hope this helps. Good luck.
>
>--Kevin
>
>"Jack Ottofaro" wrote:
>>
>>Our system currently uses an Oracle RDBMS for security - users and roles
>>are defined
>>within the database. We are now adding web services and EJBs using WLS
>>8.1. I'd
>>like to leverage the existing security database by either having WLS
>>use it directly
>>or somehow intialize the necessary WLS security structures from the

>Oracle
>>database.
>>The idea is to not change the way security is handled now (and thereby
>>not perturb
>>legacy apps) but also not add additional administrative tasks such as
>>defining
>>users and roles to WLS. I've read almost all the security related documentation
>>and theres so much there that one or both approaches seem feasible but
>>I'm not
>>sure. Is either or both approaches feasible and can someone layout the
>>high-level
>>steps needed?
>>
>>Thanks in advance,
>>
>>Jack
>>

>