JAAS implementation vs. ACL implementation
Hello friends.
I'm wondering if I can get some general advice on what I should be pursuing for a security implementation.
We have a web application (STRUTS/Hibernate/Tomcat) that will have an increasing need for more complicated rules governing who can access specific components of the application. We have survived the 'prototyping' phase with a simple numerical scheme for providing access, but as more departments come on board they bring with them specialized needs. Thus, I have come to be evaluating our options for implementing a more complicated security system.
Authentication has pretty much already been handled in our application; there isn't an overwhelming need to re-work that area. Our primary need is the ability to grant privileges to users on a user by user basis and then evaluate for those privileges within the application to detemine what links a user should receive, and if they are allowed to access a particular url.
My preliminary evaluation makes me believe that jaas might not be what I'm looking for; authentication is handled already by LDAP lookup and I really don't need to lock down process/jar level access via java.policy level modifications (I don't think so, anyways). It would seem that our primary needs can be met by developing a series of objects implementing the ACL and related interfaces and assigning roles as appropriate to our user objects, and then writing appropriate code in the jsp / security filter servlet to identify the user, evaluate for the appropriate privilege, and forward as necessary.
I worry that I'm missing something here, either that jaas can provide me with these abilities and provide flexibility for the future or that there are other good reasons not to implement a custom ACL based solution.
Any and all advice is greatly appreciated.
- cm