1. Technical Field
This disclosure relates generally to web application security and in particular to a method and system for allowing control over a group membership within a security domain.
2. Background of the Related Art
The Java™ Platform, Enterprise Edition (Java EE) standard supports the notion of declaring security constraints for Web-based applications using XML (outside of the application code). In addition, JEE standards put the control of security into a container, which removes the control of security from the application developer. Currently, an application server supporting this standard offers the ability to allow a Web container or an Enterprise JavaBean (EJB) container to handle the authentication process on behalf of Java applications executing on or in association with the server. As defined in the Standard, once a user has been authenticated, a Java “Subject” is created so that user credential information can be persisted for the duration of the executing Java application.
Commercial application servers that are compliant with this Standard, such as IBM® WebSphere® Application Server (WAS), provide for the use of Lightweight Third Party Authentication (LTPA) tokens to maintain security context between requests. For example, a user launching a protected Web-based application is challenged for a user identifier (userID) and password. Once the userID and password have been verified, a Subject representing the user is created. In addition, typically a Standard-compliant application server of this type sends a security token back to the client browser. For example, the WebSphere Application Server will send back an LTPA token in the form of a cookie. This token maintains the security context information during the life of the security token and the use of the Web application so that the user does not need to re-authenticate.
A user typically is a member of a group and, as such, has certain privileges and permissions (that are associated with the group membership). One of the challenges of the LTPA token-based approach, however, is that, once the Subject is created, any changes to the user's group membership information will not be known. For example, a userID's group membership may be modified following authentication; however, there is no mechanism available in the application server to enable the Subject to reflect such a change. This is particularly problematic when long-running transactions are executing.