"RunAs" Support using JBoss PicketLink?


The Java EE application we are currently finalizing makes use of JBoss PicketLink and Apache DeltaSpike for its security framework. All authentication and authorization decisions are done using these libraries. Because of our high security requirements, most of our EJB service methods have authorization checks. In some instances, an unprivileged user would need to perform a privileged action. For example, only users in the Admin role are allowed to create user accounts. However, during user self-registration a user account would need to be created. Typically, we would use something like "Run As" for this sensitive operation so that for a single call the unprivileged user would have permission to perform a privileged action.

I have not, however, seen anything within the PicketLink documentation or examples that suggests that PicketLink supports this functionality. I know of other security frameworks that do. Java EE even supports this via the @RunAs annotation. We'd prefer not doing this with annotations, however, as we want very fine-grained control over where this can be applied.

Can anyone point me towards any documentation or examples that would explain how to do this? Is this functionality supported within PicketLink? Or are we out of luck? Do you have a different methodology we could use to address this type of situation and requirements?


There is 1 best solution below


There should be no need for Run As. If unauthenticated users are allowed to self-register, then you shouldn't blanket restrict user creation to admins. By definition, anything an unprivileged user can do is not a sensitive action. If admins have more flexibility in creating user accounts, then code two service methods: The one that admins use to create user accounts for others, and the more restricted one that unauthenticated users use to self-register.
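
The two-method design described in the answer above, as an added example that is not part of the original answer or of PicketLink: the class, record, and method names are hypothetical, and the explicit role check stands in for the application's PicketLink/DeltaSpike authorization check.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
// Hypothetical names throughout; the explicit role check stands in for the
// application's PicketLink/DeltaSpike authorization check.
public class AccountService {
    record Caller(String name, Set<String> roles) {}
    record Account(String username, Set<String> roles) {}

    private final Map<String, Account> accounts = new HashMap<>();
    // Admin path: caller must hold Admin; roles for the new account are caller-chosen.
    public Account createAccount(Caller caller, String username, Set<String> roles) {
        if (caller == null || !caller.roles().contains("Admin")) {
            throw new SecurityException("Admin role required");
        }
        return store(username, roles);
    }

    // Self-registration path: no caller identity required, and no role parameter,
    // so the request cannot ask for more than the fixed baseline role.
    public Account selfRegister(String username) {
        return store(username, Set.of("User"));
    }

    // Shared creation logic. Private, so it is reachable only through the two
    // methods above, each of which enforces its own rule.
    private Account store(String username, Set<String> roles) {
        if (username == null || username.isBlank()) {
            throw new IllegalArgumentException("username required");
        }
        Account account = new Account(username, Set.copyOf(roles));
        if (accounts.putIfAbsent(username, account) != null) {
            throw new IllegalStateException("username already taken");
        }
        return account;
    }

    public static void main(String[] args) {
        AccountService svc = new AccountService();
        Caller admin = new Caller("root", Set.of("Admin"));
        System.out.println(svc.selfRegister("alice"));
        System.out.println(svc.createAccount(admin, "bob", Set.of("User", "Auditor")));
        try {
            svc.createAccount(new Caller("anon", Set.of()), "mallory", Set.of("Admin"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because `selfRegister` takes no role argument, the unauthenticated path has nothing to elevate, which is why no "Run As" step is needed.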