Version 4

    DelegatingPolicy - a JAAS based Policy implementation

    A JACC Policy provider implementation that delegates any non-JACC permissions to the java.security.Policy either passed in to the constructor or the pre-existing Policy.getPolicy value. It derives its JACC permissions from the authenticated Subject roles, so it is backward compatible with the legacy JAAS LoginModule-based declarative security.

     

    The org.jboss.security.jacc.DelegatingPolicy can be configured using an xmbean deployment like:

       <mbean code="org.jboss.security.jacc.DelegatingPolicy"
          name="jboss.security:service=JaccPolicyProvider"
          xmbean-dd="">
          <xmbean>
             <attribute access="read-only" getMethod="getPolicyProxy">
                <description>The java.security.Policy implementation</description>
                <name>PolicyProxy</name>
                <type>java.security.Policy</type>
             </attribute>
             <attribute access="read-write" getMethod="getExternalPermissionTypes"
                        setMethod="setExternalPermissionTypes">
                <description>The types of non-javax.security.jacc permissions that
                   should be validated against this policy</description>
                <name>ExternalPermissionTypes</name>
                <type>[Ljava.lang.Class;</type>
             </attribute>
             <operation>
                <name>listContextPolicies</name>
                <return-type>java.lang.String</return-type>
             </operation>
          </xmbean>
          <!-- Not used, just here to test that custom permissions don't break the
          current behavior of javax.security.jacc.* permissions.
          -->
          <attribute name="ExternalPermissionTypes">org.jboss.security.srp.SRPPermission</attribute>
       </mbean>
    

     

    • ExternalPermissionTypes (4.0.4+): a comma-separated list of non-JACC permissions that will be validated against the DelegatingPolicy.
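
The routing rule described above, sketched in Java as an added example (this is not the org.jboss.security.jacc.DelegatingPolicy source). The class name, the role-to-permissions map and the use of the ProtectionDomain principals as role names are assumptions made for illustration; the sample grant in main is constructed.

```java
import java.security.*;
import java.util.*;

// Added sketch, NOT the JBoss source: shows only the routing decision.
public class DelegatingPolicySketch extends Policy {
    private final Policy delegate;                    // parent policy for everything else
    private final Set<Class<?>> externalTypes;        // mirrors ExternalPermissionTypes
    private final Map<String, Permissions> rolePerms; // hypothetical role -> permissions map

    public DelegatingPolicySketch(Policy delegate, Set<Class<?>> externalTypes,
                                  Map<String, Permissions> rolePerms) {
        // Use the policy passed in, else the pre-existing Policy.getPolicy() value.
        this.delegate = (delegate != null) ? delegate : Policy.getPolicy();
        this.externalTypes = externalTypes;
        this.rolePerms = rolePerms;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission p) {
        boolean jacc = p.getClass().getName().startsWith("javax.security.jacc.");
        if (!jacc && !externalTypes.contains(p.getClass())) {
            return delegate.implies(domain, p);       // non-JACC: parent policy decides
        }
        // JACC or listed external type: decide from the caller's role principals only.
        for (Principal role : domain.getPrincipals()) {
            Permissions granted = rolePerms.get(role.getName());
            if (granted != null && granted.implies(p)) return true;
        }
        return false;                                 // no role grants it: deny
    }

    public static void main(String[] args) {
        Permissions admin = new Permissions();
        admin.add(new PropertyPermission("app.*", "read")); // constructed sample grant
        Policy denyAll = new Policy() {                     // stand-in parent policy
            @Override public boolean implies(ProtectionDomain d, Permission p) { return false; }
        };
        Policy policy = new DelegatingPolicySketch(denyAll,
            Set.of(PropertyPermission.class), Map.of("admin", admin));
        Principal[] roles = { () -> "admin" };              // constructed role principal
        ProtectionDomain pd = new ProtectionDomain(null, null, null, roles);
        // Listed external type: answered from the role map.
        System.out.println(policy.implies(pd, new PropertyPermission("app.name", "read")));
        // Unlisted non-JACC type: answered by the parent policy.
        System.out.println(policy.implies(pd, new RuntimePermission("exitVM")));
    }
}
```

Listing a permission class in ExternalPermissionTypes moves its checks away from the parent policy, so grants for that class in the parent policy no longer apply to it.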

     

     

    You can use a jacc-service.xml as follows:

    <mbean code="org.jboss.security.jacc.SecurityService"
          name="jboss.security:service=JaccSecurityService"
          xmbean-dd="">
          <xmbean>
             <descriptors>
                <injection id="MBeanServerType" setMethod="setMBeanServer" ></injection>
                <injection id="ObjectNameType" setMethod="setObjectName" ></injection>
             </descriptors>
             <attribute access="read-write" getMethod="getPolicyName" setMethod="setPolicyName">
                <description>The policy provider MBean name</description>
                <name>PolicyName</name>
                <type>javax.management.ObjectName</type>
             </attribute>
             <attribute access="read-write" getMethod="getPolicyAttributeName"
                setMethod="setPolicyAttributeName">
                <description>The Policy attribute name on the PolicyName MBean</description>
                <name>PolicyAttributeName</name>
                <type>java.lang.String</type>
             </attribute>
             <operation>
                <name>start</name>
             </operation>
             <operation>
                <name>stop</name>
             </operation>
          </xmbean>
          <attribute name="PolicyName">jboss.security:service=JaccPolicyProvider</attribute>
          <attribute name="PolicyAttributeName">PolicyProxy</attribute>
       </mbean>
    

     

    This installs the replacement java.security.Policy implementation that uses JACC. PolicyFile is the default JDK implementation.

     

    After this, remember to add the following depends tag to the Tomcat MBean in jbossweb-tomcat55.sar/META-INF:

     

         <mbean code="org.jboss.web.tomcat.tc5.Tomcat5"
          name="jboss.web:service=WebServer" xmbean-dd="META-INF/webserver-xmbean.xml">
            <!-- ..... -->
          <depends>jboss.security:service=JaccSecurityService</depends>
         </mbean>
    

     

    This depends tag is critical: the JaccSecurityService installs the Policy implementation, so the order in which it and the Tomcat service start is important.