JAAS authorization blues
pkghosh Oct 13, 2001 12:38 AM
Hi,
I tried to implement a JAAS based access control infrastructure as a Stateless Session EJB under JBOSS.
After struggling for a few days, I gave up. I came to the conclusion that it's almost impossible if
it has to run under a container and has to deal with all the security and class loading policies of the
container. As a standalone application it's doable.
Here is the code I used. I think my code is OK. But I could not get the Java 2 and JAAS policy files to work
after endless tweaking. The JBOSS container always threw some kind of Access Control Violation exception.
I am still using JAAS for authentication, but I have resorted to building my Access Control Infrastructure using
EJB and storing the access control information in a database. Another reason for doing it this way is so that
the access control data will be secured in a database, instead of text files.
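    import java.io.FilePermission;
    import java.rmi.RemoteException;
    import java.security.AccessControlException;
    import java.security.AccessController;
    import java.security.PrivilegedAction;
    import javax.security.auth.Subject;
    import org.jboss.security.SimplePrincipal;

    // Method of the stateless session bean; "logger" is a field of the bean.
    public boolean isAllowed(final String user, final String media, final String access)
        throws RemoteException
    {
        logger.debug("In isAllowed()");
        // Build a Subject that carries only the user's name as a principal.
        Subject sub = new Subject();
        sub.getPrincipals().add(new SimplePrincipal(user));
        MedialAccessChecker medialAccessChecker = new MedialAccessChecker(media, access);
        // A null context means the check inside run() sees only the action's
        // own protection domain combined with the Subject's principals.
        Subject.doAsPrivileged(sub, medialAccessChecker, null);
        return medialAccessChecker.isAllowed();
    }

    class MedialAccessChecker implements PrivilegedAction
    {
        public MedialAccessChecker(String media, String access)
        {
            this.media = media;
            this.access = access;
        }

        public Object run()
        {
            try
            {
                System.out.println("media " + media + " access " + access);
                System.out.println("Subject " + Subject.getSubject(AccessController.getContext()));
                // The policy decides whether this principal holds the permission.
                FilePermission perm = new FilePermission(media, access);
                AccessController.getContext().checkPermission(perm);
            }
            catch (AccessControlException acEx)
            {
                // Denied by policy: record the result instead of propagating.
                System.out.println("Got AccessControlException " + acEx);
                allowed = false;
            }
            return null;
        }

        public boolean isAllowed()
        {
            return allowed;
        }

        private String media;
        private String access;
        private boolean allowed = true;
    }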
I would appreciate any help or advice.
Thanks,
Pranab
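
For reference, the policy grants that the calls in the posted code depend on, shown for the standalone case. This is an added example, not the poster's policy files. The codeBase path, the user name "alice" and the media path are constructed, and it assumes SimplePrincipal is org.jboss.security.SimplePrincipal.

```conf
// Constructed example policy (standalone JVM, Java 2 policy file syntax).

// Code-based grant: permissions the application code needs in order to
// build the Subject and run the check. Every protection domain on the
// call stack (up to the nearest doPrivileged frame) must hold these when
// the call is made, so inside an application server the container
// classes that invoke the bean are checked as well.
grant codeBase "file:/opt/app/classes/-" {
    // sub.getPrincipals().add(new SimplePrincipal(user))
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    // Subject.doAsPrivileged(sub, medialAccessChecker, null)
    permission javax.security.auth.AuthPermission "doAsPrivileged";
    // Subject.getSubject(AccessController.getContext()) inside run()
    permission javax.security.auth.AuthPermission "getSubject";
};

// Principal-based grant: the actual access control data. It matches when
// the Subject passed to doAsPrivileged carries a SimplePrincipal named
// "alice", so checkPermission(new FilePermission(media, access)) in run()
// succeeds for this file and this action only.
grant Principal org.jboss.security.SimplePrincipal "alice" {
    permission java.io.FilePermission "/opt/app/media/clip1.mpg", "read";
};

// No grant exists for any other principal name, so the same check run
// for another user raises AccessControlException and isAllowed()
// returns false.
```

With the separate JAAS 1.0 policy file the post refers to, the Principal grant goes in the file named by the java.security.auth.policy system property and the codeBase grant in the file named by java.security.policy; from J2SE 1.4 on both can live in one policy file.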