4 Replies Latest reply on Jul 23, 2005 10:56 PM by starksm64

    How can AuthorizationInterceptor be improved?

    fabcipriano

      I made a new AuthorizingClass for org.jboss.jmx.connector.invoker.AuthorizationInterceptor and I'm using MBeanPermission for the authorization.

      Just fine, but I'd like to use authorization like the AuthenticationInterceptor, which gets the SubjectSecurityManager and from it gets the users that can be in a file, database, etc. because of LoginModules. So the security-domain would be like this:
      <application-policy name = "jmx-console">

      .... everybody knows ....



      ...implements Policy interface and get
      permission from database, file, etc...


      </application-policy>

      Is there a starting point to implement this, or is there an intention or motivation to implement this?

        • 1. Re: How can AuthorizationInterceptor be improved?
          fabcipriano

          Sorry, I was thinking of this configuration file:

          <application-policy name="jmx-console">
            <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                            flag="required">
                <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
                <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
              </login-module>
            </authentication>

            <authorization>
              <customPolicy code="org.jboss.security.auth.spi.DatabasePolicy">
                <module-option name="dataSource">java:/DefaultDS</module-option>
              </customPolicy>
            </authorization>
          </application-policy>
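
The kind of Policy the two posts above describe, as an added example that is not from the thread or from JBoss: a `java.security.Policy` subclass that grants `MBeanPermission` by role name and denies by default. The class name, the role names, the `org.example.Server` class name and the in-memory grant table (standing in for the database or file lookup) are assumptions, and wiring it into AuthorizationInterceptor is not shown.

```java
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.*;
import javax.management.MBeanPermission;
import javax.management.ObjectName;

// Added example (hypothetical class): MBeanPermission grants keyed by role name.
public class RoleMBeanPolicy extends Policy {
    // Stand-in for the database or file lookup: role name -> granted permissions.
    private final Map<String, List<Permission>> grants = new HashMap<>();

    // target uses the MBeanPermission name syntax: className#member[objectName]
    public void grant(String role, String target, String actions) {
        grants.computeIfAbsent(role, r -> new ArrayList<>())
              .add(new MBeanPermission(target, actions));
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission requested) {
        if (domain == null) return false;
        for (Principal p : domain.getPrincipals())
            for (Permission g : grants.getOrDefault(p.getName(), Collections.emptyList()))
                if (g.implies(requested)) return true;
        return false; // default deny: no grant matched any of the caller's roles
    }

    // Wraps role names in a ProtectionDomain so implies() can be called directly.
    static ProtectionDomain callerWith(String... roles) {
        Principal[] ps = new Principal[roles.length];
        for (int i = 0; i < roles.length; i++) { String r = roles[i]; ps[i] = () -> r; }
        return new ProtectionDomain(null, null, null, ps);
    }

    public static void main(String[] args) throws Exception {
        RoleMBeanPolicy policy = new RoleMBeanPolicy();
        policy.grant("monitor", "[*:*]", "getAttribute,getMBeanInfo,queryNames"); // read-only
        policy.grant("admin", "[jboss.system:*]", "*");                           // all actions
        ObjectName server = new ObjectName("jboss.system:type=Server"); // constructed sample
        Permission read = new MBeanPermission("org.example.Server", "State", server, "getAttribute");
        Permission stop = new MBeanPermission("org.example.Server", "shutdown", server, "invoke");
        System.out.println("monitor read: " + policy.implies(callerWith("monitor"), read));
        System.out.println("monitor stop: " + policy.implies(callerWith("monitor"), stop));
        System.out.println("admin stop:   " + policy.implies(callerWith("admin"), stop));
    }
}
```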


          • 2. Re: How can AuthorizationInterceptor be improved?
            starksm64

            There was an original thought to have a complete policy specified, but with the introduction of JACC and other authorization standards like XACML the configuration of authentication and authorization are two separate services.

            The current security api and services need to be updated to support interop with the new security standards in a pluggable manner.

            • 3. Re: How can AuthorizationInterceptor be improved?
              fabcipriano

              If you could give a list of the necessary improvements to be made in the current security API and services, I would thank you a lot.

              I took a look at Sun's XACML site and I liked the idea.

              The JACC JBoss implementation delegates the permissions (except EJB and WAR permissions) to the Java policy. It would be nice if we could change the policy behavior of JACC in a flexible manner, as said in the last lines of the wiki http://wiki.jboss.org/wiki/Wiki.jsp?page=JACC .

              Is there some work in this area?

              • 4. Re: How can AuthorizationInterceptor be improved?
                starksm64

                Someone already did a prototype of JACC built on XACML and talked about it in a BoF at JavaOne this year. I'll be working with him to get it into the codebase as at least a testcase for an alternate JACC implementation. Here is the dev forum topic that will be used to get the development going:

                http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3886241#3886241

                As I stated there I don't expect to get too much done for a month or so as I'm swamped with 4.0.3 finalization issues.