3 Replies Latest reply on Oct 15, 2001 5:09 PM by Pranab Ghosh

    JAAS authorization blues

    Pranab Ghosh Newbie

      Hi,

      I tired to implement a JAAS based access control infrastructure as Stateless Session EJB under JBOSS.
      After struggling for few days, I gave up. I came to the conclusion that it's almost impossible if
      it has to run under a container and have to deal with all the security and class loading policies of the
      container. As a standalone application it's doable.

      Here is the code I used. I think my code is OK. But I could not get the java2 and JAAS policy files to work
      after endless tweaking. The JBOSS container always threw some kind of Access Control Violation exception.

      I am still using JAAS for authentication, but I have resorted to building my Access Control Infrastructure using
      ejb and storing the access control information in a database. Another reason for doing it this way is so that
      the access control data will be secured in a database, instead of text files.


      public boolean isAllowed(final String user, final String media, final String access)
      throws RemoteException
      {
      logger.debug("In isAllowed()");

      Subject sub = new Subject();
      sub.getPrincipals().add(new SimplePrincipal(user));

      MedialAccessChecker medialAccessChecker = new MedialAccessChecker(media, access);
      Subject.doAsPrivileged(sub, medialAccessChecker, null);
      return medialAccessChecker.isAllowed();
      }


      class MedialAccessChecker implements PrivilegedAction
      {
      public MedialAccessChecker(String media, String access)
      {
      this.media = media;
      this.access = access;
      }

      public Object run()
      {
      try
      {

      System.out.println("media " + media + "access " + access);
      System.out.println("Subject " + Subject.getSubject(AccessController.getContext()));
      FilePermission perm = new FilePermission(media, access);
      AccessController.getContext().checkPermission(perm);
      }
      catch (AccessControlException acEx)
      {
      System.out.println("Got AccessControlException " + acEx);
      allowed = false;
      }
      return null;
      }

      public boolean isAllowed()
      {
      return allowed;
      }

      private String media;
      private String access;
      private boolean allowed = true;
      }


      I would appreciate any help, advice.

      Thanks,
      Pranab

        • 1. Re: JAAS authorization blues
          J. Wolfgang Kaltz Novice

          My understanding is, you must use the JBossSX mechanisms to use EJB security (unless you implement your own security manager).

          Have you read the JBossSX chapter in the documentation ? See also the JavaWorld article "Integrate security infrastructures with JBossSX". This will give you an idea of how one is expected to implement security in JBoss and where you can add your custom stuff.

          • 2. Nothing prevents you from doing it
            Konstantin Newbie

            You can use EJB's from custom login modules
            without any problems. Or maybe with only one problem:
            EJB's you use from login modules shall have no
            security set.

            So, assuming that you have some data model you are using for authenticaion/authorisation you will have
            to made 2 set of beans:

            1. Beans for auth only, without any security settings
            ( everybody allowed access ), and those beans shall
            have no means of changing the data or leak security relewant information

            2. Beans for auth information management -
            they go to the same data, but have methods designed for changing auth information


            I used such approach ( even more brain dead one )
            and it worked...

            • 3. Re: Nothing prevents you from doing it
              Pranab Ghosh Newbie


              I am not talking about access control for ejb methods, but more generic access control e.g., access to file.
              It's very difficult to configure security policies for these kinds of access control for beans running under the JBOSS container.

              You esentially have to find all the access violations one at a time and and add them to the java2 policy accordingly. There is no quick way to configure the policy. Sometimes even after I added the necessary permissions in the policy, JBOSS still threw exceptions.

              Typcially, may containers including JBOSS, are configured with permission ava.security.AllPermission by default. To use JASS authorization, it becomes necessary to replace that with explicit permission settings, because of the additive nature of the policy settings.

              It would have been much easier if java2 allowed subtractive permission setting also. For examle, if I wanted only certain code base running under a certain principal to have read access to a file, I could set up the java2 policy file for JBOSS as follows, if subtractive policy was allowed.

              grant
              {
              // Allow everything for now
              permission java.security.AllPermission;
              not permission java.io.FilePermission "C:\\temp\\foo.txt", "read";
              };

              The JAAS policy would be

              grant
              codebase "file:/C:/MyApp/MyCode/-"
              Principal org.jboss.security.SimplePrincipal "lucky"
              {
              permission java.io.FilePermission "C:\\temp\\foo.txt", "read";
              };

              When running under JBOSS, beacuase the java2 policies are additive, I have to find the access viloations one at a time and add them to the java2 policy.


              Pranab