5 Replies Latest reply on Sep 21, 2004 12:25 PM by dozedoff

    JACC

    dozedoff

      Are there any examples out there to help me understand how to incorporate the JACC security model for an app?

      Basically, I've got a Java client application making remote calls to my EJBs residing on my JBoss 4 RC server. Now what?

      Thanks for any help.

        • 1. Re: JACC
          starksm64

          JACC is not an application level security model. It's a mechanism to externalize the mechanism for obtaining the security policy used to validate the JACC defined permissions. Applications continue to define security via the existing web.xml and ejb-jar.xml descriptors. Security providers can provide a JACC policy provider implementation to integrate the layer which validates whether a given call context should be granted the permission necessary to access the target J2EE component.

          What is your interest in JACC in this context?

          • 2. Re: JACC
            dozedoff

            I'm fairly new with J2EE security, so I'm sure that I have some (maybe many) misconceptions.

            I was under the impression that JACC provides the piece of authorization that JAAS misses, namely a dynamic form of enforcing policies. And like JAAS, you would implement a pluggable module, but unlike JAAS, the module is for authorization instead of authentication. This would essentially be another level of authorization that can essentially replace the application level of authorization defined by JAAS.

            I was hoping to provide a JACC implementation that would essentially handle my authorization needs to decide who can access what, etc.

            Say for example, I define a policy that says my ejb or some of its methods are off limits after 5:00 pm. So, I'd like my client app to be able to know how to handle it.

            However, my lack of expertise (reading through the specs has not sunk in much) in the subject field in conjunction with the lack of example implementations (or just plain examples for that matter) has left me a bit confused on the whole matter.

            If you or someone else can provide answers to the following questions, it would probably clear things up for me.

            Can an application developer use JACC or a JACC policy provider implementation (namely, are there APIs that I can program to)?

            Can you define who the security provider should be that provides the JACC policy provider implementation (for example, joe developer, or a security specialist company, or JBoss, etc)?

            Are there any JACC policy provider implementations out there? I've scoured newsgroups, and Googled many times over, and can't find anything.

            Thanks for any answers you can provide. I realize this is the JAAS JBoss forum, but would not be surprised that there are other developers who've used JAAS, and are wondering not just what, but how JACC will bring something new to the table.



            • 3. Re: JACC
              dozedoff

              Scott,

              Just to clarify. We're not just developing the applications, but are delivering a full solution to our customers. Basically, providing JBoss as a server to our apps, deployment and support to get them up and running. This of course includes security and user management. Thus my interest in JACC.

              Hopefully, you can set me on the right path, as I'm not sure where to go from here.

              • 4. Re: JACC
                starksm64


                I was under the impression that JACC provides the piece of authorization that JAAS misses, namely a dynamic form of enforcing policies. And like JAAS, you would implement a pluggable module, but unlike JAAS, the module is for authorization instead of authentication. This would essentially be another level of authorization that can essentially replace the application level of authorization defined by JAAS.

                I was hoping to provide a JACC implementation that would essentially handle my authorization needs to decide who can access what, etc.

                That is correct. However, the permissions submitted to the policy for enforcement are the permission checks the container needs for the component dispatch. It's not a general mechanism for introducing arbitrary security policy statements.

                Say for example, I define a policy that says my ejb or some of its methods are off limits after 5:00 pm. So, I'd like my client app to be able to know how to handle it.

                This could be enforced by a JACC policy provider, but I don't know how your client app would handle it. They are simply going to get a security access exception. The JACC contract does not allow for a custom exception here.

                Can an application developer use JACC or a JACC policy provider implementation (namely, are there api's that I can program to?)?

                No. The JACC contract is between the security provider and the application server. You can gain access to the JACC APIs and make custom permission checks if your policy provider supports that. I think more generally there needs to be some support for application level integration similar to the custom security proxy stuff we have, but I have not thought much about what makes sense yet.

                See the following preliminary wiki page describing the current JACC implementation and configuration:
                http://www.jboss.org/wiki/Wiki.jsp?page=JACC

                If you pursue writing a custom JACC implementation and have issues, bring them up on the Security on JBoss development forum. Likewise, if you think there should be application deployment level hooks into the JBoss JACC service to simplify custom authorization logic, bring that up there as well.
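The "off limits after 5:00 pm" case discussed in this reply, written out as an added example of what a JACC policy provider sees and decides. This is illustrative code, not JBoss's JACC service and not anything from the wiki page above: it wraps whatever Policy the container already installed and refuses the EJBMethodPermission for one named EJB once a cutoff time has passed, so the client receives nothing but the container's ordinary access exception, exactly as described. The EJB names "AccountBean" and "CatalogBean", the cutoff of 17:00 and the fixed clocks are constructed sample values; it assumes a modern JDK (Java 8 or later) with the javax.security.jacc API on the classpath, and how such a provider would be registered with the server is deployment specific and not shown.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.time.LocalTime;
import java.util.function.Supplier;

import javax.security.jacc.EJBMethodPermission;

/**
 * Hypothetical JACC policy provider (example code, not JBoss's JACC service).
 *
 * The container hands this Policy the EJBMethodPermission it needs for each
 * component dispatch. Every check is delegated to a wrapped Policy (the one
 * derived from the ejb-jar.xml method-permission elements), except that calls
 * on one named EJB are refused once the clock has passed a cutoff time. A
 * refused check reaches the client only as the container's access exception;
 * the JACC contract offers no way to return a more specific error.
 */
public class AfterHoursPolicy extends Policy {

    private final Policy delegate;            // descriptor-derived policy being wrapped
    private final Supplier<LocalTime> clock;  // injectable so the rule can be exercised
    private final String restrictedEjbName;   // the <ejb-name> to restrict (assumed name)
    private final LocalTime cutoff;           // calls are refused from this time onward

    public AfterHoursPolicy(Policy delegate, Supplier<LocalTime> clock,
                            String restrictedEjbName, LocalTime cutoff) {
        this.delegate = delegate;
        this.clock = clock;
        this.restrictedEjbName = restrictedEjbName;
        this.cutoff = cutoff;
    }

    /** Called by the container for every permission it must validate. */
    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        if (permission instanceof EJBMethodPermission
                && restrictedEjbName.equals(permission.getName())  // getName() is the EJB name
                && !clock.get().isBefore(cutoff)) {
            return false;  // after hours: deny regardless of the role mappings
        }
        // Everything else is decided by the descriptor-derived policy.
        return delegate.implies(domain, permission);
    }

    // Keep the rest of the Policy contract intact by forwarding to the delegate.
    @Override public PermissionCollection getPermissions(CodeSource cs) { return delegate.getPermissions(cs); }
    @Override public PermissionCollection getPermissions(ProtectionDomain pd) { return delegate.getPermissions(pd); }
    @Override public void refresh() { delegate.refresh(); }

    /** Stand-alone demonstration with a constructed always-allow delegate and fixed clocks. */
    public static void main(String[] args) {
        Policy allowAll = new Policy() {  // stands in for the container's real policy
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        };
        // Constructed sample permissions: "transfer" on AccountBean's Remote interface,
        // "find" on CatalogBean's. A null parameter list matches any signature.
        EJBMethodPermission transfer = new EJBMethodPermission("AccountBean", "transfer", "Remote", null);
        EJBMethodPermission find = new EJBMethodPermission("CatalogBean", "find", "Remote", null);

        LocalTime cutoff = LocalTime.of(17, 0);
        AfterHoursPolicy daytime = new AfterHoursPolicy(allowAll, () -> LocalTime.of(10, 0), "AccountBean", cutoff);
        AfterHoursPolicy evening = new AfterHoursPolicy(allowAll, () -> LocalTime.of(18, 30), "AccountBean", cutoff);

        System.out.println("10:00 AccountBean.transfer granted: " + daytime.implies(null, transfer));
        System.out.println("18:30 AccountBean.transfer granted: " + evening.implies(null, transfer));
        System.out.println("18:30 CatalogBean.find granted:     " + evening.implies(null, find));
    }
}
```

The design point matches the reply: the provider only answers the container's own dispatch checks, so a rule like this is enforceable server-side, but the client application cannot distinguish "after hours" from any other denial and has to treat the access exception generically.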


                • 5. Re: JACC
                  dozedoff

                  Great answers. Thanks so much.