5 Replies Latest reply on Aug 10, 2005 11:55 AM by Scott Stark

    JBoss JAAS grant Principal equivalent

    Adam Pelletier Newbie

      I have a standalone application that will become a web app. Security is pretty central and I use JAAS in the standalone version. I've got the login module configured under JBoss so I can login the same way I do in the standalone. However, I can't seem to get my Principals configured correctly. Currently that is done in a standard JAAS policy file with the entry:

      grant Principal com.my.company.vdx.jaas.MyPrincipal "read-only" {
       permission com.my.company.vdx.jaas.MyPermission "read";
      };
      


      The entry allows me to do a Subject.doAsPrivileged(blah); call which will enforce this principal for a given user. I attempted to add this to $JBOSS_HOME/server/default/conf/server.policy to no avail. Can anyone tell my how I can associate Principals to Subjects in jBoss.

      Thanks in advance,
      Adam



        • 1. Re: JBoss JAAS grant Principal equivalent
          Scott Stark Master

          The server.policy is just a place holder. You need to setup the security manager and security policy like any other java application. We don't configure a security manager by default. An ant macrodef from our testsuite for running with a security manager:

           <macrodef name="start-securitymgr"
           description="Starts a jboss configuration with a security manager">
           <attribute name="policy" default="${build.resources}/securitymgr/server.policy"/>
           <attribute name="conf" default="default"/>
           <attribute name="host" default="${node0}"/>
           <attribute name="jvmargs" default="-Xmx64m"
           description="An additional jvmarg line set after any ${jpda.cmdline}"/>
           <attribute name="jboss.home.dir" default="${jboss.dist}" />
           <attribute name="jboss.server.home.dir" default="${jboss.dist}${/}server${/}@{conf}" />
           <attribute name="security.debug" default="failure" />
           <sequential>
           <echo message="Starting @{conf} with policy @{policy}" />
           <echo message="jboss.home.dir=@{jboss.home.dir}" />
           <echo message="jboss.server.home.dir=@{jboss.server.home.dir}" />
           <java classname="org.jboss.Main" fork="true" spawn="true"
           dir="${jboss.dist}/bin">
           <classpath refid="jboss.boot.classpath"/>
           <jvmarg line="${jpda.cmdline}" />
           <jvmarg line="@{jvmargs}" />
           <jvmarg value="-Djboss.home.dir=@{jboss.home.dir}" />
           <jvmarg value="-Djboss.server.home.dir=@{jboss.server.home.dir}" />
           <jvmarg value="-Djava.security.manager"/>
           <jvmarg value="-Djava.security.policy==@{policy}"/>
           <jvmarg value="-Djava.security.debug=@{security.debug}"/>
           <arg value="-c"/>
           <arg value="@{conf}"/>
           <arg value="-b"/>
           <arg value="@{host}"/>
           </java>
           <echo message="Spawned jboss" />
           </sequential>
           </macrodef>
          



          • 2. Re: JBoss JAAS grant Principal equivalent
            erikengerd2 Newbie

            Hi,


            As I understand it, this means that in order to use specific security configurations based on permissions, the startup script of jboss must be modified to include a security configuration.

            Nevertheless, this means that every application deployed on JBoss will run with the same security configuration. I can't imagine this is what we want. Ideally, the security configuration should be deployed with the application itself or not? The current approach means that whenever the security config changes for a single deployed application, then the entire server must be restarted for the changes to take effect.

            Anyway, what would be the best solution? Having grants in the policy file that include code base, using the auth.policy.provider for to implement (deployed) application-specific security, or using only the authentication features and not using JAAS for authorization at all?

            What are your thoughts?

            Cheers
            Erik



            • 3. Re: JBoss JAAS grant Principal equivalent
              erikengerd2 Newbie

              Just saw that javax.securitg.auth.Policy is deprecated and that now java.security.Policy must be used and the property name is policy.provider.

              • 4. Re: JBoss JAAS grant Principal equivalent
                Scott Stark Master

                All that is currently supported requires differentiation of application security policies by codebase. We will be looking at expanding the JACC security service: http://wiki.jboss.org/wiki/Wiki.jsp?page=JACC

                to support a more flexible configuration and permissions other than just the j2ee javax.security.jacc.* ones.