PicketBox Authorization

    << Go Back to PicketBox Overview

     

    PicketBox (Formerly JBoss Security) has support for authorization or access control


    Types of Authorization

    1. Coarse Grained
    2. Fine Grained including Instance Based Authorization


    Coarse Grained Authorization

     

    You can use the PicketBoxAuthorizationModule to provide access control to your java application.  Please see the example below.

     


    Fine Grained Authorization

    1. Standards based Oasis XACML v2 Authorization using JBossXACML
    2. Access Control Lists (ACLs) using PicketBox ACL

     

    Sample Code for Coarse Grained Authorization

     

    import java.security.Principal;
    import java.util.HashMap;
    import java.util.Map;
    
    import javax.security.auth.Subject;
    
    import org.jboss.security.AuthenticationManager;
    import org.jboss.security.AuthorizationManager;
    import org.jboss.security.authorization.AuthorizationContext;
    import org.jboss.security.authorization.Resource;
    import org.jboss.security.authorization.ResourceType; 
    import org.picketbox.config.PicketBoxConfiguration;
    import org.picketbox.factories.SecurityFactory;
    
       //Variables
       private final String securityDomainName = "test";
       private final String configFile = "config/authorization.conf";
       
       public void testValidAuthorization() throws Exception
       { 
          SecurityFactory.prepare();
          try
          {
             PicketBoxConfiguration idtrustConfig = new PicketBoxConfiguration();
             idtrustConfig.load(configFile);
    
             AuthenticationManager am = SecurityFactory.getAuthenticationManager(securityDomainName);
             assertNotNull(am);
    
             Subject subject = new Subject();
             Principal principal = getPrincipal("anil");
             Object credential = new String("pass");
    
             boolean result = am.isValid(principal, credential, subject);
             assertTrue("Valid Auth", result);
             assertTrue("Subject has principals", subject.getPrincipals().size() > 0);
    
             AuthorizationManager authzM = SecurityFactory.getAuthorizationManager(securityDomainName);
             assertNotNull(authzM);
             Resource resource = getResource();
             int decision = authzM.authorize(resource, subject);
             assertTrue(decision == AuthorizationContext.PERMIT);
          }
          finally
          {
             SecurityFactory.release();
          }
       }
       
       public void testInvalidAuthorization() throws Exception
       {
          SecurityFactory.prepare();
          try
          {
             PicketBoxConfiguration idtrustConfig = new PicketBoxConfiguration();
             idtrustConfig.load(configFile);
    
             AuthenticationManager am = SecurityFactory.getAuthenticationManager(securityDomainName);
             assertNotNull(am);
    
             Subject subject = new Subject();
             Principal principal = getPrincipal("anil");
             Object credential = new String("pass");
    
             boolean result = am.isValid(principal, credential, subject);
             assertTrue("Valid Auth", result);
             assertTrue("Subject has principals", subject.getPrincipals().size() > 0);
    
             AuthorizationManager authzM = SecurityFactory.getAuthorizationManager(securityDomainName);
             assertNotNull(authzM);
             Resource resource = getResource();
             int decision = authzM.authorize(resource, subject);
             assertTrue(decision == AuthorizationContext.PERMIT);
          }
          finally
          {
             SecurityFactory.release();
          }
       }
       
       private Principal getPrincipal(final String name)
       {
          return new Principal()
          {
             public String getName()
             {
                return name;
             }
          };
       }
       
       private Resource getResource()
       {
          return new Resource()
          {
           public ResourceType getLayer()
           {
              return ResourceType.IDTRUST;
           }
    
           public Map<String, Object> getMap()
           {
              return new HashMap<String,Object>();
           }
          };
       }
    

     

    As usual we have a SecurityFactory.prepare() and SecurityFactory.release() in a try/finally structure to initialize and release picketbox.

     

    The authorization.conf looks as follows:

    <?xml version='1.0'?> 
     
    <policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
             xsi:schemaLocation="urn:jboss:security-config:5.0"
             xmlns="urn:jboss:security-config:5.0"
             xmlns:jbxb="urn:jboss:security-config:5.0">
       <application-policy name = "test"> 
           <authentication>
              <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                 flag = "required"> 
                 <module-option name = "name">1.1</module-option>
                 <module-option name = "succeed">true</module-option>
                 <module-option name = "throwEx">false</module-option> 
              </login-module> 
           </authentication> 
           <authorization>
              <policy-module 
                code="org.picketbox.plugins.authorization.PicketBoxAuthorizationModule">
                <module-option name="roles">validuser</module-option>
              </policy-module>
           </authorization>
        </application-policy>  
    </policy>
    

     

    In this case, PicketBoxAuthorizationModule is configured with a comma separated list of roles (validuser).


    PicketBox Authorization Using Java Annotations

     

    Suppose you do not want to work with xml config files and want to provide the configuration via Java Annotations, then you can use the @Authorization annotation.

     

    A POJO may look:

    import org.jboss.security.annotation.Authentication;
    import org.jboss.security.annotation.Authorization;
    import org.jboss.security.annotation.Module;
    import org.jboss.security.annotation.ModuleOption;
    
    import org.jboss.security.auth.spi.UsersRolesLoginModule;
    import org.picketbox.plugins.authorization.PicketBoxAuthorizationModule;
    
    /**
     * POJO with both Authentication and Authorization annotations 
     */
    @Authentication(modules={@Module(code = UsersRolesLoginModule.class, options =
    {@ModuleOption})})
    @Authorization(modules ={@Module(code = PicketBoxAuthorizationModule.class, options =
    {@ModuleOption(key="roles",value="validuser")})})
    public class AuthAuthorizationAnnotatedPOJO
    { 
    }
    

     

     

    Now the test code will be:

    @Test
       public void testAuthenticationAndAuthorization() throws Exception
       {
          AuthAuthorizationAnnotatedPOJO pojo = new AuthAuthorizationAnnotatedPOJO();
          
          PicketBoxProcessor processor = new PicketBoxProcessor(); 
          processor.setSecurityInfo("anil", "pass");
          processor.process(pojo);
          
          Principal anil = new SimplePrincipal("anil");
          assertEquals("Principal == anil", anil, processor.getCallerPrincipal());
          Subject callerSubject = processor.getCallerSubject();
          assertNotNull("Subject is not null", callerSubject);
          assertTrue("Subject contains principal anil", callerSubject.getPrincipals().contains(anil));
          RoleGroup callerRoles = processor.getCallerRoles();
       }
    

     

    Because of the @Authorization annotation, the PicketBoxProcessor process method will do the authorization.


    @Authorization Annotation

    Details are provided at PicketBoxSecurityAnnotations

     

     

    << Go Back to PicketBox Overview