Return-Path:
The Grant is somewhat similar to the standard Java Security policy
files, except that it is assigned per container instead of for the
code loading location. This allow for sharing central repositories
of code, without necessary giving all the same level of security
within a system.
A resource directive is a logical reference to a jar file within the enclosing repository. A repository implementation is responsible for the mapping of logical directives to physical jar URL.
The following example block.xml demonstrates the inclusion of three blocks within another enclosing block. In this example, the common shared API (containing service interfaces classes is declared in the containing block classloader).
+
@@ -95,6 +101,16 @@
grant 0..1
+
+ Granting permissions to code level security.
+
+
Element Occurance Description
permission 0..n
The permission descriptor.
Element Occurance Description
action 0..n
The action descriptor.
Attribute Required Description
class yes
The name of the Permission class. This classname must be a subclass of
the java.security.Permission class.
name no
This is the first argument passed into the constructor. Most Permission
classes calls this the "name" argument, but the has other names
for certain permission classes, e.g. FilePermission calls it "path".
Name | Default | Description | |
---|---|---|---|
Name | Default | Description | Since |
urn:composition:deployment.timeout | 5000 | @@ -99,6 +99,23 @@ deployed. If the interrupt() fails, the whole JVM must be considered unstable, and should terminate. ++ 3.2.5 + | +|
urn:composition:security.enabled | +false | ++ This is a global switch for turning the code level security + on or off. For compatibility reasons, the default is false, + but any production system should have this true. In the + kernel.xml it is set to true, and for the debug.xml it is + set to false. + | ++ 3.3 + |
Starting from Merlin 3.3, it is possible to grant permissions to classes within a container. This is done by the declaration of a <grant> element in the classloader definition section in the block descriptor (e.g. block.xml).
In the example below you should be able to see the mechanism. The multiple <action> elements, instead of a single String value as is more common, was chosen for easier tool support while still allowing you to place multiple comma separated actions into a single <action> element, passed to the Permission constructor as-is.
There can only be a single <grant> for each <classloader> and any number of <permission> elements within.
If you are only looking for basic security, similar to any typical stand-alone application, that would depend on a Java Security Policy file, you don't need to do anything special. All classes in Java will perform the security checks behind the scenes, protecting files, network connection and many other system resources. Please refer to your Java Security documentation for full details.
If you want to guard some resource or a section of code, you will need to;
This first example uses a simple named RuntimePermission.
In this example, we utilizes the existing java.lang.RuntimePermission to do a very simple check, i.e is the current protection domain allowed to use the SuperGlue.
And to make this work in your Merlin application, you would need to insert the appropriate permission in the <grant> element.
If you need something more complicated that can not be fulfilled with the existing Permission classes, you will need to create your own. This can be rather tricky, depending on what you are actually trying to do.
In the example below, we have a Permission class that ensures that an amount is within its boundaries, for instance for a banking application. The semantics are;
As we can see it is a fairly straight forward algorithm, but a bit hard to put in words, and I hope I haven't missed something. To do this with Java Security permissions is fairly easy.
Please note that the code has not yet been tested. If you do please post any mistake to dev@avalon.apache.org. Thank you.
Then in the actual code, we would do something like this;
Wasn't that easy? Well, it would have been if we could tie the principal customer/client/user to the protection domain that is checked. This is currently on the drawing board for Avalon Merlin, and will probably not be ready until version 4.0, somewhere mid or late 2004. While awaiting this Subject-based, generic, pluggable security system, you can hack the above example a little bit, for some basic subject driven security.
In the implies() method, you reach out and detect who is executing the current thread, for instance through a ThreadLocal variable, ask some authoritive object instance for the amounts allowed and perform the check. This is NOT the recommended method for larger and more complex system (such as banks), but can work as a temporary solution for the time being.