Return-Path: Delivered-To: apmail-geronimo-dev-archive@www.apache.org Received: (qmail 53063 invoked from network); 15 Apr 2005 05:41:38 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 15 Apr 2005 05:41:38 -0000 Received: (qmail 30236 invoked by uid 500); 15 Apr 2005 05:41:23 -0000 Delivered-To: apmail-geronimo-dev-archive@geronimo.apache.org Received: (qmail 30121 invoked by uid 500); 15 Apr 2005 05:41:22 -0000 Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org Delivered-To: mailing list dev@geronimo.apache.org Received: (qmail 30041 invoked by uid 99); 15 Apr 2005 05:41:22 -0000 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received: from ajax-1.apache.org (HELO ajax.apache.org) (192.87.106.226) by apache.org (qpsmtpd/0.28) with ESMTP; Thu, 14 Apr 2005 22:41:20 -0700 Received: from ajax.apache.org (ajax.apache.org [127.0.0.1]) by ajax.apache.org (Postfix) with ESMTP id 628B12DF for ; Fri, 15 Apr 2005 07:41:18 +0200 (CEST) Message-ID: <1230761072.1113543678402.JavaMail.jira@ajax.apache.org> Date: Fri, 15 Apr 2005 07:41:18 +0200 (CEST) From: "David Jencks (JIRA)" To: dev@geronimo.apache.org Subject: [jira] Reopened: (GERONIMO-632) Create a JACC gbean per application to manage security In-Reply-To: <1680005215.1113543021152.JavaMail.jira@ajax.apache.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N [ http://issues.apache.org/jira/browse/GERONIMO-632?page=history ] David Jencks reopened GERONIMO-632: ----------------------------------- > Create a JACC gbean per application to manage security > ------------------------------------------------------ > > Key: GERONIMO-632 > URL: http://issues.apache.org/jira/browse/GERONIMO-632 > Project: Geronimo > Type: Bug > Versions: 1.0-M3 > Reporter: David Jencks > Assignee: David Jencks > Fix For: 1.0-M4 > > It's become apparent recently that there are some deficiencies in the current security system, currently manifested by difficulty in implementing some requirements: > * the PolicyConfigurations for the modules in an ear need to be linked > * After linking, each PolicyConfiguration needs to be committed and the policy refreshed > * Only after the refresh should requests be allowed to get to the new application. > In addition, the code to set up security is more or less duplicated in several places where it doesn't seem to fit very well. > After a lot of discussion and attempts to identify what was wrong Alan Cabrera, Jeff Genender and I have come up with a design we think will satisfy all the requirements and considerably simplify the code. Since I'm in the westernmost time zone I got elected to document it :-) So, I'll try to describe it here and expect to start implementing it shortly. Of course, comments and suggestions would be greatly appreciated. > The center of the idea is to have a new JACC gbean for each application or standalone module. This will be configured by various builders at deploy time with all the security info for the entire application: the permissions for each module indexed by contextID, and the permission to role mappings for the entire application. When this gbean starts it will create the PolicyConfiguration instances for each module, configure them with the appropriate permissions, add the application-wide permission-role mapping to each, link them all together, commit them, and refresh the policy. > Each module in the application or standalone module will have a reference to the appropriate JACC gbean, so it cannot start until after the JACC gbean has started: thus there is no possibility that any requests could get to the module before security is completely set up. > Each module will now need only to know its contextID so as to set the threadlocal in PolicyContext. > At least on the runtime side this will allow as a side effect complete pluggability of the security system. > One of the side effects of this design is that linking will have no effect, since the principal to role mapping will be set up for the application as a whole and supplied to each PolicyConfiguration for the app as a whole. If there are unanticipated problems with this approach we can revert to having principal-role mappings per module and linking them. I can't see how problems could arise since we would essentially be linking at deploy time rather than run time. > On the builder side of things, we will have to do two steps: > 1. collect a map of contextID to permissions from the spec-dd security info for each module. > 2. extract the principal-role mappings from either the application plan or the individual module plan. We are thinking that we should allow only one principal - role mapping configuration either at the top level of an application plan or in a standalone module plan. > These would be stuffed into a GBeanData after the modules are configured. Since all the module builders are run off the EARConfigBuilder it should be able to construct the gbeandata for both applications and standalone modules. > (copied from a dev-list message) -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - If you want more information on JIRA, or have a bug to report see: http://www.atlassian.com/software/jira