geronimo-dev mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Why excluded permissions?
Date Mon, 21 Apr 2008 22:49:58 GMT
I've been wondering about why javaee and jacc talk so much about  
excluded permissions.  My first thought was that excluded or denied  
permissions are something people like to think about, so I expanded the
idea to a hierarchical rbac system in my triplesec prototype.   
However this makes it more or less impossible to figure out what is  
granted to someone -- AFAICT you have to go through the entire role  
hierarchy to correctly evaluate if someone has a permission since it  
could be denied by one more general permission or granted by another  
incomparable more general permission.  I think this requirement to  
evaluate permissions at multiple levels would be too slow to be  
practicable.

So, my next thought was that since we know what the permissions are  
for javaee (web permissions and ejb permissions) why not simply do  
the calculations of what permissions are left when we deny the  
excluded permissions right in the deployer, and only grant the  
resulting permissions.

For web permissions this is especially easy to do since AFAICT except  
for removing permissions that are granted and identical to excluded  
permissions, the algorithm for computing the granted permissions from  
the deployment descriptor already prevents any excluded permission  
from being granted.  I did notice one bizarre feature of the  
algorithm, which is that adding an excluded permission can grant  
permissions that otherwise would not be granted.  Basically if /Foo/*  
is granted to role Admin, then Foo/Bar/Baz is only available to  
Admin.  However if you add an exclusion for /Foo/Bar/* with http  
method PUT say then that grants an unchecked permission to /Foo/Bar/*  
for all http methods other than PUT.  Greg Wilkins is discussing with  
the servlet EG whether this is really what is intended: it is also
pretty clearly a feature of the algorithm described in the servlet spec.
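The effect described above, as an added example that is not part of the original mail or of Geronimo's code: a small Python model of the Servlet 2.5 rule that only the constraints on the best-matching url-pattern are consulted, and that an HTTP method not constrained at that pattern is accepted without any check. The constraint tuples, patterns and role names are constructed for illustration.

```python
# Added example, not from the mail or the Geronimo code base: a model of the
# Servlet 2.5 best-match rule for security-constraints.  It reproduces the
# effect in the mail: excluding PUT on /Foo/Bar/* makes every other method on
# /Foo/Bar/* unchecked even though /Foo/* is restricted to role Admin.

def pattern_matches(pattern, path):
    """Exact match, path-prefix match (/x/*), or the default pattern (/)."""
    if pattern == "/" or pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return False

def best_pattern(patterns, path):
    """SRV.11.1 ordering: exact, then longest path prefix, then default."""
    matches = [p for p in set(patterns) if pattern_matches(p, path)]
    if path in matches:
        return path
    prefixes = [p for p in matches if p.endswith("/*")]
    if prefixes:
        return max(prefixes, key=len)
    return "/" if "/" in matches else None

def decide(constraints, method, path):
    """Each constraint is (url-pattern, methods or None for all, roles), where
    roles is None (no auth-constraint: unchecked), an empty set (empty
    auth-constraint: excluded) or the set of permitted roles.  Returns
    'unchecked', 'excluded', or the union of permitted roles."""
    best = best_pattern([c[0] for c in constraints], path)
    applicable = [c for c in constraints
                  if c[0] == best and (c[1] is None or method in c[1])]
    if best is None or not applicable:
        return "unchecked"   # method not constrained at the best pattern
    if any(c[2] is not None and not c[2] for c in applicable):
        return "excluded"    # an empty auth-constraint overrides all others
    if any(c[2] is None for c in applicable):
        return "unchecked"   # a missing auth-constraint allows everyone
    return set().union(*(c[2] for c in applicable))

ADMIN_ONLY = ("/Foo/*", None, {"Admin"})       # all methods, Admin only (constructed)
EXCLUDE_PUT = ("/Foo/Bar/*", {"PUT"}, set())   # PUT excluded on the subtree (constructed)

def demo():
    """Show how adding EXCLUDE_PUT opens GET /Foo/Bar/Baz to everyone."""
    only = decide([ADMIN_ONLY], "GET", "/Foo/Bar/Baz")                    # {'Admin'}
    with_excl = decide([ADMIN_ONLY, EXCLUDE_PUT], "GET", "/Foo/Bar/Baz")  # 'unchecked'
    put = decide([ADMIN_ONLY, EXCLUDE_PUT], "PUT", "/Foo/Bar/Baz")        # 'excluded'
    return only, with_excl, put
```

A deployer that computes granted permissions up front, as the mail proposes, would need to subtract the excluded methods without letting the more specific pattern shadow the Admin constraint for the remaining methods.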

For ejb permissions this is marginally more complicated.  What I've  
done is for any granted permission that intersects with any excluded  
permissions, to replace the granted permission with the individual  
permissions that are equivalent to it, removing any implied by any  
excluded permission.

AFAICT these changes don't cause any problems.  I've opened  
GERONIMO-3964 to track this and committed my changes in rev 650304.

Comments would be extremely welcome.

thanks
david jencks
