geronimo-user mailing list archives

From Diego L Espiñeira <espi...@yahoo.com.ar>
Subject Re: Custom EJB Security
Date Tue, 05 Dec 2006 01:07:22 GMT
Do I have to put it in JIRA?



On Mon, 2006-12-04 at 14:14 -0800, David Jencks wrote:
> We should move this to the dev list :-)
> 
> Sorry for the delay, I wrote up some info on JACC at
> http://cwiki.apache.org/confluence/display/GMOxDEV/JACC+Guide
> 
> I'll try to work on it some more and see if I can figure out how to  
> link it from the dev wiki page.
> 
> I don't know of much other info about JACC except the spec which is  
> IMO a bit confusing about who does what.
> 
> 
> 
> On Dec 2, 2006, at 9:40 PM, Diego L Espiñeira wrote:
> 
> > I guess I have to implement/extend the following interfaces/classes
> > - org.apache.geronimo.j2ee.deployment.SecurityBuilder
> > - javax.security.jacc.PolicyConfiguration
> > - javax.security.jacc.PolicyConfigurationFactory
> > - java.security.Principal
> >
> > Is that right? Just what you did with all that TripleSec stuff, right?
> > Well, now I need to know how these classes are supposed to fit together.
> > I need an explanation, e.g. "class A calls B when C happens", etc.
> 
> I think you might want to try extending the geronimo default  
> provider, I think you will have less to do.
> >
> > When does the authorization info get updated?
> > How do I make the "SecurityProxy" read additional configuration  
> > such as
> > where to get the permissions and roles from (DBMS, XML, webservice,
> > etc).
> 
> After thinking about this for just a few minutes, I think I'd go  
> about this like so:
> 
> 1. use java 5 :-)
> 
> 2. Modify PolicyConfigurationGeneric to include a map <Class,  
> PermissionsHandler>, and if the regular check passes, continue by  
> looking for a handler for the class of the permission, and asking the  
> handler as well.  So we'd have something like
> 
> import java.security.Permission;
> import java.security.Principal;
> 
> interface PermissionsHandler {
>   // consulted after the regular role check has already passed
>   boolean implies(Permission permission, Principal[] principals);
> }
> 
> The permissionsHandler can look for the ejb object, method args, etc  
> from PolicyContext itself.  (PermissionsHandler is probably a really  
> bad name)
> 
> 3. Write a GBean to configure and install a PermissionsHandler into a  
> PolicyConfigurationGeneric for a  specific policyContextID.  This  
> GBean can configure the PermissionsHandler any way it wants.
> 
> 4. Modify the GeronimoSecurityBuilderImpl to install instances of  
> your gbeans based on xml in a modified geronimo-security-1.2.xsd
> 
> I think my proposed PermissionsHandler can do anything the jboss  
> SecurityProxy can do, although it is going to use the  
> EJBMethodPermission.getActions() string to index which method is  
> involved rather than the Method object itself.
> 
> I might have left out a lot of essential functionality, so this might  
> not actually work :-).  It might be a starting point though.
> 
> Please keep in touch with your progress, and keep asking questions!
> 
> thanks
> david jencks
> 
> >
> >
> > On Sun, 2006-12-03 at 00:32 -0300, Diego L Espiñeira wrote:
> >> Hi
> >> It would be such an honor to participate.
> >> The case is I don't have much information about the JACC API and
> >> specification, nor about how this is implemented in geronimo.
> >> I just need that information to get the job done.
> >>
> >>
> >> Thanks for your reply
> >>
> >> On Sat, 2006-12-02 at 17:08 -0800, David Jencks wrote:
> >>> The SecurityProxy is a JBoss proprietary feature that Geronimo
> >>> doesn't support.  At the moment we don't have anything directly
> >>> comparable implemented.
> >>>
> >>> Starting with j2ee 1.4 the "official" way to implement security
> >>> dependent on the ejb method calls is to do it in a JACC  
> >>> provider.  In
> >>> a JACC provider you can use the ejb method call in the determination
> >>> of whether to grant an ejb permission to a caller.  I suspect we
> >>> could write a JACC provider that delegated to something like the
> >>> JBoss SecurityProxy.  When considering this before I was thinking
> >>> more in terms of a rule engine, but certainly just writing code is
> >>> simpler :-)
> >>>
> >>> Would you be interested in working on an implementation of this?   
> >>> I'm
> >>> interested but currently short of time, but I'd be happy to discuss
> >>> how to do it with you.
> >>>
> >>> thanks
> >>> david jencks
> >>>
> >>> On Dec 2, 2006, at 10:39 AM, Diego L Espiñeira wrote:
> >>>
> >>>> Hi!
> >>>> I'm in the process of migrating to Geronimo an application originally
> >>>> built for JBoss.
> >>>> This application uses custom EJB security through implementing the
> >>>> org.jboss.security.SecurityProxy interface. How could this be done
> >>>> with Geronimo?
> >>>> The reasons I've approached this issue that way and not with the
> >>>> facade bean using isUserInRole are the tight integration with the
> >>>> application server architecture and that this way I can write neat
> >>>> and more maintainable code.
> >>>>
> >>>> PS: sorry, my English sucks.
> >>>>
> >>>> Thanks in advance.
> >>>>
> >>>> __________________________________________________
> >>>> Correo Yahoo!
> >>>> Space for all your messages, antivirus and antispam, free!
> >>>> Open your account now! - http://correo.yahoo.com.ar
> >>>
> >>
> >
> 

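The "regular check first, then a per-permission-class handler" design that David sketches in steps 2 and 3 above, written out as a runnable sketch. This is an added example, not code from the thread or from Geronimo: HandlerAwarePolicy is a hypothetical stand-in for PolicyConfigurationGeneric, MethodRuleHandler, HandlerDemo and the "AccountBean"/"withdraw"/"teller" values are constructed, and it assumes Java 8+ with the JACC API (javax.security.jacc) on the classpath.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.jacc.EJBMethodPermission;

// Hypothetical handler interface, as sketched in the thread.
interface PermissionsHandler {
    boolean implies(Permission permission, Principal[] principals);
}

// Hypothetical stand-in for PolicyConfigurationGeneric: the role-derived permission
// collection is the regular check; a handler keyed by permission class runs only after it passes.
class HandlerAwarePolicy {
    private final PermissionCollection granted = new Permissions();
    private final Map<Class<? extends Permission>, PermissionsHandler> handlers = new HashMap<>();
    void grant(Permission p) { granted.add(p); }
    void install(Class<? extends Permission> type, PermissionsHandler h) { handlers.put(type, h); }
    boolean implies(Permission p, Principal[] principals) {
        if (!granted.implies(p)) return false;          // regular JACC check failed: deny
        PermissionsHandler h = handlers.get(p.getClass());
        return h == null || h.implies(p, principals);   // a handler can only narrow a grant
    }
}

// Constructed handler: the EJB method is identified from the getActions() string
// ("methodName,methodInterface,params"), as the proposal suggests, not from a Method object.
class MethodRuleHandler implements PermissionsHandler {
    public boolean implies(Permission p, Principal[] principals) {
        String methodName = p.getActions().split(",", -1)[0];
        if (!"withdraw".equals(methodName)) return true;  // no extra rule for other methods
        for (Principal caller : principals) {
            if ("teller".equals(caller.getName())) return true;
        }
        return false;                                    // withdraw also needs a "teller" principal
    }
}

public class HandlerDemo {
    public static void main(String[] args) {
        HandlerAwarePolicy policy = new HandlerAwarePolicy();
        EJBMethodPermission withdraw = new EJBMethodPermission("AccountBean", "withdraw,Remote");
        policy.grant(withdraw);                          // the role mapping alone would allow it
        policy.install(EJBMethodPermission.class, new MethodRuleHandler());
        Principal[] customer = { () -> "customer" };     // Principal has a single abstract method
        System.out.println("customer may withdraw: " + policy.implies(withdraw, customer));
    }
}
```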
