Need help-Authorization

 
Ranch Hand
Posts: 101
Hi,

I want to create a method to authorize a role for accessing forms in a desktop application. The method name is authorize(String actions). I need to check the permissions for the actions that I'm getting from another class. I have to compare the role and actions against those in the policy file. I need to make sure that the role has the necessary permissions to access those forms.

Also, I'm stuck on the following code.

```java
permissionCollection.implies(new PropertyPermission("name","action"));
```

What do name and action denote? Can I assign a jar name or class name to "action"?

Attaching the code:

```java
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class ClientSecurityManager extends Policy
{
    static String userRole;

    public ClientSecurityManager()
    {
    }

    /*
     * Authenticate the user and stores the role in memory.
     */
    public boolean authenticate(String userName, String password)
    {
        // Calls method of Jazn for doing authentication.
        // return the boolean value as the result of authentication and role.
        // userRole = role;
        return true;
    }

    public boolean authorize(String action)
    {
        URL codebase;
        try {
            // Get permissions for a directory (the path comes from the argument, not a string literal)
            codebase = new File(action).toURI().toURL();
        } catch (MalformedURLException e) {
            // No usable code base: deny instead of continuing with a null URL
            return false;
        }

        // Construct a code source with the code base; the cast picks the (URL, Certificate[]) constructor
        CodeSource cs = new CodeSource(codebase, (Certificate[]) null);

        PermissionCollection pcoll = Policy.getPolicy().getPermissions(cs);
        // "name" and "action" are the placeholders the question is about;
        // PropertyPermission itself only accepts the actions "read" and "write"
        boolean permissionStatus = pcoll.implies(new PropertyPermission("name", "action"));

        // Return the outcome of the check instead of a constant true
        return permissionStatus;
    }

    public void refresh() {
    }

    public PermissionCollection getPermissions(CodeSource cs) {
        // A real collection is needed here; calling add() on null throws NullPointerException
        PermissionCollection permissionCollection = new Permissions();
        permissionCollection.add(new PropertyPermission("name", "action"));
        return permissionCollection;
    }
}
```

I hope I could get some idea from you javaranchers....
 
Bartender
Posts: 1638
If you are using JAAS for authorization then you should use subject.doAs() instead of doing that in the code yourself by getting the policy et al.
However, answering your question:
The name is the name of the permission and the action is the set of actions you want to check the authorization for. As an example, you must have an entry in the Java policy file (present in <jre_root>/lib/security/java.policy) as follows:

```
// Standard extensions get all permissions by default

grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.security.AllPermission;
};

// default permissions granted to all domains

grant {
    permission java.util.PropertyPermission "java.specification.version", "read";
};
```

Here java.specification.version is the name and "read" is the action.
Hope this helps.

You can follow this link
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnAndAzn.html
 
J Abraham
Ranch Hand
Posts: 101
Hi Nitesh,

Thanks for the quick reply. In my case I'm doing the authentication using Oracle's Jazn (JAAS provider). I'm not using JAAS for authentication, so how can I use Subject in my authorize method? Also, I am stuck on how to retrieve the principal (role) from the policy file. I will get the jar file/class file which is used to access that form. I need to check whether this jar file/class file I'm getting has the necessary permission and is being accessed by the right principal (role). I will get the principal (role) stored in static memory. Do you have any idea about checking that with the policy file?
[ February 28, 2007: Message edited by: Jibin Abraham ]
 
Nitesh Kant
Bartender
Posts: 1638
As far as I understand, you do not get the subject as a whole but you get the principals (sorry, I don't know much about Oracle's Jazn).
So, you can create a new read-only subject of your own having the required principals.

Now, you have two problems:

1) How to check whether the jar file has the required permissions. So, you need to find out what permissions you are looking for (name and action as specified in the Java policy file) and follow the same as you wrote in the code sample that you posted.
2) How to check whether the principal has the permission to access the jar file. This can be done by using Subject.doAsPrivileged(<subject you created>, <a privileged action trying to access the jar using an input stream>, null). Passing null as the access control context (last argument) will ensure that permissions are checked only for the subject that you are passing. For this, in the policy file you should specify a java.io.FilePermission with the path of the jar and action as read for this principal.

Hope the above helps.
It is difficult to put the whole code here. Probably if you go through the Sun tutorials you will get the hang of the above.
 
J Abraham
Ranch Hand
Posts: 101
Thanks for the reply.

I tried with Subject.doAsPrivileged .....

I have a doubt regarding the final checking of permission.

```java
boolean permissionStatus = permissionCollection.implies(new PropertyPermission("name","action"));
```

Here I'm confused about the type of permission... whether it is PropertyPermission or FilePermission or another type of permission. Also, I'm confused about what to include in the arguments of the permission constructor.
 
Nitesh Kant
Bartender
Posts: 1638

Here I'm confused about the type of permission... whether it is PropertyPermission or FilePermission or another type of permission.


The type of permission should match with the permission type specified in the policy file.

I think in your case you have to create your own permission and use the same in the policy file as well as the code.

Follow the following post for samples:

Authorization using JAAS
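
Added example (not code from any poster in this thread): the name/action explanation earlier in the thread and the advice above that the permission type must match the policy entry, shown with an in-memory Permissions collection standing in for what the policy returns. The class name ImpliesDemo, the app.* grant and the sample property names are constructed for illustration.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

public class ImpliesDemo {
    // Constructed stand-in for the permissions a policy would return for one code source:
    //   permission java.util.PropertyPermission "java.specification.version", "read";
    //   permission java.util.PropertyPermission "app.*", "read,write";
    static Permissions granted() {
        Permissions p = new Permissions();
        p.add(new PropertyPermission("java.specification.version", "read"));
        p.add(new PropertyPermission("app.*", "read,write"));
        return p;
    }

    static void show(Permissions granted, Permission wanted) {
        System.out.printf("%-75s implied=%s%n", wanted, granted.implies(wanted));
    }

    public static void main(String[] args) {
        Permissions g = granted();
        // Same permission type, same name, same action as the first grant
        show(g, new PropertyPermission("java.specification.version", "read"));
        // Same type and name, but an action outside the granted set
        show(g, new PropertyPermission("java.specification.version", "write"));
        // Name covered by the wildcard grant, action a subset of "read,write"
        show(g, new PropertyPermission("app.theme", "write"));
        // A name that no grant covers
        show(g, new PropertyPermission("java.home", "read"));
        // Same name and action strings, different permission type
        show(g, new FilePermission("java.specification.version", "read"));
        try {
            // The placeholder pair from the question: the action string is validated by the constructor
            new PropertyPermission("name", "action");
        } catch (IllegalArgumentException e) {
            System.out.println("PropertyPermission rejected the action string: " + e.getMessage());
        }
    }
}
```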
 
J Abraham
Ranch Hand
Posts: 101
Nitesh,

In my case I'm getting the role (principal) after authentication, and the form name (it may be a class), as I'm using a desktop application. I just want to check the permission by checking the policy file. The arguments are the role and the name of the class, but I need a boolean value as the return. Would the code that you have posted work in my case?
 
Nitesh Kant
Bartender
Posts: 1638
The AccessController.checkPermission() will throw a java.security.AccessControlException if the permission is not present for the subject. You can catch the exception and then take any action that you want.
I think you should create a permission taking a form name and the action.
Use this permission while checking and also while specifying in the policy file.
In the policy file you can specify all the actions allowed for a subject and at runtime you can check for one of the actions.
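
Added example (not from the thread and not Oracle JAZN code): one way to turn the advice above into a boolean authorize(role, form, action), using a custom permission checked inside Subject.doAsPrivileged. FormAuthorizer, FormPermission, RolePrincipal, the role "clerk", the form "InvoiceForm" and the policy entry are hypothetical, and it assumes a JDK on which the java.security.Policy machinery is still active (it has been deprecated for removal since Java 17).

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
// Constructed policy entry, loaded with -Djava.security.policy=forms.policy:
//   grant principal FormAuthorizer$RolePrincipal "clerk" {
//       permission FormAuthorizer$FormPermission "InvoiceForm", "open,edit";
//   };
public final class FormAuthorizer {
    /** Hypothetical permission: name is the form, actions a comma-separated list. */
    public static final class FormPermission extends Permission {
        private final Set<String> actions;
        public FormPermission(String form, String actions) {
            super(form);
            this.actions = new TreeSet<>(Arrays.asList(actions.trim().split("\\s*,\\s*")));
        }
        @Override public boolean implies(Permission p) {
            // The granted entry must name the same form and cover every requested action.
            return p instanceof FormPermission && getName().equals(p.getName())
                    && actions.containsAll(((FormPermission) p).actions);
        }
        @Override public String getActions() { return String.join(",", actions); }
        @Override public boolean equals(Object o) {
            return o instanceof FormPermission && getName().equals(((FormPermission) o).getName())
                    && actions.equals(((FormPermission) o).actions);
        }
        @Override public int hashCode() { return Objects.hash(getName(), actions); }
    }
    /** Hypothetical principal holding the role name returned by authentication. */
    public static final class RolePrincipal implements Principal {
        private final String role;
        public RolePrincipal(String role) { this.role = role; }
        @Override public String getName() { return role; }
    }

    /** Returns true only if the policy grants the role this action on the form. */
    public static boolean authorize(String role, String form, String action) {
        Subject subject = new Subject(true, Set.of(new RolePrincipal(role)), Set.of(), Set.of());
        try {
            // null context: only this code's domain plus the subject's principals are checked
            Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
                AccessController.checkPermission(new FormPermission(form, action));
                return null;
            }, null);
            return true;
        } catch (AccessControlException denied) {
            return false; // fail closed: no matching grant means no access
        }
    }
}
```

The check is driven entirely by the policy file: a call such as FormAuthorizer.authorize("clerk", "InvoiceForm", "open") is decided by whether a grant for that principal lists the form and action, so roles and forms can be changed without touching the code.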
 