Originally posted by Ulf Dittmer:
The theory is that the user is in charge of his own machine (and is trusted to do the right thing), whereas the application by default is not. If the user feels that the application can be trusted, he can allow it to do more things than an untrusted application. Since that requires a conscious act of the user, that is considered OK.
I figured as such, but it does seem to create an interesting situation when it comes to authorization. I'll explain the approach I opted for at the end of this post, but I'll start with the 'problem.' (Some of this in another post, but I'm going to link to this one from that post.)...
Let's assume the user installs his company's
Java swing application on his machine. We'll assume this client application has a direct connection to the internet as well (ignoring off-line mode.)
The developers of the application know about JAAS and figure they should use that to help enforce what things the user could do within the client app.
Authentication works nicely by pulling the user's windows username and cert and doing an online check to get possibly a list of roles the user has.
The developer now wants to implement authorization checks on various parts of his client app. For example maybe only an "Amdin" role could perform an "edit" function. An easy non-jaas approach is to simply let the developer of the client hard code logic into the application, looking up a role and then allowing it.. ie...
if ( loggedInUser.hasRole("AMDIN") ) {
//allow him to call editSomething()
}
The above might be an ok approach, but the developers want to use JAAS and call:
So the question now comes up as to where to store the allowable Permissions for user roles.
Let's assume we want to use a policy file. Obviously for this approach to work, we'd have to make sure the application comes installed with a custom file policy that declares all the role permissions. We also have to make sure the user can't modify this file, for if he could, he could grant himself "AllPermissions." We also have to make sure there is no way that the user can start up the application passing in his own policy file as an arg and bypassing our policy file. We also have to make sure he can't disable using a SecurityManager. For example, we'd be in trouble if we only relied on an editable startup script that passed in the args for the securityManager and the policy file (since the user could just remove or replace them as they wish.)
Here's the overall approach I ended up with....
1) Do not rely on any security args being passed in to start your application.
2) Create a policy file and bundle it in your jar. The policy should grant AllPermissions. (Considering the client is
trusting you application to install on the machine, this isn't that big of a deal.)
3) Create your config file that declares your Login module and bundle that in your jar as well.
4) Create your own Permission class to handle what you want to authorize.
5) Create your own Policy class or your own Security Manager to work with the Permsission class you created. If you create your own Policy you won't need
to rely on a policy file and can ensure that your
test in the implies method of the Policy file really checks for Permssions that you can manually give to the user/codeSource. (Without a custom Policy or SecurityManager, there might be a hole where somehow the user managed to pass a policy file that granted AllPermissions.
We only have our policy file (with AllPermissions) around just so that we can pass through any Permissions we don't care about to be handled by the default Policy.
6) Load your policy and config files from your jar and then initialize your Policy and the default or custom SecurityManager (in this example I'm showing a custom Policy and using the default SecurityManager). I do this in a static block. It should be in a class that first gets loaded. This is nice also since it also forces a SecurityManager to be used - and doesn't rely on passing in the securityManager arg by command line.
My Policy looks something like...
[ August 16, 2007: Message edited by: Rick Reumann ]