(Hope it's OK if I continue the meeting discussion offline)

IS guys, please correct me if I am wrong, but I think JAAS “kind of”
already has what we discussed (in addition to the normal code base level
protection [1]). Maybe JAAS is not intended to be used that way. But I just
want to point out the overlap.

Eg:

Granting permission to a (hierarchical) resource for a user or a user group
using JAAS

grant principal "manu" {
     permission java.io.TopicPermission "jms:/sports/football", "publish, delete";
};

grant principal "iot-team-user-group" {
     permission java.io.FilePermission "${carbon.home}${/}devices${/}*", "read";
};


But the problem is,


   1. We only know “/sports/football” string at run time so we can’t put that
      in policy file. I don’t know enough JAAS to say we can’t set that
      dynamically.
   2. The principal “manu” is also dynamic
   3. I am not sure we can ask the JAAS system to list the permissions granted
      for a given user (principal).


*Conclusion*
It seems like the model we discussed is conceptually similar to JAAS but with
a more dynamic and flexible implementation. It’ll be better if we can
actually use JAAS for all of it, not just the codebase part of it. But not sure
JAAS is flexible enough.


[1] grant codebase "org.wso2.kernel.jar", signedby "customer-a" {
   permission ServerPermission "shutdown";
};

-- 
With regards,
*Manu*ranga Perera.

phone : 071 7 70 20 50
mail : [email protected]
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
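
The three open points in the message above (resource names and principals known only at run time, and listing what a principal holds) can be exercised with the JDK's `java.security.Permission` and `Permissions` classes without a policy file. This is an added example, not part of the original message or WSO2 code; `TopicPermission`, `RuntimeGrants` and `DynamicGrantDemo` are hypothetical names, the sample data is constructed, and grants are kept in memory rather than installed through `java.security.Policy`.

```java
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical permission type for hierarchical topic names (not a JDK or WSO2 class).
final class TopicPermission extends Permission {
    private final Set<String> actions;
    TopicPermission(String topic, String actions) {
        super(topic);
        this.actions = new TreeSet<>(Arrays.asList(actions.trim().split("\\s*,\\s*")));
    }
    @Override public boolean implies(Permission p) {
        if (!(p instanceof TopicPermission)) return false;
        TopicPermission o = (TopicPermission) p;
        // A trailing "/*" covers every topic below that prefix; otherwise exact match.
        boolean nameOk = getName().endsWith("/*")
                ? o.getName().startsWith(getName().substring(0, getName().length() - 1))
                : getName().equals(o.getName());
        return nameOk && actions.containsAll(o.actions);
    }
    @Override public String getActions() { return String.join(",", actions); }
    @Override public boolean equals(Object x) {
        return x instanceof TopicPermission && getName().equals(((TopicPermission) x).getName())
                && actions.equals(((TopicPermission) x).actions);
    }
    @Override public int hashCode() { return Objects.hash(getName(), actions); }
}
// In-memory grants keyed by principal name, filled at run time instead of from a policy file.
final class RuntimeGrants {
    private final Map<String, Permissions> byPrincipal = new ConcurrentHashMap<>();
    void grant(String principal, Permission p) {
        byPrincipal.computeIfAbsent(principal, k -> new Permissions()).add(p);
    }
    boolean isAllowed(Collection<String> principals, Permission wanted) { // default deny
        return principals.stream().map(byPrincipal::get).anyMatch(h -> h != null && h.implies(wanted));
    }
    List<Permission> list(String principal) { // everything granted to one principal
        return Collections.list(byPrincipal.getOrDefault(principal, new Permissions()).elements());
    }
}
public class DynamicGrantDemo {
    public static void main(String[] args) {
        RuntimeGrants grants = new RuntimeGrants();
        String topic = "jms:/sports/football"; // constructed: stands in for a name learned at run time
        grants.grant("manu", new TopicPermission(topic, "publish, delete"));
        List<String> user = Arrays.asList("manu", "iot-team-user-group"); // user plus group principal
        System.out.println(grants.isAllowed(user, new TopicPermission(topic, "publish")));
        System.out.println(grants.isAllowed(user, new TopicPermission("jms:/sports/cricket", "publish")));
        System.out.println(grants.list("manu"));
    }
}
```

A check for a topic that was never granted falls through to deny, and the same `grant` call accepts JDK permission types such as `java.io.FilePermission`.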
