We should move this to the dev list :-)
Sorry for the delay, I wrote up some info on JACC at http://
cwiki.apache.org/confluence/display/GMOxDEV/JACC+Guide
I'll try to work on it some more and see if I can figure out how to
link it from the dev wiki page.
I don't know of much other info about JACC except the spec which is
IMO a bit confusing about who does what.
On Dec 2, 2006, at 9:40 PM, Diego L Espiñeira wrote:
I guess I have to implement/extend the following interfaces/classes
- org.apache.geronimo.j2ee.deployment.SecurityBuilder
- javax.security.jacc.PolicyConfiguration
- javax.security.jacc.PolicyConfigurationFactory
- java.security.Principal
Is that right? Just what you did with all that TripleSec stuff, right?
Well, now I need to know how this classes are suppose to fit together.
I need any explanation i.e. "class A calls B when C happens", etc.
I think you might want to try extending the geronimo default
provider, I think you will have less to do.
When the authorization info gets updated?
How do I make the "SecurityProxy" read additional configuration
such as
where to get the permissions and roles from (DBMS, XML, webservice,
etc).
After thinking about this for just a few minutes, I think I'd go
about this like so:
1. use java 5 :-)
2. Modify PolicyConfigurationGeneric to include a map <Class,
PermissionsHandler>, and if the regular check passes, confinue by
looking for a handler for the class of the permission, and asking the
handler as well. So we'd have something like
interface PermissionsHandler {
boolean implies(Permission permission, Principal[] principals);
}
The permissionsHandler can look for the ejb object, method args, etc
from PolicyContext itself. (PermissionsHandler is probably a really
bad name)
3. Write a GBean to configure and install a PermissionsHandler into a
PolicyConfigurationGeneric for a specific policyContextID. This
GBean can configure the PermissionsHandler any way it wants.
4. Modify the GeronimoSecurityBuilderImpl to install instances of
your gbeans based on xml in a modified geronimo-security-1.2.xsd
I think my proposed PermissionsHandler can do anything the jboss
SecurityProxy can do, although it is going to use the
EJBMethodPermission.getActions() string to index which method is
involved rather than the Method object itself.
I might have left out a lot of essential functionality, so this might
not actually work :-). It might be a starting point though.
Please keep in touch with your progress, and keep asking questions!
thanks
david jencks
On Sun, 2006-12-03 at 00:32 -0300, Diego L Espiñeira wrote:
Hi
It would be such an honor to participate.
The case is I don't have much information about the JACC API and
specification neither about how is this implemented in geronimo.
I just need that information to get the job done.
Thanks for your reply
On Sat, 2006-12-02 at 17:08 -0800, David Jencks wrote:
The SecurityProxy is a JBoss proprietary feature that Geronimo
doesn't support. At the moment we don't have anything directly
comparable implemented.
Starting with j2ee 1.4 the "official" way to implement security
dependent on the ejb method calls is to do it in a JACC
provider. In
a JACC provider you can use the ejb method call in the determination
of whether to grant an ejb permission to a caller. I suspect we
could write a JACC provider that delegated to something like the
JBoss SecurityProxy. When considering this before I was thinking
more in terms of a rule engine, but certainly just writing code is
simpler :-)
Would you be interested in working on an implementation of this?
I'm
interested but currently short of time, but I'd be happy to discuss
how to do it with you.
thanks
david jencks
On Dec 2, 2006, at 10:39 AM, Diego L Espiñeira wrote:
Hi!
I'm in the process to migrate to Geronimo an application originally
build for JBoss.
This application uses custom EJB security through implementing the
org.jboss.security.SecurityProxy interface. How could this be done
with
Geronimo. The reasons I've approached this issue that way and
not the
facade bean using isUserInRole are the tight integration with the
application server architecture and that of this way I can write
neat
and more maintainable code.
PD: sorry, my English sucks.
Thanks in advance.
__________________________________________________
Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam ¡gratis!
¡Abrà tu cuenta ya! - http://correo.yahoo.com.ar
__________________________________________________
Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam gratis!
Abr tu cuenta ya! - http://correo.yahoo.com.ar
__________________________________________________
Correo Yahoo!
Espacio para todos tus mensajes, antivirus y antispam ¡gratis!
¡Abrí tu cuenta ya! - http://correo.yahoo.com.ar
