1. Merlin's Kernel is pretty limited, and not really worth adding any security
   features, since the same can basically be done by the java.security.policy
   file.
2. The interesting parts lie in the possibility to assign grants to
   'components' instead of codebases.
3. Next step is to make a facility which provides the JAAS style subject level
   security.

For a customer, I developed a security service that incorporated security in
the kernel (a factory would decide whether to start in security mode or not).
This secure kernel is built on JAAS, covering both codebase and subject, as the
secure kernel at boot reads the policy file (say from a database or an LDAP)
and replaces the policy for the entire JVM. Furthermore, I developed an
extended security manager that could provide add-on features like method
permission (similar to EJB declarative method permission) etc.

One point I learnt from this project is that the underlying "components" may
have a different security model than the kernel. Not only may the
authorization model be different, but also each component may want to use a
different authenticator. Based on that experience, I got the idea that a
cascading security model should be provided, in which each component has its
own security model that cannot violate the security constraints imposed by
its surrounding container.

The other thing I learnt was not to differentiate/favour codesource over
subject. After all, security is about WWW (Where codesource, Who subject,
What guarded resource).

Regarding "assign grants to 'components' instead of codebases", I would think
you can solve it by a special purpose classloader. When a component is loaded
by the classloader, simply assign the component its own codesource, that is
different from its physical codesource. A similar approach is taken in Sun's
J2EE 1.3 reference application server.

Best Regards
-- 
Nader Aeinehchi
Aasenhagen 66 E
2020 Skedsmokorset
NORWAY
Direct and Mobile +47 41 44 29 57
Tel (private): +47 64 83 09 08
Fax +47 64 83 08 07
www.aeinehchi.com

----- Original Message -----
From: "Niclas Hedhman" <[EMAIL PROTECTED]>
To: "Avalon Developers List" <[EMAIL PROTECTED]>
Sent: Saturday, April 03, 2004 12:46 PM
Subject: Re: Secure Kernel in Merlin

> On Saturday 03 April 2004 18:22, Nader Aeinehchi wrote:
> > In many systems I have looked at, a kernel typically starts several
> > containers which in turn may start other containers/applications.
>
> Merlin's Kernel is pretty limited, and not really worth adding any security
> features, since the same can basically be done by the java.security.policy
> file.
>
> The interesting parts lie in the possibility to assign grants to 'components'
> instead of codebases, as they may share the codebase, i.e. permissions for
> the same codebase are given depending on how it is 'mounted' in the
> application hierarchy.
>
> That is what we are trying to solve now.
>
> Next step is to make a facility which provides the JAAS style subject level
> security.
> I have a rough cut on how that would work in my head, but nothing written
> down.
>
> Niclas
> --
> +---------//-------------------+
> | http://www.bali.ac           |
> | http://niclas.hedhman.org    |
> +------//----------------------+
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
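Nader's closing suggestion, a special-purpose classloader that gives a component its own codesource distinct from its physical one, as an added Java example; this is not code from the thread, from Merlin or from Avalon. It assumes Java 9 to 17 APIs (java.security.Policy is deprecated in later JDKs), that the file is compiled with javac so the sample class is found on the classpath, and the `file:/components/<mount>/` URL convention, the mount names and the `user.name` grant are constructed for the demo.

```java
import java.io.*;
import java.net.URL;
import java.security.*;
import java.util.PropertyPermission;

/** Defines a component's classes under a synthetic CodeSource so grants follow the mount point, not the jar. */
public class ComponentClassLoader extends ClassLoader {
    private final String componentPrefix;  // class names with this prefix belong to the component
    private final ProtectionDomain domain; // synthetic codesource plus the component's static grants

    ComponentClassLoader(ClassLoader parent, String componentPrefix, String mountPath, PermissionCollection grants) throws Exception {
        super(parent);
        this.componentPrefix = componentPrefix;
        // Constructed convention: the URL names the component's place in the application hierarchy,
        // not where its bytes physically live, so a policy file can grant to codeBase "file:/components/mail/-" only.
        CodeSource cs = new CodeSource(new URL("file:/components/" + mountPath + "/"), (java.security.cert.Certificate[]) null);
        this.domain = new ProtectionDomain(cs, grants, this, null); // principals would be added once JAAS subjects are wired in
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        if (!name.startsWith(componentPrefix)) return super.loadClass(name, resolve); // JDK and shared classes: normal delegation
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null) { byte[] b = readClassBytes(name); c = defineClass(name, b, 0, b.length, domain); } // same bytes, own domain
            if (resolve) resolveClass(c);
            return c;
        }
    }

    private byte[] readClassBytes(String name) throws ClassNotFoundException {
        // Physical codesource: the .class file as the parent loader finds it on the classpath.
        try (InputStream in = getParent().getResourceAsStream(name.replace('.', '/') + ".class")) {
            if (in == null) throw new ClassNotFoundException(name);
            return in.readAllBytes();
        } catch (IOException e) { throw new ClassNotFoundException(name, e); }
    }

    public static class MailService {} // sample component class, defined twice below from the same bytes

    public static void main(String[] args) throws Exception {
        String name = "ComponentClassLoader$MailService";
        ClassLoader parent = ComponentClassLoader.class.getClassLoader();
        Permissions trusted = new Permissions();
        Permission read = new PropertyPermission("user.name", "read");
        trusted.add(read);
        ProtectionDomain mail = new ComponentClassLoader(parent, name, "mail", trusted).loadClass(name).getProtectionDomain();
        ProtectionDomain other = new ComponentClassLoader(parent, name, "untrusted-mail", new Permissions()).loadClass(name).getProtectionDomain();
        // Same class bytes, two mount points: only the "mail" mount may read user.name.
        System.out.println(mail.getCodeSource().getLocation() + " " + mail.implies(read) + " " + other.implies(read));
    }
}
```

Because the domain is built with the four-argument ProtectionDomain constructor, the installed Policy is consulted as well as the static grants, so a policy file keyed on the synthetic codeBase works alongside the programmatic permissions.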
