I've been wondering about why Java EE and JACC talk so much about excluded permissions. My first thought was that excluded or denied permissions are something people like to think about, so I expanded the idea to a hierarchical RBAC system in my triplesec prototype. However, this makes it more or less impossible to figure out what is granted to someone -- AFAICT you have to go through the entire role hierarchy to correctly evaluate whether someone has a permission, since it could be denied by one more general permission or granted by another, incomparable, more general permission. I think this requirement to evaluate permissions at multiple levels would be too slow to be practicable.

So, my next thought was: since we know what the permissions are for Java EE (web permissions and EJB permissions), why not simply do the calculation of what permissions are left when we deny the excluded permissions right in the deployer, and only grant the resulting permissions?

For web permissions this is especially easy to do since, AFAICT, except for removing permissions that are granted and identical to excluded permissions, the algorithm for computing the granted permissions from the deployment descriptor already prevents any excluded permission from being granted. I did notice one bizarre feature of the algorithm, which is that adding an excluded permission can grant permissions that otherwise would not be granted. Basically, if /Foo/* is granted to role Admin, then /Foo/Bar/Baz is only available to Admin. However, if you add an exclusion for /Foo/Bar/* with HTTP method PUT, say, then that grants an unchecked permission to /Foo/Bar/* for all HTTP methods other than PUT. Greg Wilkins is discussing with the servlet EG whether this is really what is intended; it is also pretty clearly a feature of the algorithm described in the servlet spec.

For EJB permissions this is marginally more complicated. What I've done is, for any granted permission that intersects with any excluded permission, to replace the granted permission with the individual permissions that are equivalent to it, removing any implied by any excluded permission.

AFAICT these changes don't cause any problems. I've opened GERONIMO-3964 to track this and committed my changes in rev 650304.

Comments would be extremely welcome.

thanks
david jencks
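The "bizarre feature" above follows directly from how the servlet-spec constraint algorithm (as formalised in JACC 1.1, section 3.1.3) hands each request to its most specific url-pattern. The following is an added example written for this page, not code from the message or from Geronimo: a reduced Python model of that translation, with the qualified-pattern rules, the excluded > unchecked > roles combination rule, and a policy check that evaluates excluded permissions first, then unchecked, then the caller's roles. It assumes a simplified world with no transport guarantees, no role "*" and no http-method-omission; the constraint names, sample patterns and the "!PUT" action encoding are as in the message, everything else is constructed.

```python
# Added example, not Geronimo code: a reduced model of the JACC 1.1 sec. 3.1.3 translation
# of security-constraints to web permissions (assumed: no transport guarantees, no role "*").
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_METHODS = ("DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE")
EXCLUDED, UNCHECKED = "EXCLUDED", "UNCHECKED"

@dataclass(frozen=True)
class Constraint:
    patterns: Tuple[str, ...]        # url-patterns of the web-resource-collection
    methods: Tuple[str, ...]         # http-methods; () means every method
    auth: Optional[Tuple[str, ...]]  # None: no auth-constraint, (): empty one, else role names

def kind(pattern):
    return ("default" if pattern == "/" else "prefix" if pattern.endswith("/*")
            else "extension" if pattern.startswith("*.") else "exact")

def matches(pattern, path):
    """Servlet url-pattern matching; also applied to another pattern's literal text."""
    k = kind(pattern)
    if k == "prefix":
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if k == "extension":
        return path.endswith(pattern[1:])
    return k == "default" or path == pattern

def qualifiers(pattern, patterns):
    """Patterns that take precedence over `pattern` on requests both match (JACC 3.1.3.1)."""
    others, k = [q for q in patterns if q != pattern], kind(pattern)
    if k == "exact":
        return ()
    if k == "default":
        return tuple(sorted(others))
    beaten_by = ("prefix", "exact") if k == "prefix" else ("exact",)
    return tuple(sorted(q for q in others if (k == "extension" and kind(q) == "prefix")
                        or (kind(q) in beaten_by and matches(pattern, q))))

def implies(qualified, path):
    """A qualified pattern "p:q1:q2" implies paths matched by p and by no qualifier."""
    pattern, *quals = qualified.split(":")
    return matches(pattern, path) and not any(matches(q, path) for q in quals)

def combine(prev, auth):
    """Servlet 13.8.1: an empty auth-constraint beats an absent one, which beats roles."""
    new = EXCLUDED if auth == () else UNCHECKED if auth is None else frozenset(auth)
    if prev is None:
        return new
    if EXCLUDED in (prev, new):
        return EXCLUDED
    return UNCHECKED if UNCHECKED in (prev, new) else prev | new

def method_spec(methods):
    """Action string of a permission: "" = all methods, "GET,PUT" = listed, "!PUT" = all but."""
    missing = sorted(set(ALL_METHODS) - set(methods))
    if not missing:
        return ""
    return "!" + ",".join(missing) if len(missing) < len(methods) else ",".join(sorted(methods))

def method_in(spec, method):
    if spec.startswith("!"):
        return method not in spec[1:].split(",")
    return spec == "" or method in spec.split(",")

def translate(constraints):
    """(qualified_pattern, method_spec, target) triples; target is EXCLUDED, UNCHECKED or a role."""
    patterns = {p for c in constraints for p in c.patterns} | {"/"}
    perms = []
    for p in sorted(patterns):
        qualified = p + "".join(":" + q for q in qualifiers(p, patterns))
        state = {}
        for c in constraints:
            if p in c.patterns:
                for m in (c.methods or ALL_METHODS):
                    state[m] = combine(state.get(m), c.auth)
        for m in ALL_METHODS:                 # methods no constraint names: uncovered, so unchecked
            state.setdefault(m, UNCHECKED)
        groups = {}
        for m, s in state.items():
            for target in ([s] if isinstance(s, str) else sorted(s)):
                groups.setdefault(target, set()).add(m)
        perms += [(qualified, method_spec(groups[t]), t) for t in sorted(groups)]
    return perms

def decide(perms, path, method, roles=()):
    """Policy evaluation order: excluded, then unchecked, then the caller's roles."""
    hit = {t for qp, spec, t in perms if implies(qp, path) and method_in(spec, method)}
    if EXCLUDED in hit:
        return "excluded"
    if UNCHECKED in hit:
        return "unchecked"
    return "granted" if hit & set(roles) else "denied"

# Constructed sample: the web.xml situation described in the message above.
BEFORE = [Constraint(("/Foo/*",), (), ("Admin",))]              # /Foo/* only for role Admin
AFTER = BEFORE + [Constraint(("/Foo/Bar/*",), ("PUT",), ())]    # plus: exclude PUT on /Foo/Bar/*

if __name__ == "__main__":
    print(*translate(AFTER), decide(translate(AFTER), "/Foo/Bar/Baz", "GET"), sep="\n")
```

Running it shows `/Foo/*` becoming the qualified pattern `/Foo/*:/Foo/Bar/*`, so `/Foo/Bar/Baz` is now decided by the `/Foo/Bar/*` entries alone: `("/Foo/Bar/*", "PUT", "EXCLUDED")` and `("/Foo/Bar/*", "!PUT", "UNCHECKED")`. A GET that previously required Admin is unchecked, which is the effect the message describes. Note also that in this model every (pattern, method) pair ends up in exactly one of excluded, unchecked or role-granted, which is why nothing beyond dropping role grants identical to excluded ones is needed when the deployer removes excluded permissions from the web policy. Servlet 3.1 later added `<deny-uncovered-http-methods/>` so a deployment can turn such uncovered methods into denials instead.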

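The EJB rewrite described in the message (replace a grant that overlaps an excluded permission with the individual method permissions it covers, minus those an excluded permission implies) can be shown with a small model of EJBMethodPermission's implies semantics. This is an added example written for this page, not Geronimo's deployer code: the bean, its method table, the role grants and the exclude-list entry are constructed, and the permission class mirrors the wildcard behaviour of javax.security.jacc.EJBMethodPermission's action fields without reproducing its string syntax.

```python
# Added example, not Geronimo code: a model of EJBMethodPermission.implies() and of the
# deployer-time rewrite that replaces a grant overlapping an excluded permission with the
# bean's concrete method permissions minus the excluded ones.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class EJBMethodPermission:
    """Wildcards are None, like the empty action fields of javax.security.jacc.EJBMethodPermission.
    params=() means a method taking no parameters, which differs from params=None (any signature)."""
    ejb_name: str
    method: Optional[str] = None                # None: any method name
    interface: Optional[str] = None             # None: any of Home, Remote, Local, ...
    params: Optional[Tuple[str, ...]] = None    # None: any signature

    def implies(self, other: "EJBMethodPermission") -> bool:
        if self.ejb_name != other.ejb_name:
            return False
        return all(mine is None or mine == theirs for mine, theirs in
                   ((self.method, other.method), (self.interface, other.interface),
                    (self.params, other.params)))

def excluded_by(perm, excluded):
    return any(x.implies(perm) for x in excluded)

def rewrite_grants(grants, excluded, bean_methods):
    """Deployer-time expansion: a grant that covers any excluded method of the bean is replaced by
    the concrete method permissions it covers, minus those an excluded permission implies.
    Grants with no overlap are kept as written, so the common case stays compact."""
    result = {}
    for role, perms in grants.items():
        kept = []
        for grant in perms:
            covered = [m for m in bean_methods if grant.implies(m)]
            if any(excluded_by(m, excluded) for m in covered):
                kept.extend(m for m in covered if not excluded_by(m, excluded))
            else:
                kept.append(grant)
        result[role] = kept
    return result

def permitted(grants, role, request):
    """Policy check that consults only the role's grants; safe only after the rewrite."""
    return any(p.implies(request) for p in grants.get(role, ()))

# Constructed sample bean: every concrete method the deployer can see on its interfaces.
ACCOUNT_METHODS = (
    EJBMethodPermission("AccountBean", "create", "Home", ()),
    EJBMethodPermission("AccountBean", "remove", "Home", ("java.lang.Object",)),
    EJBMethodPermission("AccountBean", "getBalance", "Remote", ()),
    EJBMethodPermission("AccountBean", "transfer", "Remote", ("java.lang.String", "long")),
    EJBMethodPermission("AccountBean", "remove", "Remote", ()),
)
GRANTS = {
    "Admin": [EJBMethodPermission("AccountBean")],                 # method-permission on every method
    "Teller": [EJBMethodPermission("AccountBean", "getBalance")],  # one method name, any interface
}
EXCLUDED = [EJBMethodPermission("AccountBean", "remove", "Remote")]  # exclude-list entry
REMOVE_REMOTE = ACCOUNT_METHODS[4]

if __name__ == "__main__":
    rewritten = rewrite_grants(GRANTS, EXCLUDED, ACCOUNT_METHODS)
    # A grants-only check wrongly permits the excluded method before the rewrite, not after it.
    print(permitted(GRANTS, "Admin", REMOVE_REMOTE), permitted(rewritten, "Admin", REMOVE_REMOTE))
    for p in rewritten["Admin"]:
        print(p)
```

After the rewrite, Admin's single wildcard grant becomes four concrete permissions (create and remove on Home, getBalance and transfer on Remote) while Teller's grant, which does not overlap the exclusion, is left untouched. The practical caveat is that the expansion is only as complete as the method table the deployer builds from the bean's interfaces; a policy provider that still consults the excluded set at check time is the safety net if that table is wrong.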