I have created a beautiful database-driven implementation of JAAS based on
this book http://www.jaasbook.com/ that includes a custom implementation of:
- javax.security.auth.callback.CallbackHandler for input login info
- javax.security.auth.login.Configuration for database based loginmodule aggregation
- javax.security.auth.spi.LoginModule
- java.security.Policy permissions retrieved from database
- java.security.BasicPermission for testing
When I start the program (I'm actually using the http service so I'm setting
this up in the HttpServlet.init function) I set up the config and policy:

    Configuration.setConfiguration(new xConfig());
    Policy.setPolicy(new xPolicy());
    System.setSecurityManager(new SecurityManager());

and then try to log in:

    xHandler handler = new xHandler();
    LoginContext context = new LoginContext("app", handler);
    context.login();

Everything works to this point, but when I try to do a test check:

    Subject subject = context.getSubject();
    Subject.doAsPrivileged(
        subject,
        new PrivilegedAction() {
            public Object run() {
                // Both tested
                java.security.AccessController.checkPermission(
                    new xPermission("xname", "xaction"));
                System.getSecurityManager().checkPermission(
                    new xPermission("xname", "xaction"));
                return null;
            }
        },
        null);

nothing happens: the xPermission implementation ALWAYS returns false from
the implies() function, but the thing never throws the expected
SecurityException/AccessControlException.

Doing some debugging of the process, I got to the Policy.implies(domain,
permission) function, where I call Policy.getPermissions(domain) to get the
permissions collection and permissions.implies(permission) to do the actual
check. The returned permissions collection contains: 1. the actual permissions
granted to the principals belonging to the authenticated user, OR
AllPermission IF the domain passed to the getPermissions function doesn't have
a Principal (to allow everything that doesn't have to do with my custom
checks).

But somehow the Policy.implies function is checking the SAME permission twice
using two different domains: one is my bundle domain com.mycompany.mybundle
and the other is the org.eclipse.osgi bundle. The problem is that somehow the
first attempt with my domain (which every time returns false) doesn't throw
the AccessControlException until the second attempt with the osgi domain. The
worst thing is that it looks like the osgi domain attempt is the only one
that counts, because if I probe for the osgi domain and return false then the
exception is thrown no matter whether true or false was returned the last
time. This appears to happen ONLY in the OSGi environment, because if I test
this in a plain Java main program everything works as expected. Any clues?
Thanks.
_______________________________________________
equinox-dev mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/equinox-dev
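A small standalone program, added here and not part of the original post or of Equinox, that traces which ProtectionDomains an AccessController.checkPermission() call under Subject.doAsPrivileged() actually consults, so the two-domain behaviour described above can be observed directly. TracingPolicy, XPermission and the "demo-user" principal are constructed names for this example; it assumes a JDK on which the security manager can still be installed (Java 8 or 11, or Java 17 with -Djava.security.manager=allow).

```java
import java.security.*;
import java.util.Collections;
import javax.security.auth.Subject;

// Constructed for this example: a Policy that logs every (domain, permission)
// query it receives before deciding, so each consulted domain becomes visible.
class TracingPolicy extends Policy {
    @Override
    public boolean implies(ProtectionDomain domain, Permission perm) {
        boolean hasPrincipals = domain.getPrincipals().length > 0;
        Object location = domain.getCodeSource() == null
                ? null : domain.getCodeSource().getLocation();
        // Same rule the post describes: domains without a Principal get
        // everything; the custom permission is denied to domains that carry
        // principals (the Subject's, injected by the domain combiner).
        boolean granted = !hasPrincipals || !(perm instanceof XPermission);
        System.out.println("policy query: code=" + location
                + " principals=" + hasPrincipals + " perm=" + perm
                + " -> " + granted);
        return granted;
    }
}

// Stand-in for the post's xPermission: implies() always answers false.
class XPermission extends BasicPermission {
    XPermission(String name) { super(name); }
    @Override public boolean implies(Permission p) { return false; }
}

public class PolicyTrace {
    public static void main(String[] args) {
        Policy.setPolicy(new TracingPolicy());
        System.setSecurityManager(new SecurityManager());
        Principal demo = () -> "demo-user";   // constructed principal
        Subject subject = new Subject(false, Collections.singleton(demo),
                Collections.emptySet(), Collections.emptySet());
        // A null third argument means: consult only the frames from run()
        // down, each one's ProtectionDomain rebuilt to carry the Subject's
        // principals. Every such domain must imply the permission.
        Subject.doAsPrivileged(subject, (PrivilegedAction<Void>) () -> {
            try {
                AccessController.checkPermission(new XPermission("xname"));
                System.out.println("GRANTED: no exception thrown");
            } catch (AccessControlException e) {
                System.out.println("DENIED: " + e.getMessage());
            }
            return null;
        }, null);
    }
}
```

Run it once as a plain main program, then from inside the container: the "policy query" lines list every code source the check walks, which is the place to look for a second domain (such as the framework bundle's) entering the decision.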