Part II of JAAS and functional security

Java
Max Rydahl Andersen

Hmm.....since the last time I posted, I've got one comment and I've searched even more around the 'net about JAAS and authorization (NOT authentication) and I've got a bit wiser ;)

The best thing first: JAAS authentication is well documented.

The second best thing: JAAS basic authorization is documented, but the documentation and implementation is not very usefull in context of an enterprise level role and policy based security mechanism. Basic problem: the default policy is file-based (hint: non-manageble when we are talking 1000 users) and concentrates about Classes, ProtectionDomains and CodeSource.

The third best thing: I can find small pieces of docs around the net indicating that it should be possible to use JAAS (instead of yet-another-security-framework) to implement a full scale enterprise security - but that I already knew, just can't seem to find any reallife examples about it - just small-time tutorials and references to big-bucks systems that noone seem to use (or at least, they don't write about it anywhere - except on the big-bucks company's website ;)

So, where are those systems and docs that describes how they use JAAS to implement enterprise level security ?
(And no, big-bucks alternative solutions is not a viable solution! It should be 100% JAAS based, I don't want to "import com.ibm.security.SpecialPolicyOrPermissionSystem" in my code - the only thing I want is "import javax.security.*" :)
If that's possible it is ok if it's a big-bucks implementation - I just want to see an example of JAAS applied instead of simple toy examples ;)

Note: The configuration and Policy implementation may of course use the big-bucks implementation, but they should conform to the JAAS API - nothing more should be needed. So, do you got any ?

whoops - almost forgot to list my "Good JAAS links"-list:

IBM article that is the only article I could find showing how to properly extend JAAS to perform functional and instance based authorization (e.g. "Any registered (authenticated) user can create an auction but only the user who created the auction may modify it." kind of permissions)

JavaGeeks article, examples and critique on how the default implementation of Policy works.

Another IBM slideshow, that Matt gave me in his comment. Among other good stuff it describes more precisly (almost mathematically) how the permissions works etc. A good read.

Comments

matt.

You need to do 2 things. First the current Thread needs to be running as the Subject whose Permissions you want to check. You can achieve this via the Subject.doAs() method.



Secondly, you will need to call out to the AccessController.checkPermission() method as that Subject.



I agree, it is poorly documented. The best tutorial I have found is actually an old O'Reilly conference presentation: http://www.research.ibm.com...

Distiller

I've written a JAAS system for my current contract. IMO you need to implement you're own Policy subclass to do it properly. This is because the standard policy file based implementation isn't very useful because of it's static nature. Then you can do whatever you want. I've implemented the getPermissions abstract method to return a collection of custom permissions from the db. Within the permissions, you can do whatever you like.

xam

And there isn't "tricky" situations regarding having the OwnPolicy integrate well with the default policy implementation ?



Can you show the highlights of the implementation or is to secret ? ;)

Distiller

You need to override the default policy by making a call to javax.auth.Policy.setPolicy, or set this via a java.security property ( I prefer the former because it means that you can deploy without changing vm parameters).



I must say that there is some fiddling around so that some of the default protection domains don't interfere with your policy. This is achieved by creating a new AccessControlContext with a SubjectDomainController inside it when you execute priveleged actions. You can do without this step, but I had some problems with the code-based policy interfering with it. There are also situations where your domains get lost because parts of the system get called within another context i.e. logging into a system is called back by the LoginContext in a different protection domain, and so it is not possible to check permissions from here. You might think this is unnecessary, but in the system I built, I don't really have the concept of an anonymous user, but rather a guest user that has it's own set of credentials / permissions. And a guest has permission to log into certain systems.



IMO the whole authorisation part of it is a bit flakey and takes a lot of experimenting to determine exactly how it's meant to work, because as you said, it's not documented that well (if at all).

Les

In most servlet or J2EE books (or even tomcat documentation) you will find the Realm portion documented pretty well. This will let you define multiple roles per principle. It does, however, leave it up to you how you validate those roles against your functionality. However, it is pretty easy to create a role to function table in the database. (BTW, there are DataSourceRealms and JDBCRealms that come with most app servers - even tomcat). So, you should be able to keep all of your data there.



I didn't read your first entry...but, I hope that this helps with this one.

xam

Les, that is all fine and dandy - and that all relates to <b>authentication</b> which is more or less straight forward.



The problem is that I need <b>non-basic authorization</b>, meaning that a simple "isInRole()" call is NOT enough!



I need something like .checkPermission(new MedicatePermission("department X", "patient Y", "drug Z", "10 o'clock")); which should dynamically check up against the current state of the system wether the current Subject is allowed to perform a medication on department X, regarding Patient Y with the Drug Z at 10 o'clock. This is not very easy to do with any realm or policy implementation I've seen.



But thanks for your comments anyway ;)

Les

OK...well here is what I am missing. Are you looking for something in JAAS that provides the .checkPermission method for you?? If so, you won't find it. I think that the most you can expect from JAAS is who am I and what are my roles (you can, btw, get all of the roles for the current user). So, you have to write your framework that can take a MedicatePermission Object and determine if the current user's roles (as currently in the database) are sufficient. It shouldn't be too hard to write.



EJB does provide you with method level role association, but I think this is a very narrow security model. I do think that OpenSymphony has an entitlement engine (OSAccess, I think). It may do more of what you want.



Anyway, my point is that JAAS will do authentication, but it only does part of the authorization. The rest is pretty much custom. I think that this is because JAAS was designed with EJB. So, it was not until later that it became it's own framework. As a result, half of it is in JAAS and half in EJB...for what it's worth. :)



Anyway, check out OSAccess and let me know if it is useful (I havn't looked at it much).

matt

xam - you have it correct. You will need to implement your MedicatePermission Permission but everything else is provided for you. Sun even provides a GUI to create your own policy files (although only the JDK 1.4.x versions are aware of Prinicpals).



If the default PolicyFile implementation isn't good enough, you can implement a Policy class that hits a database. I did one recently that updates itself every 30 minutes. A more elegant solution might be a Policy that subscribes to JMS Topic to be notified of policy updates.



By the way, I have always felt that the call to java.security.AccessController.checkPermission(Permission) and the Subject.doAs stuff just begged to be done as XDoclet tags. Then you could have something like



/**


* @security require com.me.MedicatePermission


*/


public void medicate(){


morphine++


}



Nice clean code. Declarative security. This is how .NET does it.

Les

xam - is what matt gives an example of what you want?? From what I gathered you wanted something dynamic, not declarative (per the .net example above). If that is what you want, ignore all of my previous comments because clearly I had it wrong. I thought that you wanted a credential check that's results could vary both on the role of the user and the underlying state of the functional or data components. Is this corrent? In other words, .checkPermisions(new MedicatePermission("morphine"....) == true if current nurse is certified, there is a heart specialist on duty, the patient has only had x amount, etc. If this is the case you should also really look at a rules engine. Since it sounds like this is as much business logic as it is security.

xampub

Great comments ;)



Les first: Yes, i'm well aware that JAAS won't "deduce"/"calculate" wether the current actually got the permisson or not. For that I'll need my own Policy/Permission implementation based on either code, magic, rules or whatever. But I really like the JAAS API, it has all the correct ingredients, and i'm basically just looking for documentation on how to implement such a best without interfeering (or rather how to integrate it) with the default implememntation/behavior.



And Matt: Yes, the policytool is there, but it does not scale well and the declaritive security in .net/J2EE just seems way to simple for my needs. I can for the life of me not see how I can based on just a simple role e.g. "nurse" can declare that she is not allowed to call "medicate()" ......because she can, if she has been given the right permissions - and that the timing/data is correct.......



But thanks for the comments - I now know that I'm on the right "path" I just need to find (or try to make a full example my own) of a good Policy/Permission set that can integrate well with JAAS, J2EE et.al. without to much pain for me as a programmer and "they" as customers ;)

Distiller

I've missed some of this debate, but bascially I agree with what Matt said. You need to implement your own Permission subclasses to do the checking. In the system I wrote, I have two (main) sections where I apply permission checking:



* when executing struts actions


* when creating system events



I think it's best doing it at a higher level, rather than checking in each method, although there may be some special cases where this is necessary. For the struts case, I implemented my on request processor that created permisions based on values set via properties in the struts-config.xml file. That is better than explicitly checking them in methods, because it isn't hidden in code and other developers can apply different permission checking depending on the usage of the code. This of course creates an opportunity for security holes, but you can apply "not-allowed-by-default" policy to remedie this, so if it fails, then it fails to disallow ( much better than the alternative). With the event system, I use the Interceptor pattern to check access to events.



The problem with "role-based" security is that it's not fine-grained enough and can only be implemented statically and don't model the real world that well. In my experience it is much better to create a "capabilities-based" model and then build a collection of capabilities based on the user's roles ( a subtle but important difference, because roles are only used to group capabilities). The authorsation system in this case doesn't know anything about "roles" and only cares about permissions.

Les

OK -- yet more. I realize that you may know this....but well, I found it interesting. They previous link I posted shows you how to use the java.security infrastructure. However the <a href="http://java.sun.com/j2se/1.... docs</a> show you how to change the Policy impl. The policy file is represented in memory by (you guessed) an object. The default implementation uses the static policy files. However, you can implement the abstract class java.security.Policy yourself to read from the db or whereever to accomplish your dynamic permissions requirements.



Anyway, you are right, the more I have looked into it the more impressed I am with the design.

xampub

Thanx for the comments....i'll dwelve deeper and hopefully come out on the top and blog about the result ;)



But please keep any good suggestions and links coming in a steady flow if you got'em ;)



I'm still missing an real-life example of an working alternative Policy impl. ;)

xam

......and now I'm just wondering how one would use the Permission's to express the more complicated permission check I wrote about.



All the Permissions I see is only created with two arguments (name and actions), e.g. new FilePermission(""/tmp/abc", "read, write")



Should I limit my permissions to follow the same scheme or could I do something like this:


new MedicationPermission("x", "A", "1", "morphine","create");



or should I encode those parameters into the 2 part string ?



new MedicationPermission("[pat=x][dep=A][type=1][drug=morphine]", "create");



Any comments ? ;)

Shivajee.R.Sharma

HI Xam,



what you can do is implement your permission with two constructor one protected which takes all the argument you mentioned and another which is pulic and takes only name and action.



When AccessController is checking the permission. It will create a permission with your public constructor and pass it the permission you have created in policy collection in it's implies method. you can typecast the permission into your Class and do whatever check you want based on the internal state of your permission.



only problem is you will also have to provide your own Policy implementation.



I am also working on the similar problem, i have managed to get authentication to group/role based permissions (users and groups defined in MySQL database), now i am writing PolicyDB which is an implementation of


Policy based on permissions defined in DB.



let me know you want to see my code of authentication, and i can give you authorization code once i complete it.

javaj

What if I want more sophistication with the way roles are handled. I want to group roles into capabilities and assign subjects/princples/users/whatever they are called to this capability (a group of roles). For example a manager has role - a,b,c,d&e. A developer has role d,e,f,g&h. when I create a manager instead of assigning him to 5 roles I assign him 1 capability & he gets linked to 5 roles. Then I shud be able to check from the app/code if he has role -'e'. I know this should be possible but how to go about doing this? Any pointers to this?

Jesse Houwing

I'm looking for something quite similar. In our system we'll have:



System, clients, projects and projectdata.



there are roles that apply Systemwide, clientwide or per project.



I read the IBM document and it does encapsulate most of th erequired functionality, but what I'm missing is the information that when replace the security policy file if all the system policies that you usually set in there need to conform the new format, because I was thinking of integrating all the permissions for te different roles into a database for easy management as well as the user-role-target relationships (eg user(john)-role(admin)-target(clienty\projectx).



I've looked everywhere but I'm slowly sinking in the quicksand surrounding this API, there is a little bit of info everywhere, but there seems to be no real useful reference.

Jesse Houwing

I've looked further into this and have come to th econclusion that at this moment there is no way I can implement this using JAAS in our current production environment.



Simply because every solution I've come up with that looks nice and includes both users/roles and object specific permissions involves writing and replecing the JVM side auth.policy.provider.



I did find a reference to an article on IBM's website that shows taht they're workign on improving the situetion:



http://www.research.ibm.com...



Jesse