From: mholzner <do-...@jb...> - 2005-11-01 19:18:02
And just when you think it's all working ... I followed your advice, and everything seemed to work. Now I started to work on redeployment issues and discovered that things derail on redeployment. I investigated a bit more and here is what I found:

1) If the mbean descriptor entries are in the jboss-service.xml in the portal sar, everything works as expected: there is one DelegatingPolicy instance that was created by the DelegatingPolicy mbean entry, and it is available to all the right places. Policy.getPolicy() returns it, and the PolicyConfigurationFactory uses it as well. The issue here is that when I redeploy the sar, the mbean entry for the DelegatingPolicy creates a new instance, and now Policy.getPolicy() returns the new instance, and the PolicyConfigurationFactory still has the old instance, hence the Policy.implies() fails since it checks against the wrong DelegatingPolicy instance.

2) If I take the mbean descriptor entries out of the sar into a separate file that I place into the deploy folder (I tried security-service.xml and jboss-service.xml), then the security service's start() method gets called much later than in 1), or at least appears to be, and as a result the AbstractWebDeployer kicks in before the DelegatingPolicy mbean, and already has a DelegatingPolicy installed by the time the DelegatingPolicy mbean gets a chance (this instance of the DelegatingPolicy doesn't know of the external permissions since it was not created via the DelegatingPolicy mbean entry, but rather via the JBossPolicyConfigurationFactory's constructor). As a result of that, the Policy.implies() check fails since the policy doesn't consider the PortalObjectPermission as a jaccPermission and hence delegates to the J2SE Policy to do the check.

Here are the mbean entries:

| <mbean
|    code="org.jboss.security.jacc.DelegatingPolicy"
|    name="jboss.security:service=JaccPolicyProvider"
|    xmbean-dd="">
|    <xmbean>
|       <attribute access="read-only" getMethod="getPolicyProxy">
|          <description>The java.security.Policy implementation</description>
|          <name>PolicyProxy</name>
|          <type>java.security.Policy</type>
|       </attribute>
|       <attribute access="read-write" getMethod="getExternalPermissionTypes" setMethod="setExternalPermissionTypes">
|          <description>The types of non-javax.security.jacc permissions to validate against this policy</description>
|          <name>ExternalPermissionTypes</name>
|          <type>[Ljava.lang.Class;</type>
|       </attribute>
|       <operation>
|          <name>listContextPolicies</name>
|          <return-type>java.lang.String</return-type>
|       </operation>
|    </xmbean>
|    <attribute name="ExternalPermissionTypes">org.jboss.portal.core.security.jacc.PortalObjectPermission</attribute>
| </mbean>
| <mbean
|    code="org.jboss.security.jacc.SecurityService"
|    name="jboss.security:service=JaccSecurityService"
|    xmbean-dd="">
|    <xmbean>
|       <descriptors>
|          <injection id="MBeanServerType" setMethod="setMBeanServer"/>
|          <injection id="ObjectNameType" setMethod="setObjectName"/>
|       </descriptors>
|       <attribute access="read-write" getMethod="getPolicyName" setMethod="setPolicyName">
|          <description>The policy provider MBean name</description>
|          <name>PolicyName</name>
|          <type>javax.management.ObjectName</type>
|       </attribute>
|       <attribute access="read-write" getMethod="getPolicyAttributeName"
|          setMethod="setPolicyAttributeName">
|          <description>The Policy attribute name on the PolicyName MBean</description>
|          <name>PolicyAttributeName</name>
|          <type>java.lang.String</type>
|       </attribute>
|       <operation>
|          <name>start</name>
|       </operation>
|       <operation>
|          <name>stop</name>
|       </operation>
|    </xmbean>
|    <attribute name="PolicyName">jboss.security:service=JaccPolicyProvider</attribute>
|    <attribute name="PolicyAttributeName">PolicyProxy</attribute>
| </mbean>

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3904701#3904701
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3904701
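
The first failure described in the post above, reduced to a self-contained model. This is an added example, not JBoss code and not the poster's: `DemoPolicy`, `CachingFactory`, `LookupFactory` and the `installed` field are hypothetical stand-ins for the DelegatingPolicy, the policy configuration factory and the slot behind Policy.setPolicy()/getPolicy(). `LookupFactory` shows one way to avoid the stale reference in this model and is an assumption, not the change JBoss adopted.

```java
import java.util.HashSet;
import java.util.Set;

// Simplified model of the redeployment problem; all class names are hypothetical.
public class StalePolicyDemo {
    // Stands in for DelegatingPolicy: remembers the permissions committed to it.
    static class DemoPolicy {
        private final Set<String> granted = new HashSet<>();
        void commit(String permission) { granted.add(permission); }
        boolean implies(String permission) { return granted.contains(permission); }
    }

    // Stands in for the JVM-wide slot behind Policy.setPolicy()/getPolicy().
    static DemoPolicy installed;

    // Stands in for a factory that captures the policy instance once, at construction.
    static class CachingFactory {
        final DemoPolicy policy;
        CachingFactory(DemoPolicy policy) { this.policy = policy; }
        void commit(String permission) { policy.commit(permission); }
        // Identity check: is the cached instance still the one that gets consulted?
        boolean inSync() { return policy == installed; }
    }

    // A factory that resolves the installed policy every time it commits.
    static class LookupFactory {
        void commit(String permission) { installed.commit(permission); }
    }

    public static void main(String[] args) {
        String perm = "PortalObjectPermission:/default"; // constructed sample value

        installed = new DemoPolicy();                    // first deployment
        CachingFactory caching = new CachingFactory(installed);
        caching.commit(perm);
        System.out.println("deploy:   inSync=" + caching.inSync()
                + " implies=" + installed.implies(perm));

        installed = new DemoPolicy();                    // redeploy installs a new instance
        caching.commit(perm);                            // lands in the old instance
        System.out.println("redeploy: inSync=" + caching.inSync()
                + " implies=" + installed.implies(perm));

        new LookupFactory().commit(perm);                // reaches the live instance
        System.out.println("lookup:   implies=" + installed.implies(perm));
    }
}
```

An identity comparison like `inSync()` is a quick way to confirm this class of problem after a redeploy: if the instance holding the committed permissions is not the instance being asked `implies()`, every check against the externally registered permission types will be denied.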