Re: [JBoss-user] Access control

2001-06-28 Thread danch (Dan Christopherson)

[EMAIL PROTECTED] wrote:

> On Thu, Jun 28, 2001 at 03:47:30AM -0700, Konstantin Priblouda wrote:
> 
>>>First, is there an easy explanation of the
>>>difference between groups
>>>and roles?
>>>
>>Role is a permission to do something. If I say, 
>>that role "admin" is required to call this method,
>>only authenticated user holding role "admin" will be
>>allowed to proceed. 
>>
> 
> I understood roles. Sorry for not being clear about that. What I
> didn't get was the significance of groups. The document I read stated
> that roles are on an application level while groups are on an
> application server level - I didn't quite see the purpose of the
> groups.
> 


The reasoning behind many of the layers of indirection in J2EE specdom 
becomes more clear when you remember the various roles that the specs 
discuss. In this case, consider the Enterprise Bean Provider vs. the 
Assembler and Deployer roles.

The provider will write beans that solve certain business problems, but 
doesn't necessarily know what environment they'll be deployed in. He 
defines a set of Roles that allow him to declaratively define basic 
permissions on the methods of the beans. Suppose he's writing an HR 
application. He may define an 'Administrator' role who can see all 
employees' compensation information (not something you want all users to 
do!). There may also be screens that allow a user to see their own 
vacation days, anniversary date, etc., requiring a normal 'User' role.

Suppose this application is then sold to a company who want to roll it 
out so that salaried employees can access the self-service stuff. 
Suppose that they elect to use application server services to map this 
application's security to their Windows NT domain. The application 
assembler will have to map the roles that the EJBs define to some group 
in that domain. Suppose she maps the 'Administrator' role to the 
existing 'HR' group and creates a new 'Salaried' group to map into the 
'User' role. Now the deployer can take this application (with this 
mapping) and roll it out against the appropriate database, etc. and the 
security will match (roughly at least) the needs of the company who 
bought the application.

Also, consider that there may be multiple applications deployed on the 
same server, and that many might define an 'Administrator' role that 
needs to refer to completely different people. For example, a bug 
tracking application running on the same server might define an 
'Administrator' role which provides access to bug assignment functions. 
Obviously, this can't be mapped to the HR group as above, perhaps it 
would be mapped to an 'IS Managers' group.

hope this has helped,
-danch

___
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user



Re: [JBoss-user] Access control

2001-06-28 Thread Konstantin Priblouda

 
> I understood roles. Sorry for not being clear about
> that. What I
> didn't get was the significance of groups. The
> document I read stated
> that roles are on an application level while groups
> are on an
> application server level - I didn't quite see the
> purpose of the
> groups.

I do not see it either :)
The only place where I have seen groups is login modules,
where they are used to manage assigned roles. 

But I can think of a group as a kind of role
( i.e. unix group "users" would be role "users" )


regards,

=
Konstantin Priblouda ( ko5tik )Freelance Software developer
< http://www.pribluda.de > < play java games -> http://www.yook.de >
< render charts online -> http://www.pribluda.de/povray/ >




Re: [JBoss-user] Access control

2001-06-28 Thread bcd

On Thu, Jun 28, 2001 at 03:47:30AM -0700, Konstantin Priblouda wrote:
> 
> > First, is there an easy explanation of the
> > difference between groups
> > and roles?
> 
> Role is a permission to do something. If I say, 
> that role "admin" is required to call this method,
> only authenticated user holding role "admin" will be
> allowed to proceed. 

I understood roles. Sorry for not being clear about that. What I
didn't get was the significance of groups. The document I read stated
that roles are on an application level while groups are on an
application server level - I didn't quite see the purpose of the
groups.

Cheers
Bent D
-- 
Bent Dalager - [EMAIL PROTECTED] - http://www.pvv.org/~bcd
powered by emacs




Re: [JBoss-user] Access control

2001-06-28 Thread bcd

On Thu, Jun 28, 2001 at 11:25:04AM +0100, Dan - Blue Lotus Software wrote:
> Why not simply make a session bean with two methods...getRecord() and
> getRecord(User user)...or something like that.
> 
> The first method signature would only retrieve data for the currently logged
> in user.  The second one would allow data to be retrieved for a different
> user.
> 
> You then could restrict access to the second method, so that only people in
> the "admin" role had access to it.
> 
> You could leave the first method wide open, security-wise.
> 
> In the end, you don't have to implement any special security, and the
> role-based security of J2EE would take care of everything.

This does sound useful for providing admin capabilities. It still
leaves me with implementing the security in the wide open method
though. I need to make sure my searches actually _do_ restrict results
to the current user. What I want is another, redundant mechanism that
also ensures this. In case I make a mistake in implementing the
searches, I want it to be caught by an underlying security mechanism.

Cheers
Bent D
-- 
Bent Dalager - [EMAIL PROTECTED] - http://www.pvv.org/~bcd
powered by emacs




Re: [JBoss-user] Access control

2001-06-28 Thread bcd

On Wed, Jun 27, 2001 at 09:25:56PM -0400, Allen fogleson wrote:
> it would just be a mess if you had to have method permissions for separate
> users, and not very dynamic at all. that's what roles are for.

What I would have liked is a method in entity beans called
checkAccess() that would be called after data is loaded for the entity
bean. There I could do my security checking (typically checking
against a security column I have added) and if I return false, an
appropriate security exception would be thrown and the contents of the
entity bean would not be made available to the current context.

checkAccess would typically be called only when the bean determines it
needs to load the data (for lazy loading) so the calling code would
need to either catch the security exception and skip that bean, or it
could be lazy and just abort (i.e., let it go to the next outer
layer).

I would still implement my searches so that I never _do_ get data I am
not supposed to, but I would like this level of redundancy to be
absolutely sure nobody gets information they shouldn't get. Getting
security exceptions would therefore in most cases be the result of
either a bug or of lazy programming. I still think it would be an
important addition.

I might be able to use ejbLoad() and/or ejbPostCreate() for this, but
I have yet to investigate how feasible this is.

Cheers
Bent D
-- 
Bent Dalager - [EMAIL PROTECTED] - http://www.pvv.org/~bcd
powered by emacs




RE: [JBoss-user] Access control

2001-06-28 Thread Konstantin Priblouda


> First, is there an easy explanation of the
> difference between groups
> and roles?

Role is a permission to do something. If I say, 
that role "admin" is required to call this method,
only authenticated user holding role "admin" will be
allowed to proceed. 


> Secondly, it doesn't seem to help me in the generic
> problem of wanting
> to restrict access to certain database records.
> Basically, I have paul
> and harry, both possessing the "customer" role. Paul
> should be able to
> browse his own orders but not Harry's. I take it I
> am left to
> implement this bit of security myself, in the lookups
> that I do?

Besides roles there is also the concept of a "principal" - 
this is the identity of the authenticated user. This identity
object can be anything you like, but mostly it would
contain a method to get the user name or some kind of ID. 

The session or entity context of the bean (remember this
method setEntityContext()? ) gives you 2 methods:
one to get the principal of the user, and another
to ask whether the currently authenticated user has a given
role ( consult the javadoc on it )

Principal creation and role mapping happen in your
login module ( if you use JAAS based security in jboss
). 

regards,

=
Konstantin Priblouda ( ko5tik )Freelance Software developer
< http://www.pribluda.de > < play java games -> http://www.yook.de >
< render charts online -> http://www.pribluda.de/povray/ >
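
Added example, not part of the original thread or of JBoss: the per-record check built on the caller principal that this message describes, combined with the redundant checkAccess() idea from Bent's message in this thread. CallerContext is a hypothetical stand-in for the two EJB context methods (getCallerPrincipal() and isCallerInRole()); the order rows and user names are constructed.

```java
import java.security.Principal;
import java.util.*;

public class OrderAccessDemo {
    // Hypothetical stand-in for the two EJB context methods named in the message.
    interface CallerContext {
        Principal getCallerPrincipal();
        boolean isCallerInRole(String role);
    }

    static final class Order {
        final int id; final String owner; final String item;
        Order(int id, String owner, String item) { this.id = id; this.owner = owner; this.item = item; }
    }

    // Constructed sample rows; "owner" plays the part of a security column.
    static final List<Order> TABLE = Arrays.asList(
        new Order(1, "paul", "keyboard"), new Order(2, "harry", "monitor"), new Order(3, "paul", "mouse"));

    private final CallerContext ctx;
    OrderAccessDemo(CallerContext ctx) { this.ctx = ctx; }

    // Second layer: runs on every loaded row, however the lookup was written.
    private Order checkAccess(Order o) {
        String caller = ctx.getCallerPrincipal().getName();
        if (!o.owner.equals(caller) && !ctx.isCallerInRole("admin")) {
            throw new SecurityException(caller + " may not read order " + o.id);
        }
        return o;
    }

    // First layer: the search itself is scoped to the caller's principal.
    List<Order> myOrders() {
        String caller = ctx.getCallerPrincipal().getName();
        List<Order> out = new ArrayList<>();
        for (Order o : TABLE) if (o.owner.equals(caller)) out.add(checkAccess(o));
        return out;
    }

    // A lookup by key carries no owner filter, so only checkAccess() guards it.
    Order findById(int id) {
        for (Order o : TABLE) if (o.id == id) return checkAccess(o);
        throw new NoSuchElementException("order " + id);
    }

    static CallerContext caller(String name, String... roles) {
        Set<String> held = new HashSet<>(Arrays.asList(roles));
        return new CallerContext() {
            public Principal getCallerPrincipal() { return () -> name; }
            public boolean isCallerInRole(String r) { return held.contains(r); }
        };
    }

    public static void main(String[] args) {
        OrderAccessDemo paul = new OrderAccessDemo(caller("paul", "customer"));
        System.out.println("paul sees " + paul.myOrders().size() + " orders");
        try { paul.findById(2); } catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        System.out.println("admin reads: " + new OrderAccessDemo(caller("root", "admin")).findById(2).item);
    }
}
```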




RE: [JBoss-user] Access control

2001-06-28 Thread Dan - Blue Lotus Software

Why not simply make a session bean with two methods...getRecord() and
getRecord(User user)...or something like that.

The first method signature would only retrieve data for the currently logged
in user.  The second one would allow data to be retrieved for a different
user.

You then could restrict access to the second method, so that only people in
the "admin" role had access to it.

You could leave the first method wide open, security-wise.

In the end, you don't have to implement any special security, and the
role-based security of J2EE would take care of everything.

-dan

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, June 27, 2001 9:23 PM
To: jboss
Subject: [JBoss-user] Access control


It appears as if J2EE's use of JAAS gives me some control over which
users can use which methods in which beans. However, I have a couple
of concerns;

First, is there an easy explanation of the difference between groups
and roles?

Secondly, it doesn't seem to help me in the generic problem of wanting
to restrict access to certain database records. Basically, I have paul
and harry, both possessing the "customer" role. Paul should be able to
browse his own orders but not Harry's. I take it I am left to
implement this bit of security myself, in the lookups that I do?

Cheers
Bent D
--
Bent Dalager - [EMAIL PROTECTED] - http://www.pvv.org/~bcd
powered by emacs




Re: [JBoss-user] Access control

2001-06-27 Thread Allen fogleson

it would just be a mess if you had to have method permissions for separate
users, and not very dynamic at all. that's what roles are for.


- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 27, 2001 8:48 PM
Subject: Re: [JBoss-user] Access control


> On Wed, Jun 27, 2001 at 07:02:05PM -0400, Allen fogleson wrote:
> > fortunately yes.
>
> Why is this fortunate?
>
> Cheers
> Bent D
> --
> Bent Dalager - [EMAIL PROTECTED] - http://www.pvv.org/~bcd
> powered by emacs
>





Re: [JBoss-user] Access control

2001-06-27 Thread bcd

On Wed, Jun 27, 2001 at 07:02:05PM -0400, Allen fogleson wrote:
> fortunately yes. 

Why is this fortunate?

Cheers
Bent D
-- 
Bent Dalager - [EMAIL PROTECTED] - http://www.pvv.org/~bcd
powered by emacs




Re: [JBoss-user] Access control

2001-06-27 Thread Allen fogleson

fortunately yes. 

Al

- Original Message - 
From: <[EMAIL PROTECTED]>
To: jboss <[EMAIL PROTECTED]>
Sent: Wednesday, June 27, 2001 4:23 PM
Subject: [JBoss-user] Access control


> It appears as if J2EE's use of JAAS gives me some control over which
> users can use which methods in which beans. However, I have a couple
> of concerns;
> 
> First, is there an easy explanation of the difference between groups
> and roles?
> 
> Secondly, it doesn't seem to help me in the generic problem of wanting
> to restrict access to certain database records. Basically, I have paul
> and harry, both possessing the "customer" role. Paul should be able to
> browse his own orders but not Harry's. I take it I am left to
> implement this bit of security myself, in the lookups that I do?
> 
> Cheers
> Bent D
> -- 
> Bent Dalager - [EMAIL PROTECTED] - http://www.pvv.org/~bcd
> powered by emacs
> 





[JBoss-user] Access control

2001-06-27 Thread bcd

It appears as if J2EE's use of JAAS gives me some control over which
users can use which methods in which beans. However, I have a couple
of concerns;

First, is there an easy explanation of the difference between groups
and roles?

Secondly, it doesn't seem to help me in the generic problem of wanting
to restrict access to certain database records. Basically, I have paul
and harry, both possessing the "customer" role. Paul should be able to
browse his own orders but not Harry's. I take it I am left to
implement this bit of security myself, in the lookups that I do?

Cheers
Bent D
-- 
Bent Dalager - [EMAIL PROTECTED] - http://www.pvv.org/~bcd
powered by emacs




Re: [JBoss-user] Access Control Problem

2001-05-08 Thread Scott M Stark

The server.policy is only for the JBoss server, not clients.

- Original Message - 
From: "Michael Hustler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 08, 2001 1:22 PM
Subject: RE: [JBoss-user] Access Control Problem


> That helped - thanks!  Using the debug=all I found that the .java.policy
> file could not be found in my unix home directory or in the java jre
> directory.  I created a .java.policy file in my home directory which was
> identical to the server.policy file below.
> 
> Why was the server.policy file not used?  When running on NT, I don't
> remember having to define a .java.policy file.
> 
> thanks in advance.
> 
> m.
> 






RE: [JBoss-user] Access Control Problem

2001-05-08 Thread Michael Hustler

That helped - thanks!  Using the debug=all I found that the .java.policy
file could not be found in my unix home directory or in the java jre
directory.  I created a .java.policy file in my home directory which was
identical to the server.policy file below.

Why was the server.policy file not used?  When running on NT, I don't
remember having to define a .java.policy file.

thanks in advance.

m.

-Original Message-
From: Scott M Stark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 08, 2001 11:53 AM
To: [EMAIL PROTECTED]
Subject: Re: [JBoss-user] Access Control Problem


Add -Djava.security.debug=all to the command line and make sure you
redirect the output to a file as you will get a ton of security debugging that
will tell you what policy files are loaded, etc.

- Original Message - 
From: "Michael Hustler" <[EMAIL PROTECTED]>
To: "Jboss (E-mail)" <[EMAIL PROTECTED]>
Sent: Tuesday, May 08, 2001 10:20 AM
Subject: [JBoss-user] Access Control Problem


> Hi, I'm having problems with the access control during a get or set
> Properties call.
> My server.policy file looks like:
> 
> grant {
>     // Allow everything for now
>     permission java.security.AllPermission;
> };
> 
> But I don't think it is being read.  Is there a way to verify this?
> The exception trace is below.
> 
> Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java, Compiled Code)
>     at java.security.AccessController.checkPermission(AccessController.java, Compiled Code)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java, Compiled Code)
>     at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java, Compiled Code)
>     at java.lang.System.getProperties(System.java, Compiled Code)
>     at TestBmpClient.main(TestBmpClient.java, Compiled Code)
> 
> Thanks!
> mike.
> 





Re: [JBoss-user] Access Control Problem

2001-05-08 Thread Scott M Stark

Add -Djava.security.debug=all to the command line and make sure you
redirect the output to a file as you will get a ton of security debugging that
will tell you what policy files are loaded, etc.

- Original Message - 
From: "Michael Hustler" <[EMAIL PROTECTED]>
To: "Jboss (E-mail)" <[EMAIL PROTECTED]>
Sent: Tuesday, May 08, 2001 10:20 AM
Subject: [JBoss-user] Access Control Problem


> Hi, I'm having problems with the access control during a get or set
> Properties call.
> My server.policy file looks like:
> 
> grant {
>     // Allow everything for now
>     permission java.security.AllPermission;
> };
> 
> But I don't think it is being read.  Is there a way to verify this?
> The exception trace is below.
> 
> Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java, Compiled Code)
>     at java.security.AccessController.checkPermission(AccessController.java, Compiled Code)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java, Compiled Code)
>     at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java, Compiled Code)
>     at java.lang.System.getProperties(System.java, Compiled Code)
>     at TestBmpClient.main(TestBmpClient.java, Compiled Code)
> 
> Thanks!
> mike.
> 





[JBoss-user] Access Control Problem

2001-05-08 Thread Michael Hustler

Hi, I'm having problems with the access control during a get or set
Properties call.
My server.policy file looks like:

grant {
    // Allow everything for now
    permission java.security.AllPermission;
};

But I don't think it is being read.  Is there a way to verify this?
The exception trace is below.

Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java, Compiled Code)
    at java.security.AccessController.checkPermission(AccessController.java, Compiled Code)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java, Compiled Code)
    at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java, Compiled Code)
    at java.lang.System.getProperties(System.java, Compiled Code)
    at TestBmpClient.main(TestBmpClient.java, Compiled Code)

Thanks!
mike.

