Re: [JBoss-user] JAAS & JBossSX vs Application Security

2001-05-23 Thread Scott M Stark

Theoretically yes, practically I don't know. You do need to have a Subject
with its associated Principals to create a Subject based permission context
using the Subject.doAs() or equivalent.

- Original Message - 
From: "Jason Dillon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 23, 2001 11:58 AM
Subject: Re: [JBoss-user] JAAS & JBossSX vs Application Security


> Ok, then does it make sense to rely on JAAS for all of the security aspects
> of a system, or is the technology not mature enough yet?
> 
> Specifically can it be used to limit access to methods or individual
> resources (such as a file or a database record marked with some identifier)
> based on a single user login point?  Or will the application have to
> maintain some extra login state to achieve this level of security?
> 
> --jason
> 



___
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user



Re: [JBoss-user] JAAS & JBossSX vs Application Security

2001-05-23 Thread Jason Dillon

Ok, then does it make sense to rely on JAAS for all of the security aspects
of a system, or is the technology not mature enough yet?

Specifically can it be used to limit access to methods or individual
resources (such as a file or a database record marked with some identifier)
based on a single user login point?  Or will the application have to
maintain some extra login state to achieve this level of security?

--jason

On Wed, 23 May 2001, Scott M Stark wrote:

> Reliance on static files is not a requirement; it's simply the default mode. In
> the JBossSX codebase is an example custom javax.security.auth.Policy
> implementation that obtains permission info from an IAppPolicyStore which
> could be a database, ldap server, etc. The prototype uses an xml file.
>
> JNDI cannot be secured via JAAS currently simply because it does not
> make any permission checks. A future version of jnp will support secured
> access via subject based permissions.
>
> - Original Message -
> From: "Jason Dillon" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, May 22, 2001 6:13 PM
> Subject: [JBoss-user] JAAS & JBossSX vs Application Security
>
>
> > Hello, I am trying to figure out what the *best* approach is for adding
> > robust security to a highly distributed JMX/EJB/JMS application.  I have
> > just looked over the docs about JAAS as well as the JBossSX guide and I
> > still do not have a good feel for what is the correct approach for what I
> > am trying to do.
> >
> > JAAS looks like it follows the basic Java 2 security model, which relies on a
> > static file to list who has access to what, which seems a little odd since
> > in most cases the 'who' is probably listed somewhere in a database, so I am
> > a little confused by their examples.
> >
> > Currently we perform the authentication ourselves, via an ejb call that
> > returns a session bean that represents what that user can do.  This has some
> > obvious issues, like if the user just tried to look up an object which they
> > are not supposed to directly instead of going through the gateway.
> >
> > It looks like JAAS/JBossSX might solve this, forcing the user to login
> > first, but it is unclear how that would solve all of the access problems
> > that might occur.
> >
> > Say User A created a file "user_a_private_stuff" via the FileManager bean,
> > how would I prevent User B from logging in, creating a FM bean then reading
> > that file?
> >
> > Can the security framework be used to replace most (if not all) other
> > aspects of security, such as forcing users through a gateway "access
> > manager" bean?
> >
> > Can it be used to grant/limit access to fine grained resources based on
> > principal or credentials retrieved from a database lookup (via an entity
> > bean)?
> >
> > Is there any way to limit access via JNDI by this method?
> >
> > Does anyone know of any detailed documentation/examples of non-trivial
> > security implementations (like users with a set of permissions, application
> > code that can check for a given permission or set of permissions as well as
> > the identity of a user before executing an action, and storing all of that
> > information in a database).
> >
> > Or perhaps there is a way to use session beans similar to a servlet session
> > to store this data... I just don't know. =(
> >
> > Any help would be appreciated.
> >
> > --jason



Re: [JBoss-user] JAAS & JBossSX vs Application Security

2001-05-23 Thread Scott M Stark

Reliance on static files is not a requirement; it's simply the default mode. In
the JBossSX codebase is an example custom javax.security.auth.Policy
implementation that obtains permission info from an IAppPolicyStore which
could be a database, ldap server, etc. The prototype uses an xml file.

JNDI cannot be secured via JAAS currently simply because it does not
make any permission checks. A future version of jnp will support secured
access via subject based permissions.

- Original Message - 
From: "Jason Dillon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 22, 2001 6:13 PM
Subject: [JBoss-user] JAAS & JBossSX vs Application Security


> Hello, I am trying to figure out what the *best* approach is for adding
> robust security to a highly distributed JMX/EJB/JMS application.  I have
> just looked over the docs about JAAS as well as the JBossSX guide and I
> still do not have a good feel for what is the correct approach for what I
> am trying to do.
> 
> JAAS looks like it follows the basic Java 2 security model, which relies on a
> static file to list who has access to what, which seems a little odd since
> in most cases the 'who' is probably listed somewhere in a database, so I am
> a little confused by their examples.
> 
> Currently we perform the authentication ourselves, via an ejb call that
> returns a session bean that represents what that user can do.  This has some
> obvious issues, like if the user just tried to look up an object which they
> are not supposed to directly instead of going through the gateway.
> 
> It looks like JAAS/JBossSX might solve this, forcing the user to login
> first, but it is unclear how that would solve all of the access problems
> that might occur.
> 
> Say User A created a file "user_a_private_stuff" via the FileManager bean,
> how would I prevent User B from logging in, creating a FM bean then reading
> that file?
> 
> Can the security framework be used to replace most (if not all) other
> aspects of security, such as forcing users through a gateway "access
> manager" bean?
> 
> Can it be used to grant/limit access to fine grained resources based on
> principal or credentials retrieved from a database lookup (via an entity
> bean)?
> 
> Is there any way to limit access via JNDI by this method?
> 
> Does anyone know of any detailed documentation/examples of non-trivial
> security implementations (like users with a set of permissions, application
> code that can check for a given permission or set of permissions as well as
> the identity of a user before executing an action, and storing all of that
> information in a database).
> 
> Or perhaps there is a way to use session beans similar to a servlet session
> to store this data... I just don't know. =(
> 
> Any help would be appreciated.
> 
> --jason

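The store-backed Policy idea from the message above, applied to the "user_a_private_stuff" question, as an added example that is not part of the thread and not code from the JBossSX codebase. `PermissionStore` is a hypothetical stand-in for a store such as IAppPolicyStore (whose interface is not shown in the thread), the `/data/` path and user names are constructed, and the Policy is queried directly rather than installed JVM-wide.

```java
import java.io.FilePermission;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class StoreBackedPolicyDemo {
    // Hypothetical store interface: could be backed by a database, LDAP or XML.
    interface PermissionStore {
        Collection<Permission> permissionsFor(Principal p);
    }

    // Policy that ignores static policy files and asks the store per principal.
    static class StoreBackedPolicy extends Policy {
        private final PermissionStore store;
        StoreBackedPolicy(PermissionStore store) { this.store = store; }

        @Override
        public boolean implies(ProtectionDomain domain, Permission requested) {
            for (Principal p : domain.getPrincipals())
                for (Permission granted : store.permissionsFor(p))
                    if (granted.implies(requested)) return true;
            return false; // default deny: no grant found for any principal
        }
    }

    // Builds the domain a Subject-based permission context presents to the Policy.
    static ProtectionDomain domainFor(Subject s) {
        Principal[] ps = s.getPrincipals().toArray(new Principal[0]);
        return new ProtectionDomain(null, null, null, ps);
    }

    static Subject subject(String name) {
        Subject s = new Subject();
        s.getPrincipals().add(new X500Principal("CN=" + name));
        return s;
    }

    public static void main(String[] args) {
        // Constructed sample rows: only user A holds a grant on A's file.
        String file = "/data/user_a_private_stuff";
        Map<String, List<Permission>> rows = new HashMap<>();
        rows.put("CN=userA", List.of(new FilePermission(file, "read,write")));
        PermissionStore store = p -> rows.getOrDefault(p.getName(), List.of());
        Policy policy = new StoreBackedPolicy(store);
        Permission read = new FilePermission(file, "read");
        System.out.println("userA: " + policy.implies(domainFor(subject("userA")), read));
        System.out.println("userB: " + policy.implies(domainFor(subject("userB")), read));
    }
}
```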


[JBoss-user] JAAS & JBossSX vs Application Security

2001-05-22 Thread Jason Dillon

Hello, I am trying to figure out what the *best* approach is for adding
robust security to a highly distributed JMX/EJB/JMS application.  I have
just looked over the docs about JAAS as well as the JBossSX guide and I
still do not have a good feel for what is the correct approach for what I
am trying to do.

JAAS looks like it follows the basic Java 2 security model, which relies on a
static file to list who has access to what, which seems a little odd since
in most cases the 'who' is probably listed somewhere in a database, so I am
a little confused by their examples.

Currently we perform the authentication ourselves, via an ejb call that
returns a session bean that represents what that user can do.  This has some
obvious issues, like if the user just tried to look up an object which they
are not supposed to directly instead of going through the gateway.

It looks like JAAS/JBossSX might solve this, forcing the user to login
first, but it is unclear how that would solve all of the access problems
that might occur.

Say User A created a file "user_a_private_stuff" via the FileManager bean,
how would I prevent User B from logging in, creating a FM bean then reading
that file?

Can the security framework be used to replace most (if not all) other
aspects of security, such as forcing users through a gateway "access
manager" bean?

Can it be used to grant/limit access to fine grained resources based on
principal or credentials retrieved from a database lookup (via an entity
bean)?

Is there any way to limit access via JNDI by this method?

Does anyone know of any detailed documentation/examples of non-trivial
security implementations (like users with a set of permissions, application
code that can check for a given permission or set of permissions as well as
the identity of a user before executing an action, and storing all of that
information in a database).

Or perhaps there is a way to use session beans similar to a servlet session
to store this data... I just don't know. =(

Any help would be appreciated.

--jason

