Specifying fine-grained MBean security in the MBean descriptor

 

To implement fine-grained administrative security, your code must identify the resource instance that the managed bean (MBean) represents and assign the user the required role for that instance of the resource. This topic discusses what to do to identify the resource and assign the required role. This topic also discusses how to make an MBean method run under a different user identity so that the method can access other resource instances. Lastly, this topic discusses how to check if an MBean method has access to a resource instance by using programmatic interfaces. This task assumes a basic familiarity with MBean programming. For information on MBean programming, see MBean Java application programming interface (API) documentation.

 

Overview

Perform the following task to ensure that an MBean or MBean method is protected. Identify the resource instance that the MBean or MBean method represents and assign required roles to access the MBean. Perform this task during the development of the MBean.

 

Procedure

1. Determine the resource instance that the MBean represents and the required roles to invoke the MBean methods.

   Every MBean method has a default MBean security policy. When the MBean method uses the default security policy, the resource instance that the MBean represents is assumed to be the server in which the MBean runs. If an MBean or MBean method represents a resource instance other than the server on which it runs, perform the following steps:

   1. Identify the resource instance that the MBean represents.

      • If an MBean, such as the Server MBean, accesses and modifies the server in which the MBean runs, do not specify a security policy to verify that the user invoking the MBean is granted access to the server because the default security policy is in force. In most cases, you use an MBean to access and modify the server.

      • If an MBean that runs inside a server can access and modify resources that do not directly belong to the server, check if the user invoking the MBean is granted access to the instance of the resource before allowing the MBean method to run.

        In most cases, identify the resource instance by identifying the key-value pair in the object name of the MBean that represents the resource instance. The resourceIndentifierKey attribute defines the key.

        For example, you can use the EJBModule MBean to access an Enterprise JavaBeans (EJB) module within an application that runs inside the server. In this case, the object name of the EJBModule MBean contains a key-value pair. The key is Application. The value represents the resource instance that the EJBModule MBean tries to access. The user that invokes this MBean method is verified to make sure that access is granted to this instance of the application before allowing the MBean method to run. The following example shows how to describe the fine-grained administrative security for the EJBModule type of MBean in the MBean descriptor:

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE MBean SYSTEM "MbeanDescriptor.dtd">
        <MBean type="EJBModule" j2eeType="EJBModule"
          version="5.0"
          platform="dynamicproxy"
          resourceIdentifierKey="Application"
          resourceType="Application"
          deployerMBean="true"
          description="Management interface for the EJBModule component.">
        

      • If you can determine the resource that the MBean accesses before the MBean is invoked, but you cannot use the MBean object name to determine the resource instance that the MBean accesses, use parameters that are passed to the MBean instead.

        Identify the MBean method parameter name with a parameter value that represents the resource instance. Mark the corresponding parameter metadata in the MBean descriptor as the resource identifier. To mark a parameter as the resource identifier, add the resourceType attribute. The attribute specifies the type resource that the parameter value contains. When the resourceType attribute is present for any MBean method parameter, the parameter value determines the resource instance that the MBean method represents.

        For example, one instance of the ApplicationManager MBean runs in each server. The same MBean can be used to start and stop all the applications in the server. The start and stop methods of this MBean each take the application name as a parameter. They use the parameter to determine the instance of the application that this MBean method tries to access. The following example shows how to describe the fine-grained administrative security for this type of MBean in the MBean descriptor:

        <operation
            description="Start Application"
            impact="ACTION" name="startApplication" role="operation"
            targetObjectType="objectReference" type="void" proxyInvokeType="spray">
            <signature>
             <parameter description="Application Name" resourceType="Application"
                name="applicationName" type="java.lang.String"/>
            </signature>
        </operation>
        

      • If the resource that an MBean accesses cannot be determined until the MBean is invoked, check if the user invoking the MBean is granted access to the instance of the resource by using APIs.

        Mark the MBean or MBean method as excluded from access checking in the MBean descriptor by using the excludeAccessCheck attribute. When an MBean is marked as excluded from access checking, all its methods are also excluded from access checking.

        For example, the ConfigService MBean that runs in the deployment manager is used to configure all the resources within a cell. Exclude this MBean from access checking before invoking the MBean methods. Check that the ConfigService MBean is granted access to the configuration resource when the MBean attempts to access the resource. The following example shows how to describe the fine-grained administrative security for the ConfigServices type of MBean in the MBean descriptor:

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE MBean SYSTEM "MbeanDescriptor.dtd">
        <MBean
          version="5.0"
          platform="proxy"
            collaboratorClass="com.ibm.ws390.management.proxy.ConfigServiceManager"
          description="Config Service component provides service of  configuration related tasks on top of configuration repository service."
          type="ConfigService"
          excludeAccessCheck="true"
          configureMBean="true">
        

        Some statements are split on multiple lines for printing purposes. The following example shows how to invoke the MBean method logic to perform authorization checking programmatically:

        // Get administration authorizer.
        AdminAuthorizer aa = AdminAuthorizerFactory.getAdminAuthorizer();
        // Set the role that is required for this operation.
        String role = com.ibm.ws.security.util.Constants.CONFIG_ROLE;
        // Set the resource name.
        // cells/cellName is optional.
        String resource = "/nodes/"+ nodeName + /servers/" + serverName;
        // Check access  if ( aa != null && !aa.checkAccess(resource, role) )
           // Disallow access. 
           else
              // Allow access.
        

   2. Assign required roles for the MBean and MBean methods.

      The required roles are automatically assigned, based on the type of MBean and the impact of the MBean method, as described in the topic on the default MBean security policy.

2. Specify delegation mode.

   In some cases, after performing the initial access check, the MBean method might need to run under a different user identity so that it can access other resource instances. For example the syncNode operation in the CellSync MBean grants the user the operator role to the instance of the node being synchronized. The syncNode operation tries to access resources under the cell scope. The user might not have access to open files under the cell directory. The MBean must run as System after the initial access check so that the operation completes without any access denied problems.

   Set the runAs attribute to System to specify delegation mode for an MBean or MBean method. When you set the runAs attribute for an MBean, the value applies to all MBean methods for that MBean. The following example shows how to describe fine-grained administrative security for the CellSync type of MBean in the MBean descriptor.

   <?xml version="1.0" encoding="UTF-8"?>
   <!DOCTYPE MBean SYSTEM "MbeanDescriptor.dtd">
   <MBean type="CellSync"
     version="5.0.1"
     platform="common"
     runAs="System"
     description="Management interface for the configuration synchronization logic performed at the central deployment manager for the cell.">
   <operation
       description="Initiate a synchronization request for a given node" impact="ACTION"
       name="syncNode" role="operation" targetObjectType="objectReference" type="ja va.lang.Boolean">
   <signature>
   <parameter resourceType="Node"
    description="The name of the node"
    name="nodeName" type="java.lang.String"/>
   </signature>
   </operation>
   

 

Results

You have determined the type of resource a given MBean method is accessing and performed the necessary access check so that WAS can allow access to the resource.

---

Administrative security
Default MBean security policy