Define an explicit MBean security policy
We can explicitly define an MBean security policy for a particular MBean. Use this example to define an MBean security policy.
This task assumes a basic familiarity with MBean programming. For information on MBean programming, see MBean Java (API) documentation. In this information center, click Reference > Mbean interfaces.
Perform the following tasks to define an explicit security policy.
- Assume that we have an MBean defined by the MBean sample.xml descriptor file.
- Specify the explicit security policy for that MBean in the sampleSecurity.xml file. The naming convention is that you must append "Security" to the MBean descriptor file name as the name of the MBean security descriptor file.
- Place the security policy descriptor file at the same directory where the MBean security descriptor file is so that the MBean loader can find it. This directory is the typical location for the security policy descriptor file. If no MBean security descriptor file is present, the default MBean security policy is used.
- Specify the MBean name of sample in the resource element resource-name field of the sampleSecurity.xml file so that the MBean policy loader can associate the MBean security policy with the MBean. The MBean security descriptor definition is very similar to the security policy defined by the J2EE deployment descriptor.
Results
You now have an explicitly defined MBean security policy that we can run with an MBean.
Example
The following example describes the MBean security descriptor file format for the sampleSecurity.xml file.
Line 2 specifies that an MBean security descriptor schema is defined by the RolePermissionDescriptor.dtd file, which is a document type definition (DTD) in WebSphere Application Server.
As shown on line 3, each MBean descriptor file contains a single role-permission element. The administrative security role hierarchy is defined in the security-role elements between line 9 and line 37. The administrative security role has an inheritance relationship.
As defined on line 14 through 21, the operator security role implies the monitor security role, which means that a user with the operator role has all the permissions of the monitor role. As defined between line 30 and line 38, an administrator security role implies both the configurator and operator security role. Every MBean security descriptor file typically has the same role relationship definition so that we can cut and paste this section to the MBean security descriptor file.
One or more method-permission elements are defined after the security-role element. Each method-permission element defines the required roles for one or more methods. Specify method parameters to avoid method name collision in case multiple methods have the same name.
1. <?xml version="1.0" encoding="UTF-8"?> 2. <!DOCTYPE role-permission SYSTEM "RolePermissionDescriptor.dtd" > 3. <role-permission> 4. <resource> 5. <resource-name>sample</resource-name> 6. <class-name>com.ibm.ws.security.descriptor.sample</class-name> 7. <description>This is a sample for testing role permission descriptor.</description> 8. </resource> 9. <security-role> 10. <role> 11. <role-name>monitor</role-name> 12. </role> 13. </security-role> 14. <security-role> 15. <role> 16. <role-name>operator</role-name> 17. <imply> 18. <role-name>monitor</role-name> 19. </imply> 20. </role> 21. </security-role> 22. <security-role> 23. <role> 24. <role-name>configurator</role-name> 25. <imply> 26. <role-name>monitor</role-name> 27. </imply> 28. /role> 29. </security-role> 30. <security-role> 31. <role> 32. <role-name>administrator</role-name> 33. <imply> 34. <role-name>operator</role-name> 35. <role-name>configurator</role-name> 36. </imply> 37. </role> 38. </security-role> 39. <method-permission> 40. <description>Sample method permission table</description> 41. <role-name>operator</role-name> 42. <method> 43. <description>Sample operation</description> 44. <resource-name>sample</resource-name> 45. <method-name>stop</method-name> 46. </method> 47. </method-permission> 48. <method-permission> 49. <description>Sample method permission table</description> 50. <role-name>operator</role-name> 51. <method> 52. <description>Sample operation</description> 53. <resource-name>sample</resource-name> 54. <method-name>start</method-name> 55. <method-params> 56. <method-param>java.lang.String</method-param> 57. <method-param>java.lang.String</method-param> 58. </method-params> 59. </method> 60. </method-permission> 61. <method-permission> 62. <description>Sample method permission table</description> 63. <role-name>operator</role-name> 64. <method> 65. <description>Sample operation</description> 66. <resource-name>sample</resource-name> 67. <method-name>monitor</method-name> 68. <method-params> 69. </method-params> 70. </method> 71. </method-permission> 72. <method-permission> 73. <description>Sample method permission table</description> 74. <role-name>configurator</role-name> 75. <method> 76. <description>Sample operation</description> 77. <resource-name>sample</resource-name> 78. <method-name>setValue</method-name> 79. <method-params> 80. <method-param>java.lang.Boolean</method-param> 81. </method-params> 82. </method> 83. </method-permission> 84. <method-permission> 85. <description>Sample method permission table</description> 86. <role-name>monitor</role-name> 87. <method> 88. <description>Sample operation</description> 89. <resource-name>sample</resource-name> 90. <method-name>getValue</method-name> 91. </method> 92. </method-permission> 93. </role-permission>
Related concepts
Administrative security Default MBean security policy