Authorizing access requests
This section explains how access requests are handled by Security Verify Access authorization Java classes. The Security Verify Access authorization Java classes are built around JAAS and the Java 2 security model. The Security Verify Access API closely follows the Java 2 permission model. For more information on the Java 2 security model, see: http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html.
The Security Verify Access authorization API Java classes provide a permission class named com.tivoli.pd.jazn.PDPermission . This class extends the abstract class com.ibm.IBMPermission, which extends the abstract class java.security.Permission. The PDPermission class establishes the SSL-protected socket communications protocol which is used to talk to Security Verify Access.
Create an entry in the JAAS policy file to ensure the JAAS security code calls the implies() method in the PDPermission class described here. We can specify the entry based on a particular codebase as required
Define your JAAS policy in its own file and specify the URL in the java.security file using the property auth.policy.url.X (where X is an integer). For example:
auth.policy.url.1=file:${java.home}/lib/security/jaas.policy
Alternatively, we can use the Java interpreter -D flag to specify the JAAS policy file. For example:
java -Dauth.policy.url.1=file:/opt/PolicyDirector/etc/jaas.policy
We can specify the JAAS policy directly in the java.policy file found in java_home/lib/security.
grant signedBy “xxx” codeBase “file:/E:/Program Files/aaa/bbb/ccc” principal com.tivoli.pd.jazn.PDPrincipal “*” { permission com.tivoli.pd.jazn.PDPermission “ignoreme” "a"; };
The contents of the action string ignoreme are unimportant because the PDPermission class ignores them. This is because Security Verify Access acts as the repository for security policy. The intent of this entry is to have the Java security code call the implies() method when a resource manager checks to see if a permission is held. The PDPermission class implements constructors and supporting methods, including:
The implies() method flow consists of the following steps:
- implies()
- Checks whether Security Verify Access grants the specified permissions.
- equals()
- Determines if two PDPermission objects are equal.
- getActions()
- Returns the canonical string representation of the actions.
- hashCode()
- Returns the hash code value for the object.
The following sample illustrates how a resource manager, such as a Web server or Enterprise JavaBeans container, places the Subject on the current thread of execution.
- Use the static getSubject() method to retrieve the current Subject → Subject that was created by the PDLoginModule class, and placed on the current thread of execution by the resource manager.
- If the Subject contains a Principal of type com.tivoli.pd.jazn.PDPrincipal, then the appropriate credentials are secured for the call to Security Verify Access.
Subject.doAs(whoami, new java.security.PrivilegedAction() { public java.lang.Object run() {}});
At this point the PDPermission class has all the information required to make the authorization call to Security Verify Access. The following code sample shows a typical authorization check that invokes Security Verify Access through the PDPermission class implementation. The checkPermission() method returns quietly unless it fails, in which case it throws a java.lang.SecurityException.
PDPermission perm = new PDPermission(“/MyResourceManager/private”, “[simple]rT[newActionGroup1]Z”); SecurityManager.checkPermission(perm);
Parent topic: Java Authentication and Authorization Service (JAAS) model