An user may need to make access control stacks pluggable for a particular component.
You can continue to configure your security domain name in jboss.xml (ejb) or jboss-web.xml (web) deployment descriptors. But there are multiple ways to configure your authorization modules that govern your web and/or ejb components.
1) Change the default authorization policy for all web/ejb components. You can do that by changing the "jboss-web-policy" and "jboss-ejb-policy" in deploy/security/security-policies-jboss-beans.xml
An example is here:
http://anonsvn.jboss.org/repos/jbossas/trunk/testsuite/src/resources/test-configs/jacc/deploy/security/security-policies-jboss-beans.xml
If you want to retain the normal authorization stack (do not care about JACC, XACML or custom authorization), then make no change and stop reading this blog entry. :)
2) You wish to change the authorization stack for a particular component. Lets say, test.war which has a security domain of "test-domain".
To configure JACC as the authorization stack, either in conf/login-config.xml or in a separate test-war-jboss-beans.xml (the file name should be xxx-jboss-beans.xml where xxx can be anything you desire), define the following.
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
<application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain">
<authentication>
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">anonymous</module-option>
<module-option name="usersProperties">u.properties</module-option>
<module-option name="rolesProperties">r.properties</module-option>
</login-module>
</authentication>
<authorization>
<policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
</authorization>
</application-policy>
<application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain2" extends="other">
<authorization>
<policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule" flag="required"/>
</authorization>
</application-policy>
</deployment>
What we have done here is that we have defined "test-domain" to have JACC and test-domain2 to have the same authentication modules as "other" but we have used XACML as the access control stack.
FAQ:
1) What happens when some security domains do not define any authorization modules?
A. In this case, the authorization modules defined in "jboss-web-policy" or "jboss-ejb-policy" in deploy/security/security-policies-jboss-beans.xml kick in.
2) Can I stack access control modes for a particular security domain?
A. Yes, you can use the JAAS way of stacking the authorization modules and also use the flag required,requisite,sufficient, optional} to influence the final decision.
<application-policy xmlns="urn:jboss:security-beans:1.0" name="some-domain">
<authentication>
<login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
flag = "required">
<module-option name = "unauthenticatedIdentity">anonymous</module-option>
<module-option name="usersProperties">u.properties</module-option>
<module-option name="rolesProperties">r.properties</module-option>
</login-module>
</authentication>
<authorization>
<policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
<policy-module code="org.jboss.security.authorization.modules.XACMLAuthorizationModule" flag="optional"/>
</authorization>
</application-policy>
3) What about other components such as Messaging, JCA etc?
A. Patience. We will get there eventually. JACC is not defined for other components. While you can use XACML or write your own custom authorization provider, we have not yet provided the pluggable access control feature for components other than web and ejb. We will get there.
4) I would like to write my own authorization provider. What do I do?
A. What you need to write is a policy module such as the ones we have.
http://anonsvn.jboss.org/repos/jbossas/projects/security/security-jboss-sx/tags/2.0.2.SP3/jbosssx/src/main/java/org/jboss/security/authorization/modules/
5) I know that authentication is not tied to any layer such as web, ejb etc; but authorization is always tied to the type of component we are guarding. Your examples do not show it.
A. We respect your smartness. You should start contributing to JBoss Security. We have the concept of delegates within the authorization modules. You can do something like this:
<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
<application-policy xmlns="urn:jboss:security-beans:1.0" name="test-domain2" extends="other">
<authorization>
<policy-module code="xxx.yyy.MyAwesomeAuthorizationModule" flag="required">
<module-option name="delegateMap">web=xxxx.yy.mywebauthorizationdelegate,ejb=xxxx.yy.myejbauthorizationdelegate</module-option>
</policy-module>
</authorization>
</application-policy>
</deployment>
Remember, that your delegates need to be a subclass of AuthorizationModuleDelegate.
http://anonsvn.jboss.org/repos/jbossas/projects/security/security-jboss-sx/tags/2.0.2.SP3/jbosssx/src/main/java/org/jboss/security/authorization/modules/AuthorizationModuleDelegate.java
Examples are:
http://anonsvn.jboss.org/repos/jbossas/projects/security/security-jboss-sx/tags/2.0.2.SP3/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBJACCPolicyModuleDelegate.java
http://anonsvn.jboss.org/repos/jbossas/projects/security/security-jboss-sx/tags/2.0.2.SP3/jbosssx/src/main/java/org/jboss/security/authorization/modules/web/WebJACCPolicyModuleDelegate.java
Read the post here: http://anil-identity.blogspot.com/2008/12/as5-pluggable-access-control-ejbweb.html
No comments:
Post a Comment