■ Domain-based security revolves around granting code permissions based on its origins (also referred to as its code base).
■ Role-based security revolves around authenticating users or processes and granting them permissions based on who they are.
The OSGi framework security model relies on Java's domain-based approach; the role-based approach is possible, but only as a layer on top. In standard Java, role-based security is provided by the Java Authentication and Authorization Service (JAAS) framework, but OSGi also provides its own API in the form of the User Admin Service. We won't deal with role-based security in this chapter; for more information on the User Admin Service, refer to the OSGi compendium specification. Now, let's delve a little deeper into domain-based security.
PERMISSIONS
The Java permission model is fairly simple. The Permission class is a base class from which more specific permissions can be derived via subclassing. You grant Permission objects to code to give it the ability to perform sensitive operations. Additionally, the Permission class has a method called implies() that accepts another Permission. This method checks to see if the supplied permission is implied by the target permission (similar to being a subset). Thus, Permission objects are used to both grant and check permissions.
PROTECTION DOMAINS
You grant permissions to code, but how are they associated with it? For domain-based security, Java uses a special concept called a protection domain, which is represented by the java.security.ProtectionDomain class, to encapsulate the security characteristics of a domain. Permissions are granted to protection domains, and all classes belong to a single protection domain. Sound complicated? Actually, in OSGi it's pretty simple, because a domain is mapped one-to-one with a bundle; you can think of it as a bundle protection domain. All classes originating from a given bundle are members of the same bundle protection domain.
BUNDLE PROTECTION DOMAIN
Maintains a set of permissions granted to a given bundle. All classes loaded from a bundle are associated with the bundle's protection domain, thus granting them the permissions granted to the bundle.
To understand how protection domains enable permission checking, consider code that performs a sensitive operation, such as creating a file. The code in the JRE for file access performs security checks internally to make sure the invoking code has permission to perform the operation. Internally, the code associated with performing file system operations triggers a specific permission check by using the security-checking methods of SecurityManager or AccessController. When triggered, the JVM collects the ProtectionDomains of all classes on the call stack leading to the invocation of the sensitive operation. It checks that each protection domain on the call stack has at least one permission implying (granting) the specific permission being checked by the method. Figure 14.1 shows how this looks in practice.
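The following is an added example, not code from the book or from any OSGi framework: it builds two stand-in bundle protection domains from the standard java.security classes and applies the stack-walk rule described above (every domain on the call stack must imply the requested permission). The bundle locations and file paths are constructed, Unix-style paths are assumed, and the call stack is modelled as a list rather than by installing a SecurityManager, so it runs on current JDKs without any security-manager flags.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.List;

public class BundleDomainCheckDemo {

    // Stand-in for a bundle protection domain: a CodeSource naming the bundle's
    // origin (unsigned, so no certificates) plus the permissions granted to it.
    static ProtectionDomain bundleDomain(String location, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        perms.setReadOnly();
        CodeSource source = new CodeSource(URI.create(location).toURL(),
                (java.security.cert.Certificate[]) null);
        return new ProtectionDomain(source, perms);
    }

    // Mirrors the JVM's stack walk: the check passes only if every domain on the
    // call stack implies the requested permission. Returns the location of the
    // first domain that denies it, or null when all domains allow it.
    static String firstDenyingDomain(List<ProtectionDomain> callStack, Permission requested) {
        for (ProtectionDomain domain : callStack) {
            if (!domain.implies(requested)) {
                return domain.getCodeSource().getLocation().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed bundles: the application bundle may only read under /data,
        // while the I/O library bundle may read and write anywhere.
        ProtectionDomain app = bundleDomain("file:/bundles/app.jar",
                new FilePermission("/data/-", "read"));
        ProtectionDomain ioLib = bundleDomain("file:/bundles/io-lib.jar",
                new FilePermission("/-", "read,write"));

        Permission readLog = new FilePermission("/data/app.log", "read");
        Permission writeLog = new FilePermission("/data/app.log", "write");

        // Call stack app -> ioLib: implies() is a subset test, so "/data/-" covers
        // the read, and the write is denied by app's domain even though ioLib
        // alone would allow it.
        System.out.println("read denied by: " + firstDenyingDomain(List.of(app, ioLib), readLog));
        System.out.println("write denied by: " + firstDenyingDomain(List.of(app, ioLib), writeLog));
    }
}
```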