JavaRanch » Java Forums » Engineering » Security
Need help-Authorization

J Abraham
Ranch Hand

Joined: Jun 25, 2004
Posts: 101
Hi,

I want to create a method to authorize a role for accessing forms in a desktop application. The method name is authorize(String actions). I need to check the permissions for the actions that I'm getting from another class. I have to compare the role and actions against those in the policy file. I need to make sure that the role has the necessary permissions to access those forms.

Also I'm stuck on the following code.

permissionCollection.implies(new PropertyPermission("name","action"));
What do name and action denote? Can I assign a jar name or class name to "action"?


Attaching the code:

import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class ClientSecurityManager extends Policy
{
    static String userRole;

    public ClientSecurityManager()
    {
    }

    /*
     * Authenticates the user and stores the role in memory.
     */
    public boolean authenticate(String userName, String password)
    {
        // Calls method of Jazn for doing authentication.
        // Returns the boolean value as the result of authentication and role.
        // userRole = role;
        return true;
    }

    public boolean authorize(String action)
    {
        URL codebase = null;

        try {
            // Get permissions for a directory: build the code base from the
            // 'action' argument (the original used the literal string "action1")
            codebase = new File(action).toURI().toURL();
        } catch (MalformedURLException e) {
            return false;
        }

        // Construct a code source with the code base and no signer certificates.
        // The cast is needed: a bare null is ambiguous between the
        // Certificate[] and CodeSigner[] constructors.
        CodeSource cs = new CodeSource(codebase, (Certificate[]) null);

        PermissionCollection pcoll = Policy.getPolicy().getPermissions(cs);
        // PropertyPermission takes a property name and "read", "write" or "read,write";
        // the placeholder "action" used originally is rejected with IllegalArgumentException
        boolean permissionStatus = pcoll.implies(new PropertyPermission("name", "read"));

        // Return the result of the check instead of a hard-coded true
        return permissionStatus;
    }

    public void refresh() {
    }

    public PermissionCollection getPermissions(CodeSource cs) {
        // Must be a real collection: calling add() on null throws NullPointerException
        PermissionCollection permissionCollection = new Permissions();

        permissionCollection.add(new PropertyPermission("name", "read"));

        return permissionCollection;
    }
}

I hope I can get some ideas from you JavaRanchers....


J Abraham
SCJP5, SCWCD1.4
Nitesh Kant
Bartender

Joined: Feb 25, 2007
Posts: 1638

If you are using JAAS for authorization then you should use Subject.doAs() instead of doing that in the code yourself by getting the policy et al.
However, answering your question:
The name is the name of the permission and the action is the set of actions you want to check the authorization for. As an example you must have an entry in the java policy file (present in <jre_root>/lib/security/java.policy) as follows:


// Standard extensions get all permissions by default

grant codeBase "file:${{java.ext.dirs}}/*" {
permission java.security.AllPermission;
};

// default permissions granted to all domains

grant {
permission java.util.PropertyPermission "java.specification.version", "read";
};

Here java.specification.version is the name and "read" is the action.
Hope this helps.

You can follow this link
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/tutorials/GeneralAcnAndAzn.html


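The reply above explains name/action in terms of a policy-file entry. The following is an added example, not code from the thread or from either poster, that builds the same grants in memory and shows how PermissionCollection.implies() evaluates them: exact names, the trailing ".*" wildcard, action subsets, a different permission class, and the placeholder "action" string from the question (which PropertyPermission rejects). The property names app.* and app.db.url and the jar path are constructed for the example.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.PropertyPermission;

/**
 * Shows what "name" and "actions" mean for java.util.PropertyPermission and how
 * PermissionCollection.implies() evaluates a requested permission against the
 * set a policy would grant. Runs stand-alone: no policy file or SecurityManager.
 */
public class PropertyPermissionDemo {

    /**
     * In-memory equivalent of these (constructed) policy-file grants:
     *   permission java.util.PropertyPermission "java.specification.version", "read";
     *   permission java.util.PropertyPermission "app.*", "read,write";
     * The first argument is the property name (or a trailing ".*" wildcard);
     * the second is a comma-separated subset of the actions the class knows,
     * which for PropertyPermission are only "read" and "write".
     */
    static PermissionCollection grantedPermissions() {
        PermissionCollection granted = new Permissions();
        granted.add(new PropertyPermission("java.specification.version", "read"));
        granted.add(new PropertyPermission("app.*", "read,write"));
        return granted;
    }

    /** Wraps implies() so each decision is visible when run from main(). */
    static boolean check(PermissionCollection granted, Permission requested) {
        boolean allowed = granted.implies(requested);
        System.out.printf("%-70s %s%n", requested, allowed ? "GRANTED" : "DENIED");
        return allowed;
    }

    public static void main(String[] args) {
        PermissionCollection granted = grantedPermissions();

        // exact name and an action that was granted
        check(granted, new PropertyPermission("java.specification.version", "read"));
        // same name, but a grant of "read" does not imply "write"
        check(granted, new PropertyPermission("java.specification.version", "write"));
        // "app.*" matches any dotted name below "app", and "read,write" implies "write"
        check(granted, new PropertyPermission("app.db.url", "write"));
        // the wildcard is a dotted prefix: "application" is not under "app.*"
        check(granted, new PropertyPermission("application", "read"));
        // a different permission class is never implied, whatever its name
        check(granted, new FilePermission("/opt/app/forms.jar", "read"));
        // the actions string is validated in the constructor: anything but read/write is rejected
        try {
            new PropertyPermission("name", "action");
        } catch (IllegalArgumentException e) {
            System.out.println("invalid actions rejected: " + e.getMessage());
        }
    }
}
```

The point for the original question: the name must be a property name (so a jar or class name cannot go there), and the actions are fixed by the permission class, not free text. Checking access to a jar needs java.io.FilePermission with the jar path as name; checking access to a form needs a permission class whose name space is form names.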
J Abraham
Ranch Hand

Joined: Jun 25, 2004
Posts: 101
Hi Nitesh,

Thanks for the quick reply. In my case I'm doing the authentication using Oracle's Jazn (JAAS provider). I'm not using JAAS for authentication, so how can I use Subject in my authorize method? Also I am stuck on how to retrieve the principal (role) from the policy file. I will get the jar file/class file which is used to access that form. I need to check whether this jar file/class file I'm getting has the necessary permission and whether it is being accessed by the right principal (role). I will get the principal (role) stored in static memory. Do you have any idea about checking that against the policy file?
[ February 28, 2007: Message edited by: Jibin Abraham ]
Nitesh Kant
Bartender

Joined: Feb 25, 2007
Posts: 1638

As far as I understand, you do not get the subject as a whole but you get the principals (sorry, I don't know much about Oracle's Jazn).
So, you can create a new read-only subject of your own having the required principals.

Now, you have two problems:

1) How to check whether the jar file has the required permissions. So, you need to find out what permissions you are looking for (name and action as specified in the java policy file) and follow the same as you wrote in the code sample that you posted.
2) How to check whether the principal has the permission to access the jar file. This can be done by using Subject.doAsPrivileged(<subject you created>, <a privileged action trying to access the jar using an input stream>, null). Passing null as the access control context (last argument) will ensure that permissions are checked only for the subject that you are passing. For this, in the policy file you should specify a java.io.FilePermission with the path of the jar and action as read for this principal.

Hope the above helps.
It is difficult to put the whole code here. Probably if you go through the Sun tutorials you will get the hang of the above.
J Abraham
Ranch Hand

Joined: Jun 25, 2004
Posts: 101
Thanks for the reply.

I tried Subject.doAsPrivileged .....

I have a doubt regarding the final checking of the permission.

boolean permissionStatus = permissionCollection.implies(new PropertyPermission("name","action"));

Here I'm confused about the type of permission... whether it is PropertyPermission or FilePermission or another type of permission. Also I'm confused about what to include in the arguments of the permission constructor.
Nitesh Kant
Bartender

Joined: Feb 25, 2007
Posts: 1638

Here I'm confused about the type of permission... whether it is PropertyPermission or FilePermission or another type of permission.

The type of permission should match with the permission type specified in the policy file.

I think in your case you have to create your own permission and use the same in the policy file as well as the code.

Follow the following post for samples:

Authorization using JAAS
J Abraham
Ranch Hand

Joined: Jun 25, 2004
Posts: 101
Nitesh,

In my case I'm getting the role (principal) after authentication, and the form name (it may be a class) as I'm using a desktop application. I just want to check the permission by checking the policy file. The arguments are the role and the name of the class, but I need a boolean value as the return. Would the code that you have posted work in my case?
Nitesh Kant
Bartender

Joined: Feb 25, 2007
Posts: 1638

The AccessController.checkPermission() will throw a java.security.AccessControlException if the permission is not present for the subject. You can catch the exception and then take any action that you want.
I think you should create a permission taking a form name and the action.
Use this permission while checking and also while specifying in the policy file.
In the policy file you can specify all the actions allowed for a subject and at runtime you can check for one of the actions.
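Putting the two suggestions in this thread together (the read-only Subject run through Subject.doAsPrivileged with a null context from the earlier reply, and the custom permission taking a form name and an action, checked with AccessController.checkPermission and turned into a boolean, from this one), the following is an added example and not code from the thread or from either poster. The class names FormAuthorizer, FormPermission and RolePrincipal, the actions "open" and "edit", the role and form names, and the policy file name forms.policy are all assumptions made for the example. It uses the java.security.Policy / AccessController machinery the thread is about, which has been deprecated since JDK 17 and was disabled in JDK 24 (JEP 486), so run it on an earlier JDK.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;

/*
 * forms.policy (constructed for this example; the role and form names are assumptions):
 *
 *   grant {
 *       permission javax.security.auth.AuthPermission "doAsPrivileged";
 *   };
 *   grant principal FormAuthorizer$RolePrincipal "clerk" {
 *       permission FormAuthorizer$FormPermission "forms.CustomerForm", "open";
 *   };
 *   grant principal FormAuthorizer$RolePrincipal "manager" {
 *       permission FormAuthorizer$FormPermission "forms.*", "open,edit";
 *   };
 *
 * Compile with javac, then run (the "==" makes this the only policy in force):
 *   java -Djava.security.policy==forms.policy FormAuthorizer
 * The AuthPermission grant is only consulted if a SecurityManager is installed.
 */
public class FormAuthorizer {

    /** Carries the role name handed back by the authentication provider (Jazn in the thread). */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return "RolePrincipal \"" + name + "\""; }
    }

    /**
     * Custom permission: name = form (class) name, actions = subset of "open,edit".
     * BasicPermission supplies the dotted-wildcard name matching ("forms.*"); the
     * action set is handled here. The policy file instantiates it reflectively, so the
     * class and its (String, String) constructor must be public.
     */
    public static final class FormPermission extends BasicPermission {
        private static final Set<String> KNOWN = Set.of("open", "edit");
        private final TreeSet<String> actions = new TreeSet<>();

        public FormPermission(String formName, String actionList) {
            super(formName);
            for (String a : actionList.split(",")) {
                String action = a.trim().toLowerCase();
                if (!KNOWN.contains(action)) {
                    throw new IllegalArgumentException("unknown action: " + action);
                }
                actions.add(action);
            }
        }

        @Override public boolean implies(Permission p) {
            // same class, name matches (exact or wildcard), and every requested action is held
            return super.implies(p) && actions.containsAll(((FormPermission) p).actions);
        }
        @Override public String getActions() { return String.join(",", actions); }
        // BasicPermission's default collection is keyed on name only and would drop a second
        // grant for the same form with different actions; returning null makes Permissions
        // fall back to a hash-based collection that calls implies() on every entry.
        @Override public PermissionCollection newPermissionCollection() { return null; }
        @Override public boolean equals(Object o) {
            return super.equals(o) && actions.equals(((FormPermission) o).actions);
        }
        @Override public int hashCode() { return 31 * super.hashCode() + actions.hashCode(); }
    }

    /**
     * Returns true if the policy grants 'action' on 'formName' to the given role.
     * The role becomes the principal of a read-only Subject; doAsPrivileged with a null
     * context means only that Subject (combined with the calling code's own domain) is
     * checked, and checkPermission's AccessControlException becomes a boolean result.
     */
    public static boolean authorize(String role, String formName, String action) {
        Subject subject = new Subject(true, Set.of(new RolePrincipal(role)), Set.of(), Set.of());
        FormPermission needed = new FormPermission(formName, action);
        // the cast picks the PrivilegedAction overload over PrivilegedExceptionAction
        return Subject.doAsPrivileged(subject, (PrivilegedAction<Boolean>) () -> {
            try {
                AccessController.checkPermission(needed);
                return Boolean.TRUE;
            } catch (AccessControlException denied) {
                return Boolean.FALSE;
            }
        }, null);
    }

    public static void main(String[] args) {
        // constructed sample requests: role, form name, action
        String[][] requests = {
            {"clerk",   "forms.CustomerForm", "open"},
            {"clerk",   "forms.CustomerForm", "edit"},
            {"manager", "forms.PayrollForm",  "edit"},
            {"guest",   "forms.CustomerForm", "open"},
        };
        for (String[] r : requests) {
            System.out.printf("role=%-8s form=%-20s action=%-5s -> %s%n",
                    r[0], r[1], r[2], authorize(r[0], r[1], r[2]) ? "allowed" : "denied");
        }
    }
}
```

The same authorize() shape works for the jar-file check from the earlier reply: replace FormPermission with java.io.FilePermission(jarPath, "read") and grant that permission to the principal in the policy file. Note that because the principal-based grants carry no codeBase, they apply to any code running under that Subject; add a codeBase clause if the check should also be tied to the jar the form lives in.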