Re: [jboss-dev-forums] [JBoss AS 7 Development] - Access control notes
by Brian Stansberry
Brian Stansberry [https://community.jboss.org/people/brian.stansberry] commented on the document
"Access control notes"
To view all comments on this document, visit: https://community.jboss.org/docs/DOC-48596#comment-11938
--------------------------------------------------
Thoughts on model-references. I'm going to outline different types of references, with suggestions for what rules could be enforced. What I'm getting at here is if we allow a more narrowly scoped variant of our standard roles (e.g. a person is an "Operator" but only for server-group "foo" or only for server host=x/server=y), how would those scoped permissions relate to other resources? Specifically for a given reference:
Referrer to referent:
a) does referrer need perms to validate existence of the referent?
b) do rights to the referrer grant rights to the referent? For example, ability to write to referrer grants right to write referent
Referent to referrer:
a) does user require perms to referrer to change referent?
b) do rights to the referent grant rights to the referrer? For example, ability to write to referent grants right to write referrer
The types of references I considered and the answers I have for the above questions:
Misc references:
Example: ejb to ispn cache
Referrer to referent:
a) no
b) no
Referent to referrer:
a) no
b) no
References to secure resources:
Example: remoting connector to security domain cache
Referrer to referent:
a) yes
b) no
Referent to referrer:
a) no
b) no
Server group to profile:
Referrer to referent:
a) no
b) configurable (config for a server-group-scoped role could have a flag)
Referent to referrer:
a) yes
b) no
Server group to socket-binding-group:
Referrer to referent:
a) no
b) configurable
Referent to referrer:
a) yes
b) no
Server group to deployment:
Referrer to referent:
a) no
b) configurable
Referent to referrer:
a) yes
b) no
Server group to deployment-override:
Referrer to referent:
a) no
b) configurable
Referent to referrer:
a) yes
b) no
Server to server-group:
Referrer to referent:
a) no
b) no (give user rights to server-group if this is desired)
Referent to referrer:
a) no
b) no
Server to socket-binding-group:
Referrer to referent:
a) no
b) no
Referent to referrer:
a) no
b) no
I went through a bunch of different cases with the server-group and server ones, but for each type, the answers are the same.
--------------------------------------------------
[jBPM Development] - Problem to use JBPM on gwt project
by sahar mohebi
sahar mohebi [https://community.jboss.org/people/sahar_m] created the discussion
"Problem to use JBPM on gwt project"
To view the discussion, visit: https://community.jboss.org/message/809792#809792
--------------------------------------------------------------
Hi friends,
I am new to jBPM and have many problems!!!
I want to use jBPM in my GWT project with MySQL.
I get an error when I try to create the EntityManagerFactory:
javax.persistence.PersistenceException: PersistenceUnit: org.jbpm.persistence.jpa Unable to build EntityManagerFactory
at org.hibernate.ejb.Ejb3Configuration.buildEntityManagerFactory(Ejb3Configuration.java:677)
at org.hibernate.ejb.HibernatePersistence.createEntityManagerFactory(HibernatePersistence.java:126)
at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:51)
at javax.persistence.Persistence.createEntityManagerFactory(Persistence.java:33)
at com.ayriksoft.desktopapp.server.TaskServiceManager.getInstance(TaskServiceManager.java:319)
at com.ayriksoft.desktopapp.server.JBPMServiceImpl.setup(JBPMServiceImpl.java:116)
at com.ayriksoft.desktopapp.server.JBPMServiceImpl.initializeJbpmSession(JBPMServiceImpl.java:51)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:561)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:208)
at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:248)
at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:393)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)
Caused by: org.hibernate.HibernateException: Could not obtain BTM transaction manager instance
at org.hibernate.transaction.BTMTransactionManagerLookup.getTransactionManager(BTMTransactionManagerLookup.java:50)
at org.hibernate.impl.SessionFactoryImpl.(BitronixTransactionManager.java:62)
... 45 more
This is my GWT service class:
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.drools.builder.ResourceType;
import org.drools.event.process.DefaultProcessEventListener;
import org.drools.event.process.ProcessStartedEvent;
import org.drools.event.rule.DefaultAgendaEventListener;
import org.drools.event.rule.RuleFlowGroupActivatedEvent;
import org.drools.io.Resource;
import org.drools.io.ResourceFactory;
import org.drools.logger.KnowledgeRuntimeLogger;
import org.drools.logger.KnowledgeRuntimeLoggerFactory;
import org.drools.runtime.StatefulKnowledgeSession;
import org.jbpm.process.workitem.wsht.CommandBasedWSHumanTaskHandler;

import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class JBPMServiceImpl extends RemoteServiceServlet implements JBPMService {

    protected StatefulKnowledgeSession session;
    private MockWorkItemHandler mockWorkItemHandler; // project class, not shown in this post
    Map<Resource, ResourceType> resources;
    TaskServiceManager tc;

    @Override
    public boolean initializeJbpmSession() {
        try {
            setup();
            session = tc.getSession(); // kbase.newStatefulKnowledgeSession();
            KnowledgeRuntimeLoggerFactory.newConsoleLogger(session);
            // fire the rules whenever the process activates a ruleflow group
            session.addEventListener(new DefaultAgendaEventListener() {
                @Override
                public void afterRuleFlowGroupActivated(RuleFlowGroupActivatedEvent event) {
                    session.fireAllRules();
                }
            });
            // make each started process instance visible to the rules as a fact
            session.addEventListener(new DefaultProcessEventListener() {
                @Override
                public void beforeProcessStarted(ProcessStartedEvent event) {
                    session.insert(event.getProcessInstance());
                }
            });
        } catch (Exception ex) {
            ex.printStackTrace();
            return false;
        }
        return true;
    }

    protected Map<Resource, ResourceType> getResources() {
        try {
            if (resources == null) {
                resources = new HashMap<Resource, ResourceType>();
                resources.put(ResourceFactory.newFileResource(System.getProperty("user.home") + "/V1/EmergencyBedRequestV1.bpmn"), ResourceType.BPMN2);
                resources.put(ResourceFactory.newFileResource(System.getProperty("user.home") + "/V1/bedAssignmentV1.drl"), ResourceType.DRL);
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return resources;
    }

    public void setup() {
        try {
            tc = TaskServiceManager.getInstance();
            // tc.startService();
            session = tc.getSession();
            tc.connect();
            KnowledgeRuntimeLogger logger = KnowledgeRuntimeLoggerFactory.newThreadedFileLogger(session, "testlog", 1000);
            // one handler serves both the human task and the notification work items
            CommandBasedWSHumanTaskHandler taskHandler = new CommandBasedWSHumanTaskHandler(session);
            session.getWorkItemManager().registerWorkItemHandler("Human Task", taskHandler);
            session.getWorkItemManager().registerWorkItemHandler("Notification System", taskHandler);
            taskHandler.connect();
        } catch (Exception ex) {
            Logger.getLogger(JBPMServiceImpl.class.getName()).log(Level.SEVERE, null, ex);
            throw new RuntimeException("error while creating session", ex);
        }
    }
}
and this is my TaskServiceManager.java:
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;

import javax.persistence.EntityManagerFactory;
import javax.persistence.Persistence;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseFactory;
import org.drools.SystemEventListenerFactory;
import org.drools.base.MapGlobalResolver;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderError;
import org.drools.builder.KnowledgeBuilderErrors;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.io.Resource;
import org.drools.io.ResourceFactory;
import org.drools.persistence.jpa.JPAKnowledgeService;
import org.drools.runtime.Environment;
import org.drools.runtime.KnowledgeSessionConfiguration;
import org.drools.runtime.StatefulKnowledgeSession;
import org.jbpm.task.service.TaskClient;
import org.jbpm.task.service.TaskService;
import org.jbpm.task.service.mina.MinaTaskClientConnector;
import org.jbpm.task.service.mina.MinaTaskClientHandler;
import org.jbpm.task.service.mina.MinaTaskServer;

import bitronix.tm.TransactionManagerServices;

public class TaskServiceManager {

    private static String ipAddress = "127.0.0.1";
    // private static int port = 5445;
    private static int port = 9123;
    private static TaskClient client;
    private static Map<String, List<String>> groupListMap = new HashMap<String, List<String>>();
    private static StatefulKnowledgeSession ksession;
    static TaskServiceManager instance = null;
    static Thread thread;
    static Map<Resource, ResourceType> resources;

    private TaskServiceManager() {
    }

    public static synchronized TaskServiceManager getInstance() {
        if (instance == null) {
            instance = new TaskServiceManager();
            // this is the call that fails with "Unable to build EntityManagerFactory" in the trace above
            EntityManagerFactory emf = Persistence.createEntityManagerFactory("org.jbpm.persistence.jpa");
            TaskService taskService = new TaskService(emf, SystemEventListenerFactory.getSystemEventListener());
            MinaTaskServer server = new MinaTaskServer(taskService);
            // keep the server thread in the static field instead of a local that shadows it
            thread = new Thread(server);
            thread.start();
        }
        return instance;
    }

    public void setConnection(String ipAddress, int port) {
        // qualify with the class name; assigning a parameter to itself changed nothing
        TaskServiceManager.ipAddress = ipAddress;
        TaskServiceManager.port = port;
    }

    public void connect() {
        if (client == null) {
            client = new TaskClient(new MinaTaskClientConnector("client 1",
                    new MinaTaskClientHandler(SystemEventListenerFactory.getSystemEventListener())));
            // connect once, to the configured address, rather than to a hard-coded 127.0.0.1:9123 first
            boolean connected = client.connect(ipAddress, port);
            if (!connected) {
                throw new IllegalArgumentException("Could not connect task client");
            }
        }
    }

    public KnowledgeBase readKnowledgeBase(Map<Resource, ResourceType> resources) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        // build from the map that was passed in instead of ignoring it
        for (Map.Entry<Resource, ResourceType> entry : resources.entrySet()) {
            kbuilder.add(entry.getKey(), entry.getValue());
        }
        if (kbuilder.hasErrors()) {
            KnowledgeBuilderErrors errors = kbuilder.getErrors();
            for (KnowledgeBuilderError error : errors) {
                System.out.println(">>> Error:" + error.getMessage());
            }
            throw new IllegalStateException(">>> Knowledge couldn't be parsed! ");
        }
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase();
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());
        return kbase;
    }

    public StatefulKnowledgeSession getSession() throws Exception {
        if (ksession == null) {
            ksession = createSession();
        }
        return ksession;
    }

    public StatefulKnowledgeSession createSession() throws Exception {
        KnowledgeBase kbase = readKnowledgeBase(getResources());
        EntityManagerFactory emf = Persistence.createEntityManagerFactory("org.jbpm.persistence.jpa");
        // JPA persistence for process instances, with Bitronix as the JTA transaction manager
        Environment env = KnowledgeBaseFactory.newEnvironment();
        env.set("drools.persistence.jpa.EntityManagerFactory", emf);
        env.set("drools.transaction.TransactionManager", TransactionManagerServices.getTransactionManager());
        env.set("drools.Globals", new MapGlobalResolver());

        Properties properties = new Properties();
        properties.put("drools.processInstanceManagerFactory", "org.jbpm.persistence.processinstance.JPAProcessInstanceManagerFactory");
        properties.put("drools.processSignalManagerFactory", "org.jbpm.persistence.processinstance.JPASignalManagerFactory");
        KnowledgeSessionConfiguration config = KnowledgeBaseFactory.newKnowledgeSessionConfiguration(properties);
        return JPAKnowledgeService.newStatefulKnowledgeSession(kbase, config, env);
    }

    static Map<Resource, ResourceType> getResources() {
        try {
            if (resources == null) {
                resources = new HashMap<Resource, ResourceType>();
                resources.put(ResourceFactory.newFileResource(System.getProperty("user.home") + "/V1/EmergencyBedRequestV1.bpmn"), ResourceType.BPMN2);
                resources.put(ResourceFactory.newFileResource(System.getProperty("user.home") + "/V1/bedAssignmentV1.drl"), ResourceType.DRL);
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return resources;
    }
}
and this is my persistence.xml file in META-INF:
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/809792#809792]
[JBoss AS 7 Development] - Access control notes
by Heiko Braun
Heiko Braun [https://community.jboss.org/people/heiko.braun] modified the document:
"Access control notes"
To view the document, visit: https://community.jboss.org/docs/DOC-48596
--------------------------------------------------------------
h1. Objective
By early September, implement a simplified domain management access control solution (administrative security) suitable for both AS 8 and EAP 6.x.
The primary objective is to establish a simple set of roles with which users can be associated, with clear sets of operation execution permissions associated with each role. The second critical objective is to develop an architecture for authorization that will allow for a much more generic/flexible authorization scheme to be implemented in future releases without breaking the simple scheme we do now.
Actually providing a generic scheme is out of scope for AS 8.
h1. Team and Timeline
Full time: Heiko Braun, Darran Lofthouse, Kabir Khan, Brian Stansberry
Available to assist as needed: Jason Greene, Anil Saldhana, subsystem leads
Design Phase I:
+ Lay out the fundamental architecture, identify the main requirements and intended approach for meeting each
+ 2 weeks
+ Completion allows some aspects of dev to begin (which, TBD)
+ Inability to get the stated time commitments from all participants delays completion by that amount of time
Design Phase II:
+ Design in detail some of the fundamental areas where either coordinated design is required or a sub-team needs to flesh out details
+ 2 weeks
Dev Phase:
+ 2.5 months
+ Achieve feature completion
+ See tasks below
++ need to assign resources and timelines to each task.
Dev Test Phase:
+ hardening period
+ 1 month
+ ends Sept 6
QE Phase:
+ begins following September 6 end of Dev Test Phase
h1. Tasks
h3. *General Tasks*
- Provide a security policy model, storage and API
- Provide the integration of the security policy model with (external) user registries
- Enable configuration of the security policy model and mapping to users
- Provide operations to retrieve security metadata and/or to do pre-flight authorisation checks
- Enforce permissions in core management components (mapping of policies against resources)
- Respect permissions in web console (GUI should be aware and respect the policies: i.e. suppression of interaction units)
- Respect permissions in CLI (CLI should be aware and respect the policies: i.e: restriction of command line syntax)
- Provide methodologies and strategies to assure completeness of security policies and their enforcement
h3. *Component Breakdown*
h4. Core Management Components
interface to decision point
+ information about resource access request
+ information about user
+ other information about request (time of day, interface, etc)
misc op authorization
+ basic control over op execution
write-attribute/undefine-attribute authorization
add op authorization
+ trick here is cases where certain attributes can't be written
++ my instinct is to reject the add; no sophisticated rules
read-attribute authorization
read-resource authorization, output control to use response header to indicate content was filtered
configuration of our default decision point
user info configuration (what data to provide decision point, where to get it)
read-resource-access op (an op to learn about user's ability to use API; based on read-resource-description)
+ uses
++ general information
++ allow caller to disable features that will be non-functional (e.g. buttons for misc ops that are not available)
model-reference issues
+ general issue of resources in a tree being affected by other resources
+ server groups
++ user has rights to a resource that affects an SG, but not to the SG itself
+ hosts
++ similar issue
++ twist is host-specific config vs domain-wide config affecting servers on a host
+ others?
+ notion: enforce this at domain rollout time?
++ problem: what about an admin-only HC situation? -- no rollout
Configuration propagation
++ master HC to slave
JMX security
+ AS domains depend on core security, as they just delegate
++ provide some information about access mechanism
+ other mbeans
++ what policy?
++ what control point?
h4. Admin Console
+ the interface structure doesn't necessarily reflect the model structure
++ i.e. some coarse-grained interface components rely on a number of resources across the model
+ distinction between interface structure (interaction units) and DMR payload
+ suppression of interaction units can only be done if the screens properly bootstrap from the model
++ relates to "read-resource-access"
++ currently not the case and a major change (intended first prototype for AS8)
+ distinction between logical entities and resource tree structure
++ i.e. /subsystem=datasources is resource tree structure
++ datasource=ExampleDS is a logical entity within the tree structure
++ makes a difference for address pattern matching...
+ do we support security constraints for logical entities? (can see datasource "Foo" but not datasource "Bar")
++ relates to "model-reference issues".
h4. CLI
+ basic handling of low-level (should be ok)
+ disable high-level commands in advance?
+ ls -- high-level equivalent to read-resource
h4. Misc:
sniffing for resources -- request a resource to learn it exists from the failure response
h2. Separation of Duty
|| *Role* || *Description* ||
| Monitor | The monitor role has the fewest permissions and restricts the user to viewing the configuration and current state. |
| Configurator | The configurator role has the same permissions as the monitor role, and can change the configuration. For example, the configurator can deploy an application. |
| Operator | The operator role has monitor permissions and can change the runtime state. For example, the operator can start or stop services and servers |
| Administrator | The administrator role has the combined permissions of the operator and the configurator. This role has permission to access sensitive data, including passwords. The administrator role is the superuser of the Application Server. A user in this role can perform all tasks, except (if revoked) those tasks that are associated with the auditor role. |
| Deployer | The deployer role can perform both configuration actions and runtime operations on Applications. |
| Admin Security Manager | The admin security manager role separates administrative security administration from other application administration. This role implies a monitor role. However, an administrator role does not imply the admin security manager role. Only users who are assigned to this role can assign users to administrator roles. |
| Auditor | The auditor role can view and modify the configuration settings for the security auditing subsystem. The auditor role includes the monitor role, allowing the auditor to view but not change the rest of the security configuration. |
h2. Resource and Action Attributes
The following describes the attributes required as inputs to an authorization mechanism, which that mechanism would use to enforce some of the permission schemes we've heard of. The assumption was that the authorization mechanism would be some form of Attribute Based Access Control, although the use of ABAC is not a requirement. The terms "Resource Attributes" and "Action Attributes" are derived from the XACML spec, which notes that "Information security policies operate upon attributes of subjects, the resource, the action and the environment in order to arrive at an authorization decision." This section is concerned with identifying the relevant attributes of the management resources toward which an operation is targeted, as well as the relevant attributes of the operation itself.
DMR API and Wireformat
+ separate static security meta data from dynamic runtime headers?
++ static: part of "read-resource-access"
++ dynamic: indication of enforced constraints as part of a DMR response (i.e suppressed elements)
h3. Scheme 1:
Monitor:
-- read-only flag on the operation
Configurator:
-- Storage flag on attribute
-- flag on operation to indicate runtime-only
-- "security privileged" flag attribute
-- "security privileged" flag on resource
-- attribute value is a vault expression?
Operator:
-- Storage flag on attribute
-- flag on operation to indicate runtime-only
-- "security privileged" flag attribute
-- "security privileged" flag on resource
-- attribute value is a vault expression?
Administrator
-- resource address
Deployer
-- resource address
Admin Security Manager
-- I would consider the equivalent for us to be the ability to configure the access control policies
-- resource address
Auditor
-- resource address
h3. Scheme 2:
Anonymous
-- N/A
Admin
-- none; user is root
Deployer
seems equivalent to Scheme 3's read-write
-- "security privileged" flag attribute
-- "security privileged" flag on resource
-- attribute value is a vault expression?
Operator
-- read-only flag on the operation
-- resource-address
-- operation name
-- "security privileged" flag attribute
-- "security privileged" flag on resource
-- attribute value is a vault expression?
Monitor
-- read-only flag on the operation
-- "security privileged" flag attribute
-- "security privileged" flag on resource
-- attribute value is a vault expression?
h3. Scheme 3:
Read-only
-- read-only flag on the operation
-- "security privileged" flag attribute
-- "security privileged" flag on resource
-- attribute value is a vault expression?
Read-write
-- "security privileged" flag attribute
-- "security privileged" flag on resource
-- attribute value is a vault expression?
Privileged
-- none; user is root
This is basically equivalent to Scheme 2, without Scheme 2's "Operator".
h3. Scheme 4:
Administrator
view or modify anything; deploy apps, perform lifecycle functions
-- none; user is root
Deployer
view anything, deploy apps, perform lifecycle functions
-- read-only flag on the operation
-- resource-address
-- operation name
Operator
view anything, perform lifecycle
-- read-only flag on the operation
-- resource-address
-- operation name
Monitor
view anything
-- read-only flag on the operation
h2. Glossary of terms
|| *Term* || *Description* ||
| Security Policy | A security policy is an association between a resource and one or more users, groups, or security roles. |
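An added example, not part of the JBoss notes or code base: a small decision function that applies the Scheme 1 attribute set (read-only and runtime-only flags on the operation, storage and "security privileged" flags, vault expressions) to the roles in the Separation of Duty table, plus a read-resource-access style pre-flight check. The exact meaning of each flag, the address prefixes for the audit and access-control configuration, and the sample resources are my assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Assumed address prefixes; the notes do not name where audit / access-control config lives.
AUDIT_PREFIX = ("core-service", "management", "access", "audit")
ACCESS_CONTROL_PREFIX = ("core-service", "management", "access", "authorization")


@dataclass(frozen=True)
class Resource:
    address: Tuple[str, ...]           # e.g. ("subsystem", "datasources", "data-source", "ExampleDS")
    security_privileged: bool = False  # "security privileged" flag on resource


@dataclass(frozen=True)
class Attribute:
    name: str
    storage: str                       # storage flag: "configuration" or "runtime"
    security_privileged: bool = False  # "security privileged" flag on attribute
    vault_expression: bool = False     # attribute value is a vault expression


@dataclass(frozen=True)
class Operation:
    name: str
    read_only: bool                    # read-only flag on the operation
    runtime_only: bool = False         # runtime-only flag on the operation
    attribute: Optional[Attribute] = None  # target of write-attribute / undefine-attribute


def touches_sensitive(res: Resource, op: Operation) -> bool:
    """Scheme 1: privileged flags and vault expressions mark data only Administrator may touch."""
    attr = op.attribute
    return res.security_privileged or (
        attr is not None and (attr.security_privileged or attr.vault_expression))


def in_subtree(res: Resource, prefix: Tuple[str, ...]) -> bool:
    return res.address[:len(prefix)] == prefix


def is_deployment(res: Resource) -> bool:
    # /deployment=foo and /server-group=x/deployment=foo both count as "Applications"
    return "deployment" in res.address[::2]


def is_allowed(role: str, res: Resource, op: Operation) -> bool:
    """Decide whether `role` may execute `op` against `res` under Scheme 1."""
    if role == "Administrator":
        return True                    # superuser; the "if revoked" auditor exception is not modelled
    if touches_sensitive(res, op):
        return False                   # passwords / vault data are Administrator-only
    if op.read_only:
        return True                    # every role in the table includes Monitor
    attr = op.attribute
    if role == "Configurator":         # persisted configuration, never runtime-only state
        return not op.runtime_only and (attr is None or attr.storage == "configuration")
    if role == "Operator":             # runtime state only (start/stop, runtime attributes)
        return op.runtime_only or (attr is not None and attr.storage == "runtime")
    if role == "Deployer":             # configuration and runtime, but only on applications
        return is_deployment(res)
    if role == "Auditor":
        return in_subtree(res, AUDIT_PREFIX)
    if role == "Admin Security Manager":
        return in_subtree(res, ACCESS_CONTROL_PREFIX)
    return False                       # Monitor or unknown role: no writes


def preflight(role: str, res: Resource, ops: Iterable[Operation]) -> Dict[str, bool]:
    """read-resource-access style answer: which ops the caller could use right now.
    Advisory only: is_allowed() must run again at execution time, since group
    membership or the policy may change between the pre-flight check and the call."""
    return {op.name: is_allowed(role, res, op) for op in ops}
```

The GUI can use the preflight() result to suppress buttons, while the core management components still call is_allowed() on every operation.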
--------------------------------------------------------------
Comment by going to Community
[https://community.jboss.org/docs/DOC-48596]
Re: [jboss-dev-forums] [JBoss AS 7 Development] - Access control notes
by Darran Lofthouse
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] commented on the document
"Access control notes"
To view all comments on this document, visit: https://community.jboss.org/docs/DOC-48596#comment-11935
--------------------------------------------------
Two more thoughts to add:
1 - Operations that go on to other things i.e. if an operation updates other attributes or calls other operations does it automatically have access or still perform access control check as the user?
i.e. may want to stop a user from modifying individual attributes but let them call an operation that updates multiple at once.
2 - Pre-flight checks will be good but still need to consider the request may still fail authorization.
A user's group membership may not be static.
Permissions on the server could be updated.
--------------------------------------------------