[jboss-dev-forums] [Security Development] Document updated/added: "PicketBox Authorization"
ANIL SALDHANA
do-not-reply at jboss.com
Thu Feb 4 21:28:02 EST 2010
JBoss development,
The document "PicketBox Authorization", was updated Feb 4, 2010
by ANIL SALDHANA.
To view the document, visit:
http://community.jboss.org/docs/DOC-14747#cf
Document:
--------------------------------------------------------------
*PicketBox* (formerly JBoss Security) supports authorization, also called access control.
*Types of Authorization*
1. Coarse Grained
2. Fine Grained including Instance Based Authorization
*Coarse Grained Authorization*
You can use the PicketBoxAuthorizationModule to provide access control to your Java application. Please see the example below.
*Fine Grained Authorization*
1. http://community.jboss.org/docs/DOC-10840
2. http://server.dzone.com/articles/security-features-jboss-510-3
*Sample Code for Coarse Grained Authorization*
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceType;
import org.picketbox.config.PicketBoxConfiguration;
import org.picketbox.factories.SecurityFactory;
// Variables
// The methods below are assumed to live in a JUnit 3 test class
// (one extending junit.framework.TestCase), which supplies assertNotNull/assertTrue.
private final String securityDomainName = "test";
private final String configFile = "config/authorization.conf";

public void testValidAuthorization() throws Exception
{
   SecurityFactory.prepare();
   try
   {
      // Load the security domain definition
      PicketBoxConfiguration idtrustConfig = new PicketBoxConfiguration();
      idtrustConfig.load(configFile);

      // Authenticate first: this populates the Subject
      AuthenticationManager am = SecurityFactory.getAuthenticationManager(securityDomainName);
      assertNotNull(am);
      Subject subject = new Subject();
      Principal principal = getPrincipal("anil");
      Object credential = new String("pass");
      boolean result = am.isValid(principal, credential, subject);
      assertTrue("Valid Auth", result);
      assertTrue("Subject has principals", subject.getPrincipals().size() > 0);

      // Then authorize the authenticated Subject against the resource
      AuthorizationManager authzM = SecurityFactory.getAuthorizationManager(securityDomainName);
      assertNotNull(authzM);
      Resource resource = getResource();
      int decision = authzM.authorize(resource, subject);
      assertTrue(decision == AuthorizationContext.PERMIT);
   }
   finally
   {
      SecurityFactory.release();
   }
}

public void testInvalidAuthorization() throws Exception
{
   // As posted, this body repeats testValidAuthorization() and still expects PERMIT.
   // A negative test would authenticate a subject that lacks the configured role
   // and expect AuthorizationContext.DENY.
   SecurityFactory.prepare();
   try
   {
      PicketBoxConfiguration idtrustConfig = new PicketBoxConfiguration();
      idtrustConfig.load(configFile);

      AuthenticationManager am = SecurityFactory.getAuthenticationManager(securityDomainName);
      assertNotNull(am);
      Subject subject = new Subject();
      Principal principal = getPrincipal("anil");
      Object credential = new String("pass");
      boolean result = am.isValid(principal, credential, subject);
      assertTrue("Valid Auth", result);
      assertTrue("Subject has principals", subject.getPrincipals().size() > 0);

      AuthorizationManager authzM = SecurityFactory.getAuthorizationManager(securityDomainName);
      assertNotNull(authzM);
      Resource resource = getResource();
      int decision = authzM.authorize(resource, subject);
      assertTrue(decision == AuthorizationContext.PERMIT);
   }
   finally
   {
      SecurityFactory.release();
   }
}

// Minimal Principal that only carries a name
private Principal getPrincipal(final String name)
{
   return new Principal()
   {
      public String getName()
      {
         return name;
      }
   };
}

// Minimal Resource in the IDTRUST layer with an empty context map
private Resource getResource()
{
   return new Resource()
   {
      public ResourceType getLayer()
      {
         return ResourceType.IDTRUST;
      }

      public Map<String, Object> getMap()
      {
         return new HashMap<String, Object>();
      }
   };
}

As usual, SecurityFactory.prepare() and SecurityFactory.release() are wrapped in a try/finally block to initialize and release PicketBox.
The authorization.conf looks as follows:
<?xml version='1.0'?>
<policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:jboss:security-config:5.0"
        xmlns="urn:jboss:security-config:5.0"
        xmlns:jbxb="urn:jboss:security-config:5.0">
   <application-policy name = "test">
      <authentication>
         <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
                       flag = "required">
            <module-option name = "name">1.1</module-option>
            <module-option name = "succeed">true</module-option>
            <module-option name = "throwEx">false</module-option>
         </login-module>
      </authentication>
      <authorization>
         <policy-module
               code="org.picketbox.plugins.authorization.PicketBoxAuthorizationModule">
            <module-option name="roles">validuser</module-option>
         </policy-module>
      </authorization>
   </application-policy>
</policy>
In this case, PicketBoxAuthorizationModule is configured with a comma-separated list of roles (here a single role, validuser).
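
The coarse-grained role check described above, as an added example that is not code from PicketBox or from the original document. It assumes roles are attached to the Subject as instances of a hypothetical RolePrincipal class and uses local PERMIT/DENY constants; how PicketBoxAuthorizationModule does this internally may differ.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.Subject;

public class CoarseRoleCheckExample
{
   // Stand-ins for the decision codes; these values are local to this example.
   static final int PERMIT = 1, DENY = -1;

   // Hypothetical role principal (assumption); PicketBox has its own role types.
   static final class RolePrincipal implements Principal
   {
      private final String name;
      RolePrincipal(String name) { this.name = name; }
      public String getName() { return name; }
   }

   // Parse a "roles" option such as "admin, validuser" into a set of role names,
   // trimming whitespace and dropping empty entries.
   static Set<String> parseRoles(String option)
   {
      if (option == null) return Set.of();
      return Arrays.stream(option.split(","))
            .map(String::trim)
            .filter(s -> !s.isEmpty())
            .collect(Collectors.toSet());
   }

   // Permit only if the subject carries at least one configured role.
   static int authorize(String rolesOption, Subject subject)
   {
      Set<String> allowed = parseRoles(rolesOption);
      for (RolePrincipal p : subject.getPrincipals(RolePrincipal.class))
         if (allowed.contains(p.getName())) return PERMIT;
      return DENY; // no configured roles, or no match: default deny
   }

   public static void main(String[] args)
   {
      Subject anil = new Subject();   // constructed sample subjects
      anil.getPrincipals().add(new RolePrincipal("validuser"));
      Subject guest = new Subject();
      guest.getPrincipals().add(new RolePrincipal("guest"));
      System.out.println("single role, matching subject: " + authorize("validuser", anil));
      System.out.println("role list, matching subject:   " + authorize("admin, validuser", anil));
      System.out.println("single role, other subject:    " + authorize("validuser", guest));
      System.out.println("empty roles option:            " + authorize("", anil));
   }
}
```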
--------------------------------------------------------------