[jboss-jira] [JBoss JIRA] Created: (JBAS-6660) Granting Java2 Security permissions in a policy file only to certain components of an ear file

Robert Panzer (JIRA) jira-events at lists.jboss.org
Tue Mar 24 06:23:22 EDT 2009 

Granting Java2 Security permissions in a policy file only to certain components of an ear file
----------------------------------------------------------------------------------------------

                 Key: JBAS-6660
                 URL: https://jira.jboss.org/jira/browse/JBAS-6660
             Project: JBoss Application Server
          Issue Type: Feature Request
      Security Level: Public (Everyone can see)
          Components: Security
    Affects Versions: JBossAS-4.0.5.GA
         Environment: Win XP, Sun JDK 1.5.0_13, JBoss 4.0.5GA
            Reporter: Robert Panzer
            Assignee: Anil Saldhana
             Fix For: JBossAS-4.0.5.GA


In our application it is necessary to grant permissions as defined by Java2 Security only to certain jars inside the ear and not the
whole application.

Our application runs on JBoss 4.0.5GA so all descriptions refer to this version.

Support was already added to the MainDeployer and UnifiedClassLoader to remember the original URL aka origUrl so that 
the UnifiedClassLoader retrieves the permissions from the policy file using the origURL as codeSource.
The "real" codeBase might point to a temporary jar in the tmp/ directory, so this is already a enhancement.

Unfortunately the origURL always references the top most component of a DeploymentInfo hierarchy.

To clarify this let me give the following example of an ear file:
jboss
  +-- server
         +-- deploy
              +-- MyApp.ear
                     +-- MyEJB.jar

When checking a permission in MyEJB.jar the origURL always points to file:/.../server/deploy/MyApp.ear.
But I'd prefer to let it point to file:/xxx/jboss/server/deploy/MyApp.ear/MyEJB.jar so that I'm able to grant permissions
only to the MyEJB.jar using an entry in the policy file like:
grant codeBase "${jboss.server.home.url}deploy/MyApp.ear/MyEJB.jar" {
	permission com.foo.MyPermission "A";
	permission com.foo.MyPermission "B";
};

I have already prepared a patch that works for me:
Added in the class org.jboss.deployment.DeploymentInfo in jboss-system.jar:
 
> 294
    URL policyCodeSourceUrl = getPolicyCodeSourceUrl();
    log.info("Map Policy CodeSource for "+localUrl+" to "+policyCodeSourceUrl);
    ucl.setPolicyCodeSourceUrl(localUrl, policyCodeSourceUrl); 
 
> 310
private URL getPolicyCodeSourceUrl() throws Exception {
    DeploymentInfo current = this;
    StringBuffer sOrigURL = new StringBuffer();
    while (current.parent != null)
    {
        sOrigURL.insert(0, "/"+current.shortName);
        current = current.parent;
    } 
    String currentUrl = current.url.toExternalForm();
    if (currentUrl.endsWith("/"))
        sOrigURL.insert(0, currentUrl.substring(0, currentUrl.length()-1));
    else
        sOrigURL.insert(0, currentUrl);
    
    URL policyCodeSourceUrl = new URL(sOrigURL.toString());
    return policyCodeSourceUrl;
}
 
 
Added in the class org.jboss.mx.loading.RepositoryClassLoader in jboss-jmx.jar:
 
> 95
/** Maps the local URLs from the repository to URLs pointing to the jar file in the deploy dir,
* even into an ear file.
*/
Map localUrl2PolicyCodeSourceUrlMap = new HashMap();
 
> 761
public void setPolicyCodeSourceUrl(URL localUrl, URL policyCodeSourceUrl) {
    localUrl2PolicyCodeSourceUrlMap.put(localUrl, policyCodeSourceUrl);
}
 
public URL getPolicyCodeSourceUrl( URL localUrl ) {
    return (URL)localUrl2PolicyCodeSourceUrlMap.get(localUrl);
}
 
Added in class org.jboss.mx.loading.UnifiedClassLoader in jboss-jmx.jar :
 
> 238:
URL policyCodeSourceUrl = getPolicyCodeSourceUrl(cs.getLocation());
if (policyCodeSourceUrl!=null) {
    permCS = new CodeSource(policyCodeSourceUrl, cs.getCertificates());
}


Basically, at deployment time a URL is composed of the complete origUrl of the topmost component and the short names
of all sub deployments. Then a mapping from the localURL, that is the codeSource when checking the permission, to the composed Url is stored 
in the RepositoryClassLoader. When the UnifiedClassLoader.getPermissions(CodeSource cs) is called for a local URL the permissions for the composed 
CodeBase are returned.

This already works in our environment. Do you think that this requirement and the approach to solve our problem is ok?



-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list