[jboss-jira] [JBoss JIRA] Resolved: (JBAS-6660) Granting Java2 Security permissions in a policy file only to certain components of an ear file

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Mon Oct 26 14:35:05 EDT 2009 

     [ https://jira.jboss.org/jira/browse/JBAS-6660?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anil Saldhana resolved JBAS-6660.
---------------------------------

    Resolution: Done


Robert has checked in the patch at:  http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas?view=revision&revision=95569

Anyone interested in this patch, should build an AS distribution from:
http://anonsvn.jboss.org/repos/jbossas/branches/Branch_4_2/

> Granting Java2 Security permissions in a policy file only to certain components of an ear file
> ----------------------------------------------------------------------------------------------
>
>                 Key: JBAS-6660
>                 URL: https://jira.jboss.org/jira/browse/JBAS-6660
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-4.0.5.GA
>         Environment: Win XP, Sun JDK 1.5.0_13, JBoss 4.0.5GA
>            Reporter: Robert Panzer
>            Assignee: Anil Saldhana
>             Fix For: JBossAS-Branch_4_2
>
>
> In our application it is necessary to grant permissions as defined by Java2 Security only to certain jars inside the ear and not the
> whole application.
> Our application runs on JBoss 4.0.5GA so all descriptions refer to this version.
> Support was already added to the MainDeployer and UnifiedClassLoader to remember the original URL aka origUrl so that 
> the UnifiedClassLoader retrieves the permissions from the policy file using the origURL as codeSource.
> The "real" codeBase might point to a temporary jar in the tmp/ directory, so this is already a enhancement.
> Unfortunately the origURL always references the top most component of a DeploymentInfo hierarchy.
> To clarify this let me give the following example of an ear file:
> jboss
>   +-- server
>          +-- deploy
>               +-- MyApp.ear
>                      +-- MyEJB.jar
> When checking a permission in MyEJB.jar the origURL always points to file:/.../server/deploy/MyApp.ear.
> But I'd prefer to let it point to file:/xxx/jboss/server/deploy/MyApp.ear/MyEJB.jar so that I'm able to grant permissions
> only to the MyEJB.jar using an entry in the policy file like:
> grant codeBase "${jboss.server.home.url}deploy/MyApp.ear/MyEJB.jar" {
> 	permission com.foo.MyPermission "A";
> 	permission com.foo.MyPermission "B";
> };
> I have already prepared a patch that works for me:
> Added in the class org.jboss.deployment.DeploymentInfo in jboss-system.jar:
>  
> > 294
>     URL policyCodeSourceUrl = getPolicyCodeSourceUrl();
>     log.info("Map Policy CodeSource for "+localUrl+" to "+policyCodeSourceUrl);
>     ucl.setPolicyCodeSourceUrl(localUrl, policyCodeSourceUrl); 
>  
> > 310
> private URL getPolicyCodeSourceUrl() throws Exception {
>     DeploymentInfo current = this;
>     StringBuffer sOrigURL = new StringBuffer();
>     while (current.parent != null)
>     {
>         sOrigURL.insert(0, "/"+current.shortName);
>         current = current.parent;
>     } 
>     String currentUrl = current.url.toExternalForm();
>     if (currentUrl.endsWith("/"))
>         sOrigURL.insert(0, currentUrl.substring(0, currentUrl.length()-1));
>     else
>         sOrigURL.insert(0, currentUrl);
>     
>     URL policyCodeSourceUrl = new URL(sOrigURL.toString());
>     return policyCodeSourceUrl;
> }
>  
>  
> Added in the class org.jboss.mx.loading.RepositoryClassLoader in jboss-jmx.jar:
>  
> > 95
> /** Maps the local URLs from the repository to URLs pointing to the jar file in the deploy dir,
> * even into an ear file.
> */
> Map localUrl2PolicyCodeSourceUrlMap = new HashMap();
>  
> > 761
> public void setPolicyCodeSourceUrl(URL localUrl, URL policyCodeSourceUrl) {
>     localUrl2PolicyCodeSourceUrlMap.put(localUrl, policyCodeSourceUrl);
> }
>  
> public URL getPolicyCodeSourceUrl( URL localUrl ) {
>     return (URL)localUrl2PolicyCodeSourceUrlMap.get(localUrl);
> }
>  
> Added in class org.jboss.mx.loading.UnifiedClassLoader in jboss-jmx.jar :
>  
> > 238:
> URL policyCodeSourceUrl = getPolicyCodeSourceUrl(cs.getLocation());
> if (policyCodeSourceUrl!=null) {
>     permCS = new CodeSource(policyCodeSourceUrl, cs.getCertificates());
> }
> Basically, at deployment time a URL is composed of the complete origUrl of the topmost component and the short names
> of all sub deployments. Then a mapping from the localURL, that is the codeSource when checking the permission, to the composed Url is stored 
> in the RepositoryClassLoader. When the UnifiedClassLoader.getPermissions(CodeSource cs) is called for a local URL the permissions for the composed 
> CodeBase are returned.
> This already works in our environment. Do you think that this requirement and the approach to solve our problem is ok?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list