[jboss-user] [Security & JAAS/JBoss] - JBoss 4.2.3: non-compliant behavior of JACC implementation?

kcg do-not-reply at jboss.com
Tue Feb 3 15:28:15 EST 2009

I'm porting our custom JACC provider to JBoss. For access control I've found that JBoss is using not recommended practice of calling `getPermission' on policy provider. JACC 1.0 final release specification claims that after this call container must call `implies' method on the returned PermissionCollection object. My debug messages proof that this is not the case with JBoss 4.2.3GA. For your reference, this is ``4.8 Checking the Caller for a Permission'' specification paragraph, where someone might read: anonymous wrote : The J2EE 1.4 container calls
  | java.security.Policy.getPermissions with an argument
  | ProtectionDomain that was constructed with the principals of the caller. The
  | container must call the implies method on the returned
  | PermissionCollection using the permission being checked as argument. If the
  | PermissionCollection implies the permission being tested, the permission has
  | been granted to the caller. Otherwise it has not. This technique is supported but
  | not recommended.

Am I doing anything wrong or is it really a non-compliant bit of JBoss JACC implementation?
Our JACC provider is written in a way that it requires to have `implies' called on the policy provider. So I written simple facade PermissionCollection which behave like normal permission collection, but delegates it's implies to the policy provider. The problem is, its `implies' is not called. Do you have any idea how to convience JBoss to call either implies on the returned value from getPermission or implies directly on the policy provider?
Karelanonymous wrote : 

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4206710#4206710

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4206710

More information about the jboss-user mailing list