RCP App and role based, dynamic policy [message #48546] |
Fri, 03 June 2005 08:54 |
Eclipse User |
|
|
|
Originally posted by: NoStier.Spam.rs-system.de
Hi there!
I'm new to the equinox thing and I hope it's the right place for this
discussion...
I'm about to implement an RCP application which has to be secured in
several ways. I've worked on a solution for several days and would like
to discuss it, to see if I'm missing something.
Requirements
1. Application and Resources
- modifications on the codesource and resources (our plugins and
platform) must be detected and in case of modification execution prevented.
- additional plugins are not allowed.
2. Application Data
- application data is stored within an RDBMS.
- access to application data is governed by an application policy which
is stored within the RDBMS too.
- policy is pricipal/role based
Desgin
I've decided to implement security based on JAAS (JDK 5.0).
The system policy must be protected against modifications. Suns
PolicyFile policy (java.policy) therfore is not suitable for desktop
applications.
I've decided to implement an own policy class based on
java.security.Policy: MyPolicy. It grants AllPermission to the whole
platform codesource. Since it will be a "closed" RCP application, this
will be sufficient.
I will sign any application jar to prevent modifications within the
platform.
To enable MyPolicy from the start it must be defined in java.security as
"policy.provider=MyPolicy". This makes it necessary to add MyPolicy to
the bootclasspath.
Application data is governed by a policy which is stored within an RDBS
thus not available at initialization of MyPolicy. I've added two methods
to MyPolicy: addPolicyProvider(IPolicyProvider) and
removePolicyProvider(IPolicyProvider) which allow to add or remove
dynamically a set of grant entries like the ones in java.policy.
If a user authenticates to an application RDBMS, the policy of this
RDBMS will be added to MyPolicy.
If he logs out, it will be removed accordingly.
The policy within the RDBMS is protected by encryption.
Any comments?
Is there anything in equinox/OSGi which achieves the same functionality
with standardized means?
regards
Markus
|
|
|
|
Powered by
FUDForum. Page generated in 0.03045 seconds