[equinox security] JAAS: Principal based authorization [message #116681] Fri, 29 August 2008 13:34
Mark Hoffmann
Hi,
first of all, thank you for the JAAS authentication in 3.4. I introduced it
into my application. It's really easy to implement.
Now I am trying to run my app with a SecurityManager and a policy file.

But statements in my policy file like this:

grant Principal jaas.SamplePrincipal "testUser" {
permission jaas.TestPermission "*", "test";
};

with

Subject.doAsPrivileged

in my code work fine in a Java app, but not in Equinox/Eclipse RCP. Is
that because of the OSGi compatibility with Java below 1.4? I think the
principal-based policy file was introduced in 1.4. Is it possible to use
this principal-based authorization in Equinox?

Mark
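
The plain-Java behaviour described in this post, as an added example that is not part of the original thread. SamplePrincipal and TestPermission are stand-ins (the post names jaas.SamplePrincipal and jaas.TestPermission but does not show them), PrincipalPolicy is a hypothetical Policy that encodes the same grant in code instead of a policy file, and a JDK where the java.security access-control API is still functional (Java 8 to 17) is assumed.

```java
import java.security.*;
import java.util.Collections;
import javax.security.auth.Subject;

public class PrincipalGrantDemo {
    // Stand-in for the page's jaas.SamplePrincipal (assumed shape).
    static final class SamplePrincipal implements Principal {
        private final String name;
        SamplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Stand-in for the page's jaas.TestPermission (assumed shape).
    static final class TestPermission extends BasicPermission {
        TestPermission(String name, String actions) { super(name, actions); }
    }

    // Hypothetical Policy encoding the page's grant in code:
    //   grant Principal jaas.SamplePrincipal "testUser" { permission jaas.TestPermission "*", "test"; };
    static final class PrincipalPolicy extends Policy {
        private final Permission granted = new TestPermission("*", "test");
        @Override public boolean implies(ProtectionDomain domain, Permission requested) {
            // Principals reach the Policy only through the ProtectionDomain being checked.
            for (Principal p : domain.getPrincipals()) {
                if (p instanceof SamplePrincipal && "testUser".equals(p.getName())) {
                    return granted.implies(requested); // BasicPermission wildcard match
                }
            }
            return false; // no matching principal on this domain: nothing granted
        }
    }

    // True if the current access control context holds TestPermission "report".
    static boolean allowed() {
        try {
            AccessController.checkPermission(new TestPermission("report", "test"));
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new PrincipalPolicy());
        Subject subject = new Subject(true, Collections.singleton(new SamplePrincipal("testUser")),
                Collections.emptySet(), Collections.emptySet());
        System.out.println("without subject: " + allowed());
        System.out.println("doAsPrivileged:  " + Subject.doAsPrivileged(
                subject, (PrivilegedAction<Boolean>) PrincipalGrantDemo::allowed, null));
    }
}
```

The same check runs twice; only the call made through Subject.doAsPrivileged is evaluated against a protection domain that carries the subject's principals, which is what a principal-based grant matches on.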
Re: [equinox security] JAAS: Principal based authorization [message #116685 is a reply to message #116681] Fri, 29 August 2008 15:05
Oleg Besedin
Hi Mark,
I don't have a ready answer. It should work, but I haven't tried to do it
myself. A couple of points that could be of interest:
- do you specify a security manager when running Eclipse? Also see the
"eclipse.security" runtime option (might put a breakpoint in
org.eclipse.osgi.framework.internal.core.Framework#installSecurityManager()
for debugging)
- location of the policy file - is it a URL that can be resolved in an OSGi
bundle?

It would be nice to have a working example for this use case. If you are
interested in doing it, feel free to open a bug on Equinox/Security and put
code there. If I can get some time, I'll try to work on it too. We could add
this into the org.eclipse.equinox.security.sample bundle.

It would be even more interesting to explore this direction in general and
see how it fits with OSGi permissions (PermissionAdmin,
ConditionalPermissionAdmin).

Sincerely,
Oleg Besedin
Re: [equinox security] JAAS: Principal based authorization [message #116707 is a reply to message #116685] Fri, 29 August 2008 15:35
Mark Hoffmann
Hi Oleg,

I run my RCP with the following VM args:
-Djava.security.manager
-Djava.security.policy=${workspace_loc}/TestSecureRCP/config/sample.policy
This works because if I change some of the FilePermissions I get the
corresponding SecurityExceptions.

I will raise a bug. I have a plain Java application example and a
non-working RCP example, based on the Mail Template :-). I will attach the
code to the bug. In general my own permissions work but not with the
JAAS principals. There is also a permissions.perm file in the OSGI-INF
folder. Which role does it play?

I played around with UserAdmin service. Obviously you can do some
authorization with it.

My general intention is to create a client-server based multi-user
environment (I already did it, with a JEE5 server and RCP client).
So I need authorization on the client to hide UI elements and suppress
extension points. So the best way would be to prevent the loading of bundles
that are not allowed for the authenticated subject.

Imagine a CRM client (RCP client) with two modules (features): contacts
and calendar.
The user "A" authenticates with the server using JAAS. Now he gets a
calendar principal. A can work with his calendar. In spite of the
installed contacts feature, the contacts bundles should not be
available for A, neither code nor extension points.
The admin now assigns A the right to use contacts.
Now if A logs in again both features should be available for him,
without downloading this feature.

Such things in an example would be really great.
I'll help you if you want, but I'm new to OSGi.

Mark
