[equinox-dev] custom OSGI JAAS authorization implementation doesn't work

I have created a beautiful database-driven implementation of JAAS based on this book http://www.jaasbook.com/ that includes a custom implementation of:

javax.security.auth.callback.CallbackHandler for input login info
javax.security.auth.login.Configuration for database based loginmodule aggregation
java.security.Policy permissions retrieved from database
java.security.BasicPermission for testing

When I start the program (I'm actually using the http service, so I'm setting this up in the HttpServlet.init function) I set up the config and policy:

    Configuration.setConfiguration(new xConfig());
    Policy.setPolicy(new xPolicy());
    System.setSecurityManager(new SecurityManager());

and then try to log in:

    xHandler handler = new xHandler();
    LoginContext context = new LoginContext("app", handler);

Everything works to this point, but when I try to do a test check:

    Subject subject = context.getSubject();
    new PrivilegedAction() {
        public Object run() {
            // Both tested
            // java.security.AccessController.checkPermission(new xPermission("xname", "xaction"));
            System.getSecurityManager().checkPermission(new xPermission("xname", "xaction"));
            return null;
        }
    };

Nothing happens. The xPermission implementation ALWAYS returns false from the implies() function, but the thing never throws the expected SecurityException/AccessControlException.

Debugging the process, I got to the Policy.implies(domain, permission) function, where I call Policy.getPermissions(domain) to get the permissions collection and permissions.implies(permission) to do the actual check. The returned permissions collection contains the actual permissions granted to the principals belonging to the authenticated user, OR AllPermissions IF the domain passed to the getPermissions function doesn't have a Principal (to allow everything that doesn't have to do with my custom checks).

But somehow the Policy.implies function is checking the SAME permission twice using two different domains: one is my bundle domain com.mycompany.mybundle and the other is the org.eclipse.osgi bundle. The problem is that somehow the first attempt with my domain (which returns false every time) doesn't throw the AccessControlException until the second attempt with the osgi domain. The worst thing is that it looks like the osgi domain attempt is the only one that counts, because if I probe for the osgi domain and return false then the exception is thrown no matter whether true or false was returned the last time.

This appears to happen ONLY in the OSGi environment, because if I test this in a plain Java main program everything works as expected. Any clues? Thanks.
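The policy decision described in the message above, as an added example that is not the poster's code: domains with principals get only their stored grants, domains without principals get AllPermission, and the result is evaluated per domain the way an access check does, where every domain in the context must imply the permission. DemoPermission, DbPolicy, GRANTS, the principal CN=alice and the permission names are hypothetical stand-ins; the policy is called directly and never installed.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class PolicyDomainDemo {
    // Hypothetical stand-in for the poster's xPermission.
    static final class DemoPermission extends BasicPermission {
        DemoPermission(String name) { super(name); }
    }
    // Constructed sample data standing in for the database: principal -> grants.
    static final Map<String, List<Permission>> GRANTS = Map.of(
        "CN=alice", List.of(new DemoPermission("reports.read")));

    // Domains that carry principals get only their stored grants;
    // domains with no principals get AllPermission.
    static final class DbPolicy extends Policy {
        @Override public PermissionCollection getPermissions(ProtectionDomain domain) {
            Permissions perms = new Permissions();
            Principal[] principals = domain.getPrincipals();
            if (principals.length == 0) perms.add(new AllPermission());
            for (Principal p : principals)
                for (Permission g : GRANTS.getOrDefault(p.getName(), List.of()))
                    perms.add(g);
            return perms;
        }
        @Override public boolean implies(ProtectionDomain domain, Permission permission) {
            return getPermissions(domain).implies(permission);
        }
    }

    // Constructed domain: no code source and no static permissions, so the policy decides.
    static ProtectionDomain domain(Principal... principals) {
        return new ProtectionDomain(null, null, null, principals);
    }

    public static void main(String[] args) {
        Policy policy = new DbPolicy();
        Permission wanted = new DemoPermission("reports.write"); // not granted to alice
        ProtectionDomain[] context = {
            domain(new X500Principal("CN=alice")), // domain carrying the subject's principal
            domain()                               // domain with no principals
        };
        boolean allowed = true;
        for (ProtectionDomain d : context) {
            boolean ok = policy.implies(d, wanted);
            System.out.println(Arrays.toString(d.getPrincipals()) + " implies: " + ok);
            allowed &= ok; // one refusing domain is enough to fail the whole check
        }
        System.out.println("check passes: " + allowed);
    }
}
```

Logging the principals of each domain passed to Policy.implies in this way shows which of the two domains is receiving the AllPermission branch.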