Permission-Based Security Fundamentals

Before we launch into a detailed discussion of the MX4J security design, we'll quickly review the fundamental concepts behind Java's permission-based access control mechanism.

1 Permissions

In the Java 2 security model a permission is the authority to access a particular resource or to perform a particular operation. The abstract java.security.Permission class and its subclasses represent permissions at runtime. For example, in the statement

FilePermission fp = new FilePermission("/etc/passwd", "read,write");

fp represents permission to read and write the /etc/passwd file. In the statement

RuntimePermission rp = new RuntimePermission("exitVM"); 

rp represents permission to shut down the JVM.

FilePermission and RuntimePermission are part of the standard set of J2SE permissions. MX4J defines its own permissions to control access to JMX-based resources and operations.

2 SecurityManager

The Java SecurityManager class is responsible for enforcing security policy. It does so by determining whether or not the class making a given request has the necessary permission. In code these checks generally take the following form:

SecurityManager sm = System.getSecurityManager();
if (sm != null) {
  // <RequiredPermission> stands for whichever Permission subclass guards this operation
  sm.checkPermission(new <RequiredPermission>(target, action));
}

If the call to checkPermission() succeeds, execution continues normally; otherwise a SecurityException is thrown. The checkPermission() method succeeds if the permissions associated with the class calling it either contain or imply the permission that is passed to it as a parameter; that is, in the preceding example, checkPermission() succeeds if the class calling it has been granted RequiredPermission(target, action).

3 Policy

Permissions are granted to classes via Java's policy mechanism. By default, policy is specified by statements in a simple policy language. For example, the policy "any class signed by Root may read and write /etc/passwd" is specified by the following statement:

grant signedBy "Root" {
  permission java.io.FilePermission "/etc/passwd", "read,write";
};

Permissions may be granted to code signed by a specific signer as just illustrated, or to code loaded from a specific URL, as here:

grant codeBase "file:/opt/java/mx4j.jar" {
  permission java.util.PropertyPermission "java.home", "read";
};

This statement allows code loaded from /opt/java/mx4j.jar to read the java.home system property.

A concrete extension of the abstract java.security.Policy class is responsible for reading policy statements and mapping from a class's code source and signer attributes to the corresponding permissions at runtime.
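The three pieces above (a custom Permission subclass, the SecurityManager check pattern, and a Policy that grants permissions) fit together as in the following added example; it is illustration code written for this page, not MX4J's own, and AgentPermission, Agent and DemoPolicy are hypothetical names. The policy is supplied programmatically rather than from a policy file so that the example runs with no external configuration.

```java
import java.security.BasicPermission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;

// Hypothetical permission guarding agent operations (not an MX4J class).
// BasicPermission gives name-based permissions with wildcard support for free.
class AgentPermission extends BasicPermission {
    AgentPermission(String name) { super(name); }
}

// A resource that applies the check pattern from section 2 before acting.
class Agent {
    private void check(String operation) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new AgentPermission(operation));
        }
    }
    String status()   { check("status");   return "running"; }
    void   shutdown() { check("shutdown"); System.out.println("agent stopped"); }
}

public class PermissionDemo {
    // Programmatic Policy: every code source gets AgentPermission "status" only,
    // the equivalent of a grant block that lists just that permission.
    static class DemoPolicy extends Policy {
        @Override
        public PermissionCollection getPermissions(ProtectionDomain domain) {
            Permissions perms = new Permissions();
            perms.add(new AgentPermission("status"));
            return perms;
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new DemoPolicy());            // install policy first,
        System.setSecurityManager(new SecurityManager()); // then start enforcing it
        Agent agent = new Agent();
        System.out.println("status: " + agent.status()); // granted: prints "running"
        try {
            agent.shutdown();                            // not granted
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The example needs a JDK on which the Security Manager is still available; JDK 18 to 23 require `-Djava.security.manager=allow` on the command line before `System.setSecurityManager` will succeed.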

In this section we have identified only the principal aspects of the Java 2 security architecture. For a detailed treatment of the topic, see Li Gong's book Inside Java 2 Platform Security: Architecture, API Design, and Implementation (Addison-Wesley, 1999).
