JAZN, programmatic permission checks without SecurityManager

Subject: JAZN, programmatic permission checks without SecurityManager
Posted by:  AndyMalakov (andy.malak…@gmail.com)
Date: 30 Aug 2006

Hello All,

Questions to people who are familiar with OC4J security configuration
(specifically XML-based JAZN Security Provider).

I want to use java.security.AccessController.checkPermission() without
SecurityManager in OC4J.

Imagine we have a method Library.deleteUserAccount() that requires any
caller to have LibraryAdministratorRole. So we put a simple check inside
this method:

void deleteUserAccount() {
  // Throws AccessControlException if the calling context lacks the permission
  AccessController.checkPermission(new LibraryAdminPermission());
  // ... code to delete account ...
}

and use OC4J's admintool to define a policy that grants
LibraryAdminPermission to LibraryAdministratorRole.

Here is the problem: At runtime I know that caller's context has
LibraryAdministratorRole principal (oracle.security logger), yet
LibraryAdminPermission is denied.

I can see that Policy.getPolicy() in the same context returns Java's
default policy provider, even if I specify
oracle.security.jazn.spi.PolicyProvider in the
JRE/lib/security/java.security file.

For certain reasons, I can't use the declarative security provided by EJB
descriptors or run the server with a security manager installed. This
scenario works under Orion and Tomcat.

Any ideas, please?

Best Regards,
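
An added diagnostic for the symptom described in the post above (not part of the original post and not Oracle's code): it prints the configured and the actually installed policy provider, then asks that Policy whether a protection domain carrying the role principal is granted the permission. The nested LibraryAdminPermission and RolePrincipal classes and the permission name "library.admin" are hypothetical stand-ins; the principal class the container really uses would have to be substituted, since policy providers typically match principals by class and name.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.Security;

public class PolicyDiagnostics {
  // Hypothetical stand-ins for the post's permission and role principal.
  static final class LibraryAdminPermission extends BasicPermission {
    LibraryAdminPermission() { super("library.admin"); }
  }
  static final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
  }

  public static void main(String[] args) {
    Permission perm = new LibraryAdminPermission();
    Principal role = new RolePrincipal("LibraryAdministratorRole");

    // 1. Compare what java.security configures with what the JVM actually installed.
    System.out.println("policy.provider  = " + Security.getProperty("policy.provider"));
    Policy policy = Policy.getPolicy();
    System.out.println("installed Policy = " + policy.getClass().getName());

    // 2. Build a dynamic domain: this class's code source plus the role principal.
    //    A domain built with this constructor consults the installed Policy on every check.
    CodeSource cs = PolicyDiagnostics.class.getProtectionDomain().getCodeSource();
    ProtectionDomain pd = new ProtectionDomain(
        cs, null, PolicyDiagnostics.class.getClassLoader(), new Principal[] { role });
    System.out.println("policy.implies   = " + policy.implies(pd, perm));

    // 3. Evaluate the same permission through an access control context,
    //    which works without a SecurityManager being installed.
    AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] { pd });
    try {
      acc.checkPermission(perm);
      System.out.println("checkPermission  = granted");
    } catch (AccessControlException e) {
      System.out.println("checkPermission  = denied: " + e.getMessage());
    }
  }
}
```

If the first two lines of output disagree, the configured provider was never loaded, and the remaining results reflect the default policy rather than the container's role grants.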