8.2 Permission-Based Security Fundamentals
Before we launch into a detailed discussion of the MX4J security design, we'll quickly review the fundamental concepts behind Java's permission-based access control mechanism.
8.2.1 Permissions
In the Java 2 security model a permission is the authority to access a particular resource or to perform a particular operation. The class java.security.Permission and its subclasses represent permissions at runtime. For example, in the statement
FilePermission fp = new FilePermission("/etc/passwd", "read,write");
fp represents permission to read and write the /etc/passwd file. In the statement
RuntimePermission rp = new RuntimePermission("exitVM");
rp represents permission to shut down the JVM.
FilePermission and RuntimePermission are part of the standard set of J2SE permissions. MX4J defines its own permissions to control access to JMX-based resources and operations.
8.2.2 SecurityManager
The Java SecurityManager class is responsible for enforcing security policy. It does so by determining whether or not the class making a given request has the necessary permission. In code these checks generally take the following form:
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new <RequiredPermission>(target, action));
}
If the call to checkPermission() succeeds, execution continues normally; otherwise a SecurityException is thrown. The checkPermission() method succeeds if the permissions associated with the calling class either contain or imply the permission passed to it as a parameter. In the preceding example, then, checkPermission() succeeds if the calling class has been granted RequiredPermission(target, action).
8.2.3 Policy
Permissions are granted to classes via Java's policy mechanism. By default, policy is specified by statements in a simple policy language. For example, the policy "any class signed by Root may read and write /etc/passwd" is specified by the following statement:
grant signedBy "Root" {
    permission java.io.FilePermission "/etc/passwd", "read,write";
};
Permissions may be granted to code signed by a specific signer as just illustrated, or to code loaded from a specific URL (a code base), as here:
grant codeBase "file:/opt/java/mx4j.jar" {
    permission java.util.PropertyPermission "java.home", "read";
};
This statement allows code loaded from /opt/java/mx4j.jar to read the java.home system property.
A concrete extension of the abstract class java.security.Policy is responsible for reading policy statements and mapping from a class's code source and signer attributes to the corresponding permissions at runtime.
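The following added example (not MX4J code, and not from the original text) ties the three concepts together: a custom Permission subclass in the style of FilePermission, with an implies() that supports a trailing "*" wildcard on the target name, and a guarded operation that performs the SecurityManager check shown in 8.2.2. ReportPermission, ReportService-style readReport() and the code base in the policy comment are hypothetical names chosen for illustration.

```java
import java.security.Permission;

// Hypothetical permission guarding named "report" resources with the
// actions "read" and "write" (save as ReportPermission.java).
public final class ReportPermission extends Permission {
    private static final int READ = 1, WRITE = 2;
    private final int mask;

    public ReportPermission(String name, String actions) {
        super(name);
        int m = 0;
        for (String a : actions.split(",")) {
            switch (a.trim()) {
                case "read":  m |= READ;  break;
                case "write": m |= WRITE; break;
                default: throw new IllegalArgumentException("unknown action: " + a);
            }
        }
        mask = m;
    }

    // A granted permission implies a requested one when its actions cover the
    // requested actions and its name matches exactly or via a trailing "*".
    @Override public boolean implies(Permission p) {
        if (!(p instanceof ReportPermission)) return false;
        ReportPermission r = (ReportPermission) p;
        if ((mask & r.mask) != r.mask) return false;
        String n = getName();
        if (n.endsWith("*")) return r.getName().startsWith(n.substring(0, n.length() - 1));
        return n.equals(r.getName());
    }

    @Override public String getActions() {
        if (mask == (READ | WRITE)) return "read,write";
        return mask == READ ? "read" : "write";
    }
    @Override public boolean equals(Object o) {
        return o instanceof ReportPermission && ((ReportPermission) o).mask == mask
            && ((ReportPermission) o).getName().equals(getName());
    }
    @Override public int hashCode() { return getName().hashCode() ^ mask; }

    // The check pattern from 8.2.2; a no-op when no SecurityManager is installed.
    public static String readReport(String name) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new ReportPermission(name, "read"));
        return "constructed contents of " + name;
    }

    public static void main(String[] args) {
        ReportPermission granted = new ReportPermission("reports/*", "read,write");
        System.out.println(granted.implies(new ReportPermission("reports/q1", "read")));
        System.out.println(granted.implies(new ReportPermission("audit/q1", "read")));
        System.out.println(readReport("reports/q1"));
        // Policy grant that would satisfy the check under a SecurityManager
        // (hypothetical code base):
        //   grant codeBase "file:/opt/app/reports.jar" {
        //       permission ReportPermission "reports/*", "read,write";
        //   };
    }
}
```

Run with a SecurityManager and a policy file lacking the grant above, and readReport() throws the SecurityException described in 8.2.2; with the grant in place it returns normally.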
In this section we have identified only the principal aspects of the Java 2 security architecture. For a detailed treatment of the topic, see Li Gong's book Inside Java 2 Platform Security: Architecture, API Design, and Implementation (Addison-Wesley, 1999).