Negative Permissions

Last modified by RaffaelloPelagalli on 2006/12/16 01:40


positive permissions mechanism

By default, jGuard uses positive permissions.

When a user or a library tries to access a resource, Java enforces a check against a permission specified by the resource: the resource calls the checkPermission method of the AccessController class with the chosen permission.

Permission myPermission = new MyPermission(permissionName,permissionActions);
AccessController.checkPermission(myPermission);

Note that the resource can instead call the checkPermission method of the SecurityManager, which delegates the check to AccessController if a SecurityManager is set. The only difference is that AccessController.checkPermission always performs the check, even if the SecurityManager is not set, whereas the SecurityManager performs the check only if it is set, and delegates it to AccessController.

Permission myPermission = new MyPermission(permissionName, permissionActions);
SecurityManager securityManager = System.getSecurityManager();
if (securityManager != null) {
    securityManager.checkPermission(myPermission);
}

This call verifies that the user or library holds one or more permissions implied by this permission. If that is true, access is granted.

Only one permission is necessary to grant access, even if all the others are not implied by the permission that guards the resource.

negative permissions mechanism

Negative permissions are enabled in the webapp by including this parameter in your web.xml file:

<context-param>
	<param-name>negativePermissions</param-name>
	<param-value>true</param-value>
</context-param>

This mechanism grants access if no permission implies the checked permission.

If one or more permissions imply the requested permission, access will NOT be granted: it will be blocked.

So, if one (or more) of the permissions of the user (or library) implies the checked permission, it acts as a veto.
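
The two decision rules side by side, as an added example that is not jGuard's own code: it models the rule with the standard java.security.Permissions collection and follows the direction stated in this section (a held permission implies the checked one). The MyPermission subclass, the permission names and the class name NegativePermissionsDemo are assumptions made for illustration. The last case shows that, under the negative rule, a subject holding no permissions at all is granted every resource.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;

public class NegativePermissionsDemo {

    // Hypothetical permission type; BasicPermission supplies wildcard names such as "report.*".
    static final class MyPermission extends BasicPermission {
        MyPermission(String name) { super(name); }
    }

    // Positive rule: one held permission implying the checked one is enough to grant access.
    static boolean positiveCheck(Permissions held, Permission checked) {
        return held.implies(checked);
    }

    // Negative rule: any held permission implying the checked one is a veto.
    static boolean negativeCheck(Permissions held, Permission checked) {
        return !held.implies(checked);
    }

    static void report(String subject, Permissions held, Permission checked) {
        System.out.printf("%-10s %-14s positive=%-6s negative=%s%n",
                subject, checked.getName(),
                positiveCheck(held, checked) ? "GRANT" : "DENY",
                negativeCheck(held, checked) ? "GRANT" : "DENY");
    }

    public static void main(String[] args) {
        // Constructed sample data: a user holding two permissions.
        Permissions user = new Permissions();
        user.add(new MyPermission("report.*"));
        user.add(new MyPermission("admin.console"));

        // Constructed sample data: a subject with no permissions at all.
        Permissions anonymous = new Permissions();

        Permission[] checks = {
            new MyPermission("report.read"),   // implied by "report.*"
            new MyPermission("admin.console"), // implied by an exact match
            new MyPermission("user.profile")   // implied by nothing the user holds
        };
        for (Permission checked : checks) {
            report("user", user, checked);
        }
        // An empty permission set vetoes nothing, so the negative rule grants access.
        report("anonymous", anonymous, new MyPermission("admin.console"));
    }
}
```

When negativePermissions is set to true, the permission set of every subject therefore has to be reviewed as a deny list: a subject with a missing or empty set is unrestricted.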

mixing positive and negative permissions

This mechanism is not yet available. It can be useful in some cases, but may add complexity to managing your application.

It will be added if users ask for it.

Created by diabolo512 on 2006/12/16 01:39

jGuard team copyright 2004-2009
3.1.1