Security scopes

Last modified by RaffaelloPelagalli on 2007/01/17 13:38

Security scopes

Since release 1.0.0, jGuard provides two security scopes, covering authentication and authorization. These scopes affect jGuard's javax.security.auth.login.Configuration and java.security.Policy implementations.

What is the relation between scopes and java.security.Policy?

In Java, the policy is usually set globally for the whole JVM. In a Java EE application server, multiple applications are hosted in the same JVM (leaving application-server clustering aside).

So, since the policy is central to the Java security architecture, unwanted interactions can occur between multiple web applications.

If you set a SecurityManager and deny the webapps the permissions needed to override the policy jGuard has set, all is fine. But frequently no SecurityManager is set, and multiple applications still need to be secured through JAAS. So, for a long time, jGuard has shipped a MultipleAppPolicy, which can handle multiple applications (each webapp gets an isolated part of the policy).

Each webapp sets this MultipleAppPolicy as the JVM policy if it is not already present, and registers itself to obtain its own isolated part of it. This can be done at runtime. Another, more 'classic' way is to define the policy as a Java parameter when you launch your application server, but this is tedious if you do not have very high security requirements.
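The install-if-absent-then-register pattern described above, as an added illustration that is not jGuard's own code: PerAppPolicy, installIfAbsent and registerApplication are hypothetical names, and the example assumes that each webapp has its own class loader (as servlet containers normally provide) and that code outside any registered webapp falls back to the previously installed policy.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for the MultipleAppPolicy idea above (not jGuard's code): one JVM-wide
// Policy holding an isolated permission set per webapp, keyed by the webapp's class loader.
public class PerAppPolicy extends Policy {
    private final Map<ClassLoader, PermissionCollection> perApp = new ConcurrentHashMap<>();
    private final Policy previous; // policy found in the JVM before installation, used as fallback

    private PerAppPolicy(Policy previous) { this.previous = previous; }

    // Install this policy as the JVM policy only if no PerAppPolicy is installed yet.
    public static synchronized PerAppPolicy installIfAbsent() {
        Policy current = Policy.getPolicy();
        if (current instanceof PerAppPolicy) {
            return (PerAppPolicy) current; // another webapp installed it first: share it
        }
        PerAppPolicy installed = new PerAppPolicy(current);
        // With a SecurityManager active this needs SecurityPermission("setPolicy"), which is
        // exactly what stops a webapp from replacing the policy behind the others' backs.
        Policy.setPolicy(installed);
        return installed;
    }

    // Register a webapp's permissions; only code loaded by appLoader can be granted them.
    public void registerApplication(ClassLoader appLoader, Permission... granted) {
        PermissionCollection pc = new Permissions();
        for (Permission p : granted) pc.add(p);
        pc.setReadOnly();
        perApp.put(appLoader, pc);
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        ClassLoader loader = domain.getClassLoader(); // null for bootstrap classes
        PermissionCollection pc = loader == null ? null : perApp.get(loader);
        if (pc != null) {
            return pc.implies(permission); // isolated decision: other webapps' grants are invisible
        }
        // Code outside any registered webapp (the container, JDK classes) keeps what the
        // previously installed policy granted it.
        return previous != null && previous.implies(domain, permission);
    }
}
```

A webapp that calls installIfAbsent() a second time gets the shared instance back rather than replacing it, which is the check the paragraph above relies on.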

But sometimes other products rely on different Policy implementations and need to replace jGuard's policy; also, one requirement for sharing the policy between multiple webapps (with MultipleAppPolicy) is to put some jars in the 'shared libraries' directory of your application server, which some developers may find either tedious or not feasible in their IT environment.

So, since the 1.0.0 release, jGuard provides a policy (with the 'local' scope) specific to each webapp, which does not interact with a global policy set on the JVM. Other webapps can use their own policy (in their own local mode) or use the 'jvm' scope, and cannot reach this policy: it is 'local' to the webapp that set it. This local mode also does not require any 'shared library directory' mechanism.

local scope

This is the default scope when none is set.

It allows authentication and authorization settings to be defined locally to the webapp, so the Configuration only contains settings for that webapp. In the same way, the authorization settings (the policy) are specific to each webapp.

With this scope, if multiple webapps are secured by jGuard, their authentication and authorization settings are completely independent, with no links between webapps.

This scope is the easiest way to use jGuard, but it uses the same Java security classes as the jvm scope.

jvm scope

This scope relies on the standard Java security architecture. It is the more secure way, but it is less easy to set up.

Created by diabolo512 on 2006/12/16 01:47

jGuard team copyright 2004-2009