Tuesday, November 20, 2007

Getting this out before the new year rolls in

Better late than never. I presented a BOF at JavaOne 07 with Jeff Trent. We talked about JavaSE, JavaEE and JACC security, and we focused on the authorization aspects of security. The idea was to give folks a 101 on JavaSE and JavaEE (my fingers want to type J2EE so badly) security and how JACC bridges the gap between the two worlds. Yup, before JACC the authorization models in JavaSE and JavaEE were very different.
Another pre-JACC problem is that in the JavaEE world there was no standard way to plug in third-party authorization providers. Each app server supported a different mix (if any). Even if your app server vendor supported a third-party authorization provider plug-in, the moment you switched app servers that integration went kaput.
JACC solves this problem cleanly and in a portable fashion.

JavaSE deals with Permission, ProtectionDomain, the SecurityManager and the AccessController. The JavaEE model dealt with security-constraint (web.xml) and method-permission (ejb-jar.xml) elements, and every app server handled these in its own way. The JACC spec (JSR 115) unifies the two: security constraints and method permissions are expressed as JavaSE Permission objects that a java.security.Policy can answer for. The spec is basically divided into three parts: the Provider Configuration, Policy Configuration, and Policy Decision and Enforcement contracts. Now I would have named these contracts a little differently, e.g. the App Server, Deployment Tool and Runtime contracts, or something along those lines. You get the drift?

Read on for the lowdown on the three contracts.

The first contract deals with how an app server installs a JACC provider and what a compliant provider must do. In practice the server names the provider classes through two system properties, javax.security.jacc.PolicyConfigurationFactory.provider (the PolicyConfigurationFactory implementation) and javax.security.jacc.policy.provider (the java.security.Policy subclass). (See JSR 115 for the normative text.)
The second contract introduces new permission classes (WebResourcePermission, WebUserDataPermission, WebRoleRefPermission, EJBMethodPermission and EJBRoleRefPermission) and sets the rules for translating security constraints and method permissions into them. The deployment tool adds the resulting permissions to the provider's PolicyConfiguration for the module, as role-scoped, unchecked or excluded permissions, and then commits that configuration so the provider puts it in service.
The third contract assigns responsibility for policy enforcement (the PEP, policy enforcement point) to the container and describes the different ways it may enforce authorization: the container sets the policy context identifier for the module, builds the permission that corresponds to the incoming request or EJB call, and asks the provider's Policy whether the caller's ProtectionDomain implies it, either directly through Policy.implies or through the SecurityManager/AccessController.
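To make the three contracts concrete, here is an added example that is not part of the original post, the JACC spec, or any app server's code: a toy in-memory JACC provider that plays all three roles in one file. The app server part selects the provider through the system property, the deployment tool part translates a hypothetical web.xml (a GET/POST constraint on /admin/* for role admin, an excluded /internal/*, everything else unchecked) into WebResourcePermissions, and the container part sets the context ID and asks the Policy about four constructed requests. The class names JaccDemo, Factory, Config and JaccPolicy, the context ID "myapp/myapp.war", the users alice and bob, and the role-to-principal map are all assumptions made for the example. It needs the javax.security.jacc 1.x API jar on the classpath and Java 9 or later; JACC itself leaves the role-to-principal mapping to the provider, so the hard-coded map here is a stand-in for whatever a real provider does.

```java
import java.security.*;
import java.util.*;
import javax.security.jacc.*;

/** Toy in-memory JACC provider plus deployment-tool and container walk-through (hypothetical, added example). */
public class JaccDemo {
    // Shared provider state: contextID -> configuration, and a provider-specific role mapping (assumed).
    static final Map<String, Config> CONFIGS = new HashMap<>();
    static final Map<String, Set<String>> ROLE_TO_PRINCIPALS = new HashMap<>();

    // Contract 2 target: per-module policy configuration that the deployment tool populates.
    public static final class Config implements PolicyConfiguration {
        final String id; boolean inService;
        final Map<String, Permissions> roles = new HashMap<>();
        Permissions unchecked = new Permissions(), excluded = new Permissions();
        Config(String id) { this.id = id; }
        public String getContextID() { return id; }
        public void addToRole(String role, Permission p) { roles.computeIfAbsent(role, r -> new Permissions()).add(p); }
        public void addToRole(String role, PermissionCollection pc) { for (Permission p : Collections.list(pc.elements())) addToRole(role, p); }
        public void addToUncheckedPolicy(Permission p) { unchecked.add(p); }
        public void addToUncheckedPolicy(PermissionCollection pc) { for (Permission p : Collections.list(pc.elements())) unchecked.add(p); }
        public void addToExcludedPolicy(Permission p) { excluded.add(p); }
        public void addToExcludedPolicy(PermissionCollection pc) { for (Permission p : Collections.list(pc.elements())) excluded.add(p); }
        public void removeRole(String role) { roles.remove(role); }
        public void removeUncheckedPolicy() { unchecked = new Permissions(); }
        public void removeExcludedPolicy() { excluded = new Permissions(); }
        public void linkConfiguration(PolicyConfiguration other) { /* one shared role mapping in this toy */ }
        public void delete() { CONFIGS.remove(id); }
        public void commit() { inService = true; }   // only committed ("in service") configs answer queries
        public boolean inService() { return inService; }
    }

    // Contract 1: the factory the app server instantiates from the system property.
    public static final class Factory extends PolicyConfigurationFactory {
        public PolicyConfiguration getPolicyConfiguration(String id, boolean remove) {
            Config c = CONFIGS.get(id);
            if (c == null || remove) { c = new Config(id); CONFIGS.put(id, c); }
            c.inService = false;                       // back to the "open" state while the tool edits it
            return c;
        }
        public boolean inService(String id) { Config c = CONFIGS.get(id); return c != null && c.inService; }
    }

    // Contract 3: the Policy the container consults; it keys on the thread's current policy context ID.
    public static final class JaccPolicy extends Policy {
        @Override public boolean implies(ProtectionDomain pd, Permission p) {
            Config c = CONFIGS.get(PolicyContext.getContextID());
            if (c == null || !c.inService) return false;
            if (c.excluded.implies(p)) return false;   // excluded beats everything else
            if (c.unchecked.implies(p)) return true;   // no authentication needed
            for (Map.Entry<String, Permissions> e : c.roles.entrySet())
                if (e.getValue().implies(p) && inRole(pd, e.getKey())) return true;
            return false;
        }
        private static boolean inRole(ProtectionDomain pd, String role) {
            Set<String> members = ROLE_TO_PRINCIPALS.getOrDefault(role, Set.of());
            for (Principal pr : pd.getPrincipals()) if (members.contains(pr.getName())) return true;
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Contract 1: an app server sets this in its startup config; the demo sets it itself.
        System.setProperty("javax.security.jacc.PolicyConfigurationFactory.provider", "JaccDemo$Factory");
        PolicyConfigurationFactory f = PolicyConfigurationFactory.getPolicyConfigurationFactory();
        ROLE_TO_PRINCIPALS.put("admin", Set.of("alice"));   // assumed provider-specific role mapping

        // Contract 2: the deployment tool translates the hypothetical web.xml for one module.
        String ctx = "myapp/myapp.war";
        PolicyConfiguration pc = f.getPolicyConfiguration(ctx, true);
        // <security-constraint> url-pattern /admin/*, http-method GET,POST, auth-constraint role admin
        pc.addToRole("admin", new WebResourcePermission("/admin/*", "GET,POST"));
        // <security-constraint> url-pattern /internal/* with an empty <auth-constraint/> -> excluded
        pc.addToExcludedPolicy(new WebResourcePermission("/internal/*", (String) null));
        // everything else, any method -> unchecked (default pattern qualified by the constrained patterns)
        pc.addToUncheckedPolicy(new WebResourcePermission("/:/admin/*:/internal/*", (String) null));
        pc.commit();

        // Contract 3: the container sets the context ID, builds the request permission, asks the Policy.
        Policy policy = new JaccPolicy();   // an app server installs this via javax.security.jacc.policy.provider
        PolicyContext.setContextID(ctx);
        System.out.println(check(policy, "alice", "GET",  "/admin/users"));     // true  (caller in role admin)
        System.out.println(check(policy, "bob",   "POST", "/admin/users"));     // false (not in role)
        System.out.println(check(policy, "alice", "GET",  "/internal/debug"));  // false (excluded)
        System.out.println(check(policy, null,    "GET",  "/index.html"));      // true  (unchecked)
    }

    // Builds the caller's ProtectionDomain from its principals and the permission for the request URI and method.
    static boolean check(Policy policy, String user, String method, String uri) {
        Principal[] principals = user == null ? new Principal[0] : new Principal[]{ () -> user };
        ProtectionDomain caller = new ProtectionDomain(null, null, null, principals);
        return policy.implies(caller, new WebResourcePermission(uri, method));
    }
}
```

The ordering inside implies is the part worth copying: excluded permissions are checked first and always deny, unchecked permissions grant without looking at the caller, and only then are role permissions matched against the caller's principals. A provider that consulted roles before the excluded set would let an excluded URL through for anyone who happens to hold a matching role.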

Now what I haven't seen much of is the use of this feature to integrate with third-party AuthZ providers. I am hoping a reader could point to any such integration. Please feel free to add your comments.
