PicketBox (formerly JBoss Security) supports authorization, i.e. access control.
Types of Authorization
- Coarse Grained
- Fine Grained including Instance Based Authorization
Coarse Grained Authorization
You can use the PicketBoxAuthorizationModule to provide access control to your Java application. Please see the example below.
Fine Grained Authorization
- Standards based Oasis XACML v2 Authorization using JBossXACML
- Access Control Lists (ACLs) using PicketBox ACL
Sample Code for Coarse Grained Authorization
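import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;

import org.jboss.security.AuthenticationManager;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.AuthorizationException;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceType;
import org.picketbox.config.PicketBoxConfiguration;
import org.picketbox.factories.SecurityFactory;

// Variables
/** Name of the application-policy in authorization.conf that both tests run against. */
private final String securityDomainName = "test";
/** Location of the PicketBox configuration file loaded by both tests. */
private final String configFile = "config/authorization.conf";

/**
 * Positive case: authenticates "anil"/"pass" and checks that the configured
 * PicketBoxAuthorizationModule permits the resulting Subject access to the resource.
 *
 * @throws Exception if PicketBox fails to load the configuration or authenticate
 */
public void testValidAuthorization() throws Exception {
    SecurityFactory.prepare();
    try {
        Subject subject = authenticate("anil", "pass");

        AuthorizationManager authzM = SecurityFactory.getAuthorizationManager(securityDomainName);
        assertNotNull(authzM);
        int decision = authzM.authorize(getResource(), subject);
        assertTrue("Authenticated subject is permitted", decision == AuthorizationContext.PERMIT);
    } finally {
        // Always release, even on assertion failure, so later tests start from a clean factory.
        SecurityFactory.release();
    }
}

/**
 * Negative case: a Subject that never went through authentication carries no principals
 * and therefore no roles, so the role-based PicketBoxAuthorizationModule must not permit it.
 * Previously this test was a copy of the positive case and asserted PERMIT, so it never
 * exercised a denied decision.
 *
 * @throws Exception if PicketBox fails to load the configuration
 */
public void testInvalidAuthorization() throws Exception {
    SecurityFactory.prepare();
    try {
        loadConfiguration();

        AuthorizationManager authzM = SecurityFactory.getAuthorizationManager(securityDomainName);
        assertNotNull(authzM);

        Subject unauthenticated = new Subject();
        boolean permitted;
        try {
            permitted = authzM.authorize(getResource(), unauthenticated) == AuthorizationContext.PERMIT;
        } catch (AuthorizationException denied) {
            // NOTE(review): an AuthorizationManager may signal a deny by throwing instead of
            // returning AuthorizationContext.DENY; both outcomes count as "not permitted" here.
            permitted = false;
        }
        assertFalse("Subject without roles must not be permitted", permitted);
    } finally {
        SecurityFactory.release();
    }
}

/**
 * Loads authorization.conf into PicketBox. Must be called after SecurityFactory.prepare().
 *
 * @throws Exception if the configuration cannot be read or parsed
 */
private void loadConfiguration() throws Exception {
    PicketBoxConfiguration idtrustConfig = new PicketBoxConfiguration();
    idtrustConfig.load(configFile);
}

/**
 * Loads the configuration and authenticates the given user against the security domain,
 * failing the test if authentication does not succeed or the Subject ends up empty.
 *
 * @param user     principal name to authenticate
 * @param password credential passed to the AuthenticationManager
 * @return the Subject populated by the login modules
 * @throws Exception if PicketBox fails to load the configuration or authenticate
 */
private Subject authenticate(String user, String password) throws Exception {
    loadConfiguration();

    AuthenticationManager am = SecurityFactory.getAuthenticationManager(securityDomainName);
    assertNotNull(am);

    Subject subject = new Subject();
    boolean result = am.isValid(getPrincipal(user), password, subject);
    assertTrue("Valid Auth", result);
    // The login modules are expected to have added at least the caller principal.
    assertTrue("Subject has principals", subject.getPrincipals().size() > 0);
    return subject;
}

/**
 * Builds a minimal Principal that only carries the given name.
 *
 * @param name principal name returned by {@code getName()}
 * @return a Principal wrapping {@code name}
 */
private Principal getPrincipal(final String name) {
    return new Principal() {
        public String getName() {
            return name;
        }
    };
}

/**
 * Builds the resource the tests ask authorization for: an IDTRUST-layer resource
 * with an empty attribute map, which is all PicketBoxAuthorizationModule needs here.
 *
 * @return a fresh Resource on the IDTRUST layer
 */
private Resource getResource() {
    return new Resource() {
        public ResourceType getLayer() {
            return ResourceType.IDTRUST;
        }

        public Map<String, Object> getMap() {
            return new HashMap<String, Object>();
        }
    };
}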
As usual, SecurityFactory.prepare() and SecurityFactory.release() are called in a try/finally block to initialize and release PicketBox.
The authorization.conf looks as follows:
<?xml version='1.0'?>
<policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:jboss:security-config:5.0"
        xmlns="urn:jboss:security-config:5.0"
        xmlns:jbxb="urn:jboss:security-config:5.0">
  <!-- Security domain "test": the sample code looks it up via
       SecurityFactory.getAuthenticationManager / getAuthorizationManager("test"). -->
  <application-policy name = "test">
    <authentication>
      <!-- flag="required": this login module must succeed for authentication to succeed. -->
      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
        <module-option name = "name">1.1</module-option>
        <module-option name = "succeed">true</module-option>
        <module-option name = "throwEx">false</module-option>
      </login-module>
    </authentication>
    <authorization>
      <!-- "roles" takes a comma-separated list of role names; only validuser is configured here. -->
      <policy-module code="org.picketbox.plugins.authorization.PicketBoxAuthorizationModule">
        <module-option name="roles">validuser</module-option>
      </policy-module>
    </authorization>
  </application-policy>
</policy>
In this case, PicketBoxAuthorizationModule is configured with a comma-separated list of roles (here just validuser).
PicketBox Authorization Using Java Annotations
If you do not want to work with XML config files and would rather provide the configuration via Java annotations, you can use the @Authorization annotation.
A POJO may look like this:
import org.jboss.security.annotation.Authentication;
import org.jboss.security.annotation.Authorization;
import org.jboss.security.annotation.Module;
import org.jboss.security.annotation.ModuleOption;
import org.jboss.security.auth.spi.UsersRolesLoginModule;
import org.picketbox.plugins.authorization.PicketBoxAuthorizationModule;

/**
 * POJO carrying both {@link Authentication} and {@link Authorization} annotations.
 * <p>
 * Authentication is delegated to {@link UsersRolesLoginModule}; authorization to
 * {@link PicketBoxAuthorizationModule} with the single role {@code validuser},
 * mirroring the XML authorization.conf example. The class body is intentionally
 * empty: the annotations are the whole configuration.
 */
@Authentication(modules = {
        @Module(code = UsersRolesLoginModule.class, options = {@ModuleOption})})
@Authorization(modules = {
        @Module(code = PicketBoxAuthorizationModule.class,
                options = {@ModuleOption(key = "roles", value = "validuser")})})
public class AuthAuthorizationAnnotatedPOJO {
}
Now the test code will be:
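/**
 * Drives authentication and authorization through PicketBoxProcessor using only the
 * annotations on {@link AuthAuthorizationAnnotatedPOJO}, then checks the caller
 * principal, Subject and roles the processor exposes.
 *
 * @throws Exception if the processor fails to authenticate or authorize the caller
 */
@Test
public void testAuthenticationAndAuthorization() throws Exception {
    AuthAuthorizationAnnotatedPOJO pojo = new AuthAuthorizationAnnotatedPOJO();
    PicketBoxProcessor processor = new PicketBoxProcessor();
    processor.setSecurityInfo("anil", "pass");
    // Reads the @Authentication and @Authorization annotations on the POJO and runs both.
    processor.process(pojo);

    Principal anil = new SimplePrincipal("anil");
    assertEquals("Principal == anil", anil, processor.getCallerPrincipal());

    Subject callerSubject = processor.getCallerSubject();
    assertNotNull("Subject is not null", callerSubject);
    assertTrue("Subject contains principal anil", callerSubject.getPrincipals().contains(anil));

    // Check the roles rather than only fetching them: the authorization step is only
    // meaningful if the role configured on the POJO ("validuser") was actually granted.
    RoleGroup callerRoles = processor.getCallerRoles();
    assertNotNull("Caller roles are not null", callerRoles);
    assertTrue("Caller has role validuser", callerRoles.containsRole(new SimpleRole("validuser")));
}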
Because of the @Authorization annotation, the PicketBoxProcessor.process() method performs the authorization.
@Authorization Annotation
Details are provided at PicketBoxSecurityAnnotations