9 Replies Latest reply on Apr 12, 2010 3:37 PM by soshah

    Need an authorization framework for Drools

    jervisliu

      Hi, I am working on Drools security. Basically the requirement is an authorization framework that can be used to provide service level and method level security. It needs to support both role-based authorization and rule-based authorization, not sure about ACL at the moment. I'v had a quick look into Authz, but not quite sure if Authz is the one I am looking for.

       

      Some use cases I have in my mind are as below (using Drools with Camel integration):

       

      Service level security:

       

      a camel route without authorization:

       

      <camel:route>
           <camel:from uri="direct:executor" />
           <camel:process ref="batchExecutorProcessor"/>
           <camel:to uri="direct:xstreamTransformerResult" />
      </camel:route>

       

      a camel route with simple role based authorization using property files (like what we do in JBOSS ESB)

       

      <camel:route>
          <camel:from uri="direct:executor" />
          <camel:process ref="batchExecutorProcessor" authorization-module="role-based-using-property-file" rolesAllowed="adminRole, normalUsers"/>
          <camel:to uri="direct:xstreamTransformerResult" />
      </camel:route>

       

      a camel route with rule based authorization using Drools

       

      <camel:route>
           <camel:from uri="direct:executor" />
           <camel:process ref="batchExecutorProcessor" authorization-module="rule-based-using-drools"/>
           <camel:to uri="direct:xstreamTransformerResult" />
      </camel:route>

       

      Method level security:

       

      TBD

       

      What underlying authorization methods to use (let it be the role based authorization using property files, or role based authorization using permissions stored in DB or rule based authorization using Drools), need to be configurable and pluggable. So is Authz the right framework I am looking for?

       

      Thanks,

       

      Jervis Liu

        • 1. Re: Need an authorization framework for Drools
          soshah

          Jervis-

           

          Based on this description, Authz should be a good fit for your authorization needs. Here is why:

           

          * To oversimplify Authz core design principle, it uses a standard rule based (XACML) engine for making security decisions. It does not make any distinction between what "Facts" and "Logic" is used to make this decision. These facts can be arbitrary such as user roles (in case of role based security), machine IP address, time of the day, whatever other domain knowledge that needs to be used to make a security decision.

           

          * In your case, using Authz will consolidate your security code into a single Authz Enforcement module that talks to the Policy Server. You don't need sepate Authroization modules based on whether its role-based security, rule-based security, etc. These details are abstracted through the Authz "Security policies" which are XACML policies.

           

          * Authz provides a standard Provisioning mechanism for these Policies. So you don't have to worry about having to support different provisioning mechanisms (role based with property files, role base with DB storage, etc). You get a common Provisioning service with a component based API that you can use to build your Provisioning tools (GUI based, static XML config based, etc). Thats upto you.

           

          * Yes Authz is pluggable. In fact it truly makes security a cross cutting concern, so you can swap out/customize the entire security behavior of your system.

           

          I understand that the concepts are quite abstract, so looking at code is probably the best way to get a good feel. I would recommend looking at the

           

          "Secure POJO" sample app in the codebase. It does POJO security (method-level and field-level) using AOP as the interception mechanism.

           

          It also demonstrates both the "Enforcement Phase" and the "Provisioning Phase".

           

          https://svn.jboss.org/repos/jbossidentity/authz/trunk/samples/

           

          Also attached are some more low level details about the framework and what it does

           

          Thanks

          Sohil

          • 2. Re: Need an authorization framework for Drools
            jervisliu

            Is Authz and jboss-xacml available in any maven repository? I dont seem to be able to find them.

             

            Thanks,

            Jervis

            • 3. Re: Need an authorization framework for Drools
              jervisliu

              OK, found XACML: http://repository.jboss.org/maven2/org/jboss/security/jbossxacml/2.0.5.CR2/. But still can not find Authz in maven repository.

               

              BTW, Authz trunk does not build (changed version.jboss.xacml from 2.0.5-SNAPSHOT to 2.0.5.CR2):

               

              D:\svn\authz\component-spec\src\main\java\org\jboss\security\authz\xacml\PolicyU
              til.java:[25,22] package javax.xml.bind does not exist

               

              D:\svn\authz\component-spec\src\main\java\org\jboss\security\authz\xacml\PolicyU
              til.java:[26,22] package javax.xml.bind does not exist

               

              D:\svn\authz\component-spec\src\main\java\org\jboss\security\authz\xacml\Attribu
              teDesignatorUtil.java:[25,22] package javax.xml.bind does not exist

               

              D:\svn\authz\component-spec\src\main\java\org\jboss\security\authz\xacml\Attribu
              teDesignatorUtil.java:[96,17] cannot find symbol
              symbol  : class JAXBElement
              location: class org.jboss.security.authz.xacml.AttributeDesignatorUtil

              • 4. Re: Need an authorization framework for Drools
                soshah

                Jervis-

                 

                Authz is not released on the maven repository yet. I need to spend sometime working on the maven release process for the Authz project. In the meantime, I would recommend compiling and installing the maven artifacts locally.

                 

                See this thread for details: http://community.jboss.org/message/521968#521968

                 

                Apparently there is a minor change on the jboss-xacml trunk that needs to be synched with its tag releases. I thought it was incorporated in the CR1 release, but apparently not. I will check into it with Anil and team.

                 

                Sorry for the inconvenience.

                 

                Thanks

                Sohil

                • 5. Re: Need an authorization framework for Drools
                  jervisliu

                  Hi Sohil, is there any place I can grab you on IRC? I tried to use Authz in Drools, similar to the POJO example, I got it compiled, but for some reasons, the SecurityInterceptor is not getting called. May need you to give me a hand. Thanks.

                   

                  Jervis

                  • 6. Re: Need an authorization framework for Drools
                    soshah

                    Hi Jervis-

                     

                    just like in the POJO sample, for the SecurityInterceptor to fire, you will need to make sure AOP is working properly.

                     

                    Things to check:

                     

                    * jboss-aop.xml file : This is where the AOP pointcuts are specified so it will properly instrument the code

                     

                    * make sure the codebase is properly instrumented

                     

                    In the POJO example, I am using compile time weaving inside maven when the module is built. This is the line of code in the pom.xml that does the trick:

                     

                              <!--  compile-time weaving of the module -->
                              <plugin>
                                  <groupId>org.jboss.maven.plugins</groupId>
                                  <artifactId>maven-jbossaop-plugin</artifactId>
                                  <version>${version.org.jboss.aop}</version>
                                  <executions>
                                    <execution>
                                      <id>compile</id>
                                      <configuration>
                                          <!-- if you want to include dependencies from the current module
                                           (only needed if a class inherits a class thats not defined in this module
                                        -->
                                        <includeProjectDependency>false</includeProjectDependency>
                                        <aoppaths>                  
                                          <aoppath>src/main/resources/jboss-aop.xml</aoppath>
                                        </aoppaths>                
                                      </configuration>
                                      <goals>
                                        <goal>compile</goal>
                                      </goals>
                                    </execution>
                                  </executions>
                              </plugin>

                     

                    Hope this points a bit in the right direction for your evaluation.

                     

                    If you have more questions, you can IM me. My Jabber ID is: sweep.shot@gmail.com

                     

                    Thanks

                    Sohil

                    • 7. Re: Need an authorization framework for Drools
                      jervisliu

                      yes, the trick is how to get AOP working properly. So far I only managed to get AOP working in loadtime mode. The compile time weaving is still not working.

                      If the class that contains pointcut is located in the same module where the unit test is running from, then AOP works with compile time weaving. Otherwise it does not work.

                       

                      BTW, would you recommend using compile time weaving only? I do find that loadtime AOP is very very slow, though I have not tried any loadtime optimization yet. I would imagine one obvious advantage of using loadtime AOP is that ppl do not have to recompile their codes with AOP. For example, in Drools, I can keep everything related to security under a module called drools-security. The authz used in drools-security module will intercept calls to certain classes located under drools-core module. With loadtime weaving, I wont need to compile drools-core module with AOP.

                      • 8. Re: Need an authorization framework for Drools
                        soshah

                        >If the class that contains pointcut is located in the same module where the unit test is running from, then AOP works with compile time weaving. >Otherwise it does not work.

                         

                        I am definitely a beginner in AOP. In fact the first time I have used JBoss AOP is when creating this sample. However, AFAIK, the maven AOP plugin does have something to include dependencies of the current module for compile time weaving. I have not used it, but I am guessing digging deeper into the maven plugin may give you what you are looking to do.

                         

                        Again, an AOP expert would be more accurate, but I would think compile time weaving should give better performance at runtime as opposed to load time weaving. Not sure, how the performance gap is closed by optimizing the load time weaving.

                         

                         

                        >For example, in Drools, I can keep everything related to security under a module called drools-security. The authz used in drools-security module will >intercept calls to certain classes located under drools-core module. With loadtime weaving, I wont need to compile drools-core module with AOP.

                         

                        Agreed. This is definitely an advantage. I guess the trade off is seeing how the runtime performance is impacted.

                         

                        You can probably achieve the same benefit with compile time weaving, where all the core drools code can execute without any security injection in development (like unit testing, may be some integration testing where security is not involved).

                         

                        But when you build out the the final project, you can do compile time weaving of the drools security module say using a different maven profile or something like that.

                         

                        That way core drools code can stay without any security code when it needs to, but when the whole project is assembled, the drools security module is integrated.

                         

                        Again, this is probably one of the biggest benefit to me for making security a truly cross cutting concern of an App

                        • 9. Re: Need an authorization framework for Drools
                          soshah

                          btw...just to clarify, AOP is one of many inteception mechanism you can use for the security Enforcement Phase.

                           

                          You don't always have to use AOP since it comes with its own side effects that we are currently discussing. As a developer of Authz you can evaluate your application tier and decide what is the most elegant way to intercept.

                           

                          For instance, if I am integrating security in the HTTP tier, AOP would not be a natural fit. Servlet Filters are best suited for the job.

                           

                          In the JSF tier, I would probably say PhaseListeners.

                           

                          So when integrating in Drools, do consider some options when integrating the Authz Enforcement Phase besides AOP