JACC

JACC is the Java Authorization for Container Contracts specification. This allows one to externalize the implementation of the java.security.Policy class that is used to authorize the JACC defined permission. The JACC specification can be found here: Java Authorization Contract for Containers

 

The JBoss JACC Integration Service

org.jboss.security.jacc.SecurityService is the service which installs a java.security.Policy implementation that handles the JACC permission checks.

On startup this service looks to the JACC defined javax.security.jacc.policy.provider system property. If this is not specified, it defaults to org.jboss.security.jacc.DelegatingPolicy which is the JAAS based implementation described below.

 

The SecurityService also installs the javax.security.auth.Subject.container PolicyContextHandler key for the active Subject handler to provide access to the authenticated subject in the context of a call.

 

A minimal configuration for the SecurityService would be:

  <!-- JACC security manager and realm mapping -->
  <mbean code="org.jboss.security.jacc.SecurityService"
    name="jboss.security:service=JACCSecurityService" xmbean-dd="">
    <xmbean>
      <description>The JACC security Policy service</description>
      <operation>
        <description>The start lifecycle operation</description>
        <name>start</name>
      </operation>
      <operation>
        <description>The stop lifecycle operation</description>
        <name>stop</name>
      </operation>
    </xmbean>
  </mbean>

 

 

In JBoss Application Server v5.x, you can specify this using the Microcontainer notation with jacc-jboss-beans.xml

 

 

<deployment xmlns="urn:jboss:bean-deployer:2.0">
    <bean name="JaccPolicyProvider"
        class="org.jboss.security.jacc.DelegatingPolicy">
        <constructor factoryMethod="getInstance"
            factoryClass="org.jboss.security.jacc.DelegatingPolicy"/>
    </bean>

    <bean class="org.jboss.security.jacc.SecurityService"
        name="JaccSecurityService">
        <property name="policy"><inject bean="JaccPolicyProvider" property="policyProxy"/></property>
    </bean>
</deployment>

JBoss Application Server v5.x and EAP 5.x

 

Starting JBoss AS 5.x, we provide the flexibility to define a JACC Authorization Module as default for all web/ejb applications or at individual security domain level.

 

 

Use Case 1:  Apply JACC to all web applications deployed on JBoss AS

This is when you want JACC to be the default authorization stack for your web applications.

 

In JBAS/server/<conf>/deploy/security/security-policies-jboss-beans.xml,   under the jboss-web-policy,  change to:

 

<authorization>
  <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
</authorization>

 

 

Use Case 2: Apply JACC to a web application with a security domain "xxx"

 

Your security domain configuration should look something like this:

 

<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="xxx">
   <authentication>
     <login-module code="..." />
   </authentication>
   <authorization>
         <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
      </authorization>
</application-policy>
</deployment>

 

 

 

 

Use Case 3:  Apply JACC to all ejb applications deployed on JBoss AS

This is when you want JACC to be the default authorization stack for your ejb applications.

 

In JBAS/server/<conf>/deploy/security/security-policies-jboss-beans.xml,   under the jboss-ejb-policy,  change to:

 

 

<authorization>
  <policy-module code="org.jboss.security.authorization.modules.JACCAuthorizationModule" flag="required"/>
</authorization>

 

 

 

Use Case 4: Apply JACC to an ejb application governed by security domain "xxx"

 

Please follow the configuration in Use Case 2 above.

JBoss Application Server v4.x and EAP 4.x

To actually incorporate this into the ejb and web containers requires

modifying the security layers of each. In the ejb container configurations,

the org.jboss.ejb.plugins.SecurityInterceptor needs to be replaced with the org.jboss.ejb.plugins.JaasAuthenticationInterceptor + org.jboss.ejb.plugins.JaccAuthorizationInterceptor pair as illustrated here:

 

 <container-configuration>
   <container-name>Standard Stateless SessionBean/JACC</container-name>
   <call-logging>false</call-logging>
   <invoker-proxy-binding-name>stateless-rmi-invoker</invoker-proxy-binding-name>
   <container-interceptors>
     <interceptor>org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor</interceptor>
     <interceptor>org.jboss.ejb.plugins.LogInterceptor</interceptor>
     <!-- Replaced the SecurityInterceptor with the JaasAuthenticationInterceptor
     JaccAuthorizationInterceptor pair
     -->
     <interceptor>org.jboss.ejb.plugins.JaasAuthenticationInterceptor</interceptor>
     <interceptor>org.jboss.ejb.plugins.JaccAuthorizationInterceptor</interceptor>
     <!-- CMT -->
     <interceptor transaction="Container">org.jboss.proxy.ejb.NoTxPropagationInterceptor</interceptor>
     <interceptor transaction="Container">org.jboss.ejb.plugins.TxInterceptorCMT</interceptor>
     <interceptor transaction="Container">org.jboss.ejb.plugins.CallValidationInterceptor</interceptor>
     <interceptor transaction="Container" metricsEnabled="true">org.jboss.ejb.plugins.MetricsInterceptor</interceptor>
     <interceptor transaction="Container">org.jboss.webservice.server.ServiceEndpointInterceptor</interceptor>
     <interceptor transaction="Container">org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor</interceptor>
     <!-- BMT -->
     <interceptor transaction="Bean">org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor</interceptor>
     <interceptor transaction="Bean">org.jboss.ejb.plugins.TxInterceptorBMT</interceptor>
     <interceptor transaction="Bean">org.jboss.ejb.plugins.CallValidationInterceptor</interceptor>
     <interceptor transaction="Bean" metricsEnabled="true">org.jboss.ejb.plugins.MetricsInterceptor</interceptor>
     <interceptor transaction="Bean">org.jboss.webservice.server.ServiceEndpointInterceptor</interceptor>
     <interceptor>org.jboss.resource.connectionmanager.CachedConnectionInterceptor</interceptor>
   </container-interceptors>
   <instance-pool>org.jboss.ejb.plugins.StatelessSessionInstancePool</instance-pool>
   <instance-cache></instance-cache>
   <persistence-manager></persistence-manager>
   <container-pool-conf>
     <MaximumSize>100</MaximumSize>
   </container-pool-conf>
 </container-configuration>

 

In the web container you need to edit the jbossweb-tomcat50.sar/server.xml and enable the JaccAuthorizationRealm over the default JBossSecurityMgrRealm as shown here:

<Server>
...
         <!-- The JAAS based authentication and authorization realm implementation
         that is compatible with the jboss 3.2.x realm implementation.
         <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"></Realm>
         -->
         <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
         behavior of JBossSecurityMgrRealm, but overrides the authorization
         checks to use JACC permissions with the current java.security.Policy
         to determine authorized access.
         -->
         <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"></Realm> 

 

The JAAS Based JACC Implementation

As of the 4.0.0 release, the default JACC implementation bundled with jboss is a mapping from the 3.2.x overloading of the JAAS authentication pattern which loads the user's declarative roles into the authenticated Subject. This is coupled to the default javax.security.jacc.PolicyConfigurationFactory.provider implementation class org.jboss.security.jacc.JBossPolicyConfigurationFactory. The complete set of classes making up the default JACC implementation include:

  • org.jboss.security.jacc.DelegatingPolicy

  • org.jboss.security.jacc.ContextPolicy

  • org.jboss.security.jacc.JBossPolicyConfigurationFactory

  • org.jboss.security.jacc.JBossPolicyConfiguration

 

A XACML based JACC Implementation

This does not currently exist. Its an alternate implementation.

Feature Request: JBAS-2673

UPDATE:  JBAS packages an XACML engine and has native support for XACML for Web and EJB applications. ( Link1 Link2 )

 

Delegation to JACC providers for unsecured web resources

Starting jboss-4.0.4.GA, due to the feature request JBAS-2519, we can delegate to JACC provider for unsecured resources. JaccDelegationForUnsecuredWebResources

 

Bypass Authorization Checks in an external JACC Provider

Starting JBoss-4.2, due to feature request[JBAS-1824|http://jira.jboss.com/jira/browse/JBAS-1824], for role-name of  assigned to any security constraint in web.xml, the container generates a WebResourcePermission(uri,null). Based on this permission allocated to role name "", the policy provider may decide to bypass authorization.

 

Example: Test Policy http://anonsvn.jboss.org/repos/jbossas/branches/Branch_4_2/testsuite/src/main/org/jboss/test/jacc/test/allstarrole/AllStarRoleJaccPolicy.java