PicketBox Authorization

<< Go Back to PicketBox Overview

 

PicketBox (Formerly JBoss Security) has support for authorization or access control


Types of Authorization

  1. Coarse Grained
  2. Fine Grained including Instance Based Authorization


Coarse Grained Authorization

 

You can use the PicketBoxAuthorizationModule to provide access control to your java application.  Please see the example below.

 


Fine Grained Authorization

  1. Standards based Oasis XACML v2 Authorization using JBossXACML
  2. Access Control Lists (ACLs) using PicketBox ACL

 

Sample Code for Coarse Grained Authorization

 

import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;

import org.jboss.security.AuthenticationManager;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceType; 
import org.picketbox.config.PicketBoxConfiguration;
import org.picketbox.factories.SecurityFactory;

   //Variables
   private final String securityDomainName = "test";
   private final String configFile = "config/authorization.conf";
   
   public void testValidAuthorization() throws Exception
   { 
      SecurityFactory.prepare();
      try
      {
         PicketBoxConfiguration idtrustConfig = new PicketBoxConfiguration();
         idtrustConfig.load(configFile);

         AuthenticationManager am = SecurityFactory.getAuthenticationManager(securityDomainName);
         assertNotNull(am);

         Subject subject = new Subject();
         Principal principal = getPrincipal("anil");
         Object credential = new String("pass");

         boolean result = am.isValid(principal, credential, subject);
         assertTrue("Valid Auth", result);
         assertTrue("Subject has principals", subject.getPrincipals().size() > 0);

         AuthorizationManager authzM = SecurityFactory.getAuthorizationManager(securityDomainName);
         assertNotNull(authzM);
         Resource resource = getResource();
         int decision = authzM.authorize(resource, subject);
         assertTrue(decision == AuthorizationContext.PERMIT);
      }
      finally
      {
         SecurityFactory.release();
      }
   }
   
   public void testInvalidAuthorization() throws Exception
   {
      SecurityFactory.prepare();
      try
      {
         PicketBoxConfiguration idtrustConfig = new PicketBoxConfiguration();
         idtrustConfig.load(configFile);

         AuthenticationManager am = SecurityFactory.getAuthenticationManager(securityDomainName);
         assertNotNull(am);

         Subject subject = new Subject();
         Principal principal = getPrincipal("anil");
         Object credential = new String("pass");

         boolean result = am.isValid(principal, credential, subject);
         assertTrue("Valid Auth", result);
         assertTrue("Subject has principals", subject.getPrincipals().size() > 0);

         AuthorizationManager authzM = SecurityFactory.getAuthorizationManager(securityDomainName);
         assertNotNull(authzM);
         Resource resource = getResource();
         int decision = authzM.authorize(resource, subject);
         assertTrue(decision == AuthorizationContext.PERMIT);
      }
      finally
      {
         SecurityFactory.release();
      }
   }
   
   private Principal getPrincipal(final String name)
   {
      return new Principal()
      {
         public String getName()
         {
            return name;
         }
      };
   }
   
   private Resource getResource()
   {
      return new Resource()
      {
       public ResourceType getLayer()
       {
          return ResourceType.IDTRUST;
       }

       public Map<String, Object> getMap()
       {
          return new HashMap<String,Object>();
       }
      };
   }

 

As usual we have a SecurityFactory.prepare() and SecurityFactory.release() in a try/finally structure to initialize and release picketbox.

 

The authorization.conf looks as follows:

<?xml version='1.0'?> 
 
<policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
         xsi:schemaLocation="urn:jboss:security-config:5.0"
         xmlns="urn:jboss:security-config:5.0"
         xmlns:jbxb="urn:jboss:security-config:5.0">
   <application-policy name = "test"> 
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required"> 
             <module-option name = "name">1.1</module-option>
             <module-option name = "succeed">true</module-option>
             <module-option name = "throwEx">false</module-option> 
          </login-module> 
       </authentication> 
       <authorization>
          <policy-module 
            code="org.picketbox.plugins.authorization.PicketBoxAuthorizationModule">
            <module-option name="roles">validuser</module-option>
          </policy-module>
       </authorization>
    </application-policy>  
</policy>

 

In this case, PicketBoxAuthorizationModule is configured with a comma separated list of roles (validuser).


PicketBox Authorization Using Java Annotations

 

Suppose you do not want to work with xml config files and want to provide the configuration via Java Annotations, then you can use the @Authorization annotation.

 

A POJO may look:

import org.jboss.security.annotation.Authentication;
import org.jboss.security.annotation.Authorization;
import org.jboss.security.annotation.Module;
import org.jboss.security.annotation.ModuleOption;

import org.jboss.security.auth.spi.UsersRolesLoginModule;
import org.picketbox.plugins.authorization.PicketBoxAuthorizationModule;

/**
 * POJO with both Authentication and Authorization annotations 
 */
@Authentication(modules={@Module(code = UsersRolesLoginModule.class, options =
{@ModuleOption})})
@Authorization(modules ={@Module(code = PicketBoxAuthorizationModule.class, options =
{@ModuleOption(key="roles",value="validuser")})})
public class AuthAuthorizationAnnotatedPOJO
{ 
}

 

 

Now the test code will be:

@Test
   public void testAuthenticationAndAuthorization() throws Exception
   {
      AuthAuthorizationAnnotatedPOJO pojo = new AuthAuthorizationAnnotatedPOJO();
      
      PicketBoxProcessor processor = new PicketBoxProcessor(); 
      processor.setSecurityInfo("anil", "pass");
      processor.process(pojo);
      
      Principal anil = new SimplePrincipal("anil");
      assertEquals("Principal == anil", anil, processor.getCallerPrincipal());
      Subject callerSubject = processor.getCallerSubject();
      assertNotNull("Subject is not null", callerSubject);
      assertTrue("Subject contains principal anil", callerSubject.getPrincipals().contains(anil));
      RoleGroup callerRoles = processor.getCallerRoles();
   }

 

Because of the @Authorization annotation, the PicketBoxProcessor process method will do the authorization.


@Authorization Annotation

Details are provided at PicketBoxSecurityAnnotations

 

 

<< Go Back to PicketBox Overview