Re: [xacml-dev] Xacml with J2EE?

[<argyn@cox.net>]

Anne

I looked at your link.

>The current spec is at http://research.sun.com/projects/xacml/J2SEPolicyProvider.html

imho, J2SE's policies follow the concept of access control lists (acl). That's why XACML is going to bring W3C standard notation to Java policies. It's good.

However, in J2EE it's different. J2EE's security model is very simple comparing to J2SE's. Basically, you have a Principal with a list of Roles. You can declaratively map these Roles to J2EE components, so telling a container which roles can fire which EJBs, for example. They call this role-based security. There's no declarative instance-based security model, where you could authorize based on values of attributes of resources and or principals.

Programmatic security is even simpler: you have one method to get user credentials, and one method to find out if a user is in certain role. That's it.

What I've been thinking about is to find a way to extend J2EE's security model with "instance-based authorization". It's nowhere in the J2EE standard, of course.

I see it like this. I'd use notationsimilar to what you do in J2SE proposal to identify J2EE resources such as EJB beans. Entity bean getters would be attributes. Session EJB methods would be actions etc. 

Then, I'd have to plug PDP into J2EE containers. So, every EJB call would be evaluates by the PDP.

The trick is to map J2EE components properly to XACML elements such as resources and actions. Subjects are pretty straightforward - these are J2EE principals/credentials. I didn't do any work in this area yet, so it's just thoughts.

thanks,
Argyn