Use of JCP site is subject to the
JCP Terms of Use and the
Oracle Privacy Policy
|
JSRs: Java Specification Requests
JSR 85: Rules-based Authorization and Audit
This JSR has been Rejected
Identification |
Request |
Contributions |
Additional Information
Title: Rules-based
Authorization and Audit Summary: Section 1. Identification Submitting Member: Entegrity Solutions Name of Contact Person: Hal Lockhart E-Mail Address: hal.lockhart@entegrity.com Telephone Number: 508-624-9600 x260 Fax Number: 508-229-0338 Specification Lead: Hal Lockhart E-Mail Address: hal.lockhart@entegrity.com Telephone Number: 508-624-9600 x260 Fax Number: 508-229-0338 Initial Expert Group Membership: Section 2: Request Server More flexible, consistent and fully specified model for remote
authorization and audit trail Current JAAS and EJB security specifications conflict and overlap. Both
are based only on simple permissions model. Current Java RMI Security specification implies an authorization model
in which applications specify security policies "on the fly". We believe a
superior approach is to move security policy out to an external
non-volatile store which can be modified by applications and/or management
tools. This has a number of benefits. ?
It allows developers to get the benefits of strong,
flexible security mechanisms without having to write a lot of security code ?
It gives organizations the flexibility to evolve
security policies without having to modify source code ?
It allows security specialists to define and verify
security policies as apposed to requiring developers to also be security
experts ?
It allows organizations to more easily implement
sound and consistent policies across all applications. Mostly traditional mechanisms for authorization, audit trail. Key
component is authorization engine which underlies a number of commercial
products, including Entegrity's AssureAccess. TBD No Yes, see comments above. No JAAS, EJB Security, J2EE Security Requirements, JSR 76 (RMI Security) Section 3: Contributions Entegrity AssureAccess API Specification Provides a model of such a service, which has been implemented. Section 4: Additional Information
(Optional) JSR-000085 Rules-based Authorization and Audit javadoc
We are seeking the advice of the Java Community as to the best way to
proceed. We strongly feel this type of rules-based authorization is needed.
We have implemented the current EJB security model in our products. Our
customers are asking for JAAS, but we have not been able to resolve the
conflicts between it and EJB. There may be a relationship between this and
the RMI security work, but we are not sure. We also feel that the "managed
policy store" model is superior to the "on the fly" model for authorization.
|