Description
Please direct comments on this JSR to the Spec Lead(s).
Stage timeline
| Stage | Access | Start | Finish |
|---|---|---|---|
| Maintenance Release 3 | Download page | 10 Jun, 2013 | |
| Maintenance Draft Review 8 | Download page | 21 Feb, 2013 | 25 Mar, 2013 |
| Maintenance Release 2 | Download page | 10 Dec, 2009 | |
| Maintenance Draft Review 7 | Download page | 19 Oct, 2009 | 18 Nov, 2009 |
| Maintenance Draft Review 6 | Download page | 01 May, 2009 | 01 Jun, 2009 |
| Maintenance Draft Review 5 | Download page | 22 Jul, 2008 | 25 Aug, 2008 |
| Maintenance Release | Download page | 11 May, 2006 | |
| Maintenance Draft Review 4 | Download page | 01 Mar, 2006 | 03 Apr, 2006 |
| Maintenance Draft Review 3 | Download page | 10 Aug, 2005 | 12 Sep, 2005 |
| Maintenance Draft Review 2 | Download page | 24 Mar, 2004 | 26 Apr, 2004 |
| Maintenance Draft Review | Download page | 30 Jan, 2004 | 01 Mar, 2004 |
| Final Release | Download page | 24 Nov, 2003 | |
| Final Approval Ballot | View results | 28 Oct, 2003 | 11 Nov, 2003 |
| Proposed Final Draft 2 | Download page | 21 Nov, 2002 | |
| Proposed Final Draft | Download page | 02 Aug, 2002 | |
| Public Review | Download page | 28 Mar, 2002 | 27 Apr, 2002 |
| Community Draft Ballot | View results | 15 Jan, 2002 | 22 Jan, 2002 |
| Community Review | Login page | 17 Dec, 2001 | 22 Jan, 2002 |
| Expert Group Formation | | 17 Apr, 2001 | 11 May, 2001 |
| JSR Review Ballot | View results | 03 Apr, 2001 | 16 Apr, 2001 |
Team
Specification Leads
- Ronald Monzillo, Oracle
Expert Group
- America Online (AOL)
- BEA Systems
- Borland Software Corporation
- Hitachi, Ltd.
- IBM
- Novell, Inc.
- Oracle
- RSA Security, Inc.
- Sun Microsystems, Inc.
- Sybase
Proposal
Note that this JSR was completed under JCP 2.1 but moved to JCP 2.6 as part of Maintenance.
Original Java Specification Request (JSR)
Section 1. Identification
Submitting Member: Sun Microsystems, Inc
Name of Contact Person: Ron Monzillo
E-Mail Address: ronald.monzillo@east.sun.com
Telephone Number: +1 781 442 0968
Fax Number: +1 781 224 1610
Specification Lead: Ron Monzillo
E-Mail Address: ronald.monzillo@east.sun.com
Telephone Number: +1 781 442 0968
Fax Number: +1 781 224 1610
Initial Expert Group Membership:
Entegrity Solutions
Entrust technologies
International Business Machines
Oracle Corporation
Silverstream Software
Sun Microsystems
Please let us know if your company or organization would like to be added to the Expert Group. Note that expert group members must have signed the JSPA.
Section 2: Request
2.1 Please describe the proposed Specification:
The proposed specification will define new java.security.Permission classes to satisfy the J2EE role-based authorization model. The specification will define the binding of container access decisions to operations on instances of these permission classes. The specification will define the semantics of policy providers that employ the new permission classes to address the authorization requirements of J2EE, including the following:
- the definition of roles as permission collections
- the granting to principals of permission collections corresponding to roles
- the determination of whether a principal has been granted the permissions of a role (i.e., isCallerInRole)
- the definition of identifier to role mappings that bind application embedded identifiers to permission collections corresponding to roles
Providers must make interfaces available to administrators and deployers that may be used to configure the policy of the provider, especially as necessary to grant permission collections to principals. Providers are expected to differentiate themselves in the details and semantics of these interfaces.
2.2 What is the target Java platform? (i.e., desktop, server, personal, embedded, card, etc.)
JDK 2 SDK, Enterprise Edition, V 1.3 and above
2.3 What need of the Java community will be addressed by the proposed specification?
- J2EE container vendors would like to integrate required authorization functionality within their J2EE containers without being forced to implement it themselves, or limited to a single implementation.
- J2EE container authorization requirements must be reconciled with the J2SE permissions and policy model, especially such that containers can share authorization policy with other Java application contexts.
- J2EE system integrators need to be able to integrate containers with existing authorization policy infrastructure.
2.4 Why isn't this need met by existing specifications?
There is no standard specification for the mapping of container access decisions to operations on J2SE permission objects obtained from J2SE policy providers. Without such a specification, the stated needs cannot be satisfied.
2.5 Please give a short description of the underlying technology or technologies:
The J2EE Servlet and EJB containers serve as an authorization boundary between callers and container-hosted components. When a container receives a request for a component, it determines if the caller has been granted permission to perform the request on the component. Both the Servlet and EJB APIs also provide an interface for a component to ask its container if its caller has been granted the permissions that correspond to an identified role.
The J2SE security architecture provides a fine-grained access control mechanism based on a policy-driven permission model. For the J2SE reference implementation, the policy is represented external to the Java runtime using a simple syntax that grants permissions to authenticated entities. Authenticated entities are modeled by the java.security.CodeSource class and classes that implement the java.security.Principal interface.
The java.security.Policy class defines methods that are implemented by a policy provider. It is the role of the policy provider to map the external security policy to the collections of permissions granted to authenticated entities.
2.6 Is there a proposed package name for the API Specification? (i.e., javapi.something, org.something, etc.)
javax.security.jacc
2.7 Does the proposed specification have any dependencies on specific operating systems, CPUs, or I/O devices that you know of?
No
2.8 Are there any security issues that cannot be addressed by the current security model?
The J2SE model is complete. This JSR seeks to specify objects within the model for use by J2EE containers.
2.9 Are there any internationalization or localization issues?
No
2.10 Are there any existing specifications that might be rendered obsolete, deprecated, or in need of revision as a result of this work?
No
2.11 Please describe the anticipated schedule for the development of this specification.
| Milestone | Date |
|---|---|
| Community Draft | December 2001 |
| Public Draft | February 2002 |
| Proposed Final Draft | April 2002 |
| Final Release | Aligned with J2EE 1.4 Platform Spec Final Release |
Section 3: Contributions
3.1 Please list any existing documents, specifications, or implementations that describe the technology. Please include links to the documents if they are publicly available.
- Enterprise Java Beans Specification, version 2.0
- Java 2 Platform Enterprise Edition specification, v1.3
- Java Security Architecture (JDK 1.2)
- Java 2 Platform, Standard Edition, v 1.3, Security API Specification
- Authorization SPI for Containers: Proposed Requirements
- JSR-000085 Rules-based Authorization and Audit
3.2 Explanation of how these items might be used as a starting point for the work.
The requirement for an authorization SPI has grown out of discussions with J2EE licensees and JCP partners. The J2EE specifications define the authorization functionality required in containers. The proposed requirements document represents the status of our discussions, especially those that have focused on what is required of an authorization service provider to satisfy J2EE containers. JSR 85 provides relevant background and motivation for this work. The J2SE security documents describe existing interfaces and mechanisms for defining permission classes and policy providers.
Section 4: Additional Information (Optional)
4.1 This section contains any additional information that the submitting Member wishes to include in the JSR.
J2SE v1.4 (which post-dates the target platform) includes changes to support Dynamic Permissions that can facilitate the work of this JSR. Also, a new constructor and some new methods were added to achieve better integration of JAAS. The constructor was added to the java.security.ProtectionDomain class. Two new methods were added to the java.security.Policy class. Together, these changes allow the permissions corresponding to a subject (identified by principal) to be obtained from policy.
```java
public ProtectionDomain(CodeSource codesource,
                        PermissionCollection permissions,
                        ClassLoader classloader,
                        Principal[] principals)
```
The following methods were added to java.security.Policy:
```java
public PermissionCollection getPermissions(ProtectionDomain domain)
public boolean implies(ProtectionDomain domain, Permission permission)
```
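The model outlined in Sections 2.1 and 4.1 (roles as permission collections, roles granted to principals, and a container asking the policy provider for a decision through a principal-bearing ProtectionDomain) can be sketched with J2SE classes alone. This is an added example, not code from the JSR or its specification; `RolePermission`, `ResourcePermission`, `Caller`, `RolePolicy`, `check` and the sample role and principal names are hypothetical.

```java
import java.security.*;
import java.util.*;

public class RolePolicyDemo {
    // Hypothetical permission classes (assumptions; the page names no concrete ones).
    static final class RolePermission extends BasicPermission {
        RolePermission(String role) { super(role); }
    }
    static final class ResourcePermission extends BasicPermission {
        ResourcePermission(String resource) { super(resource); }
    }
    record Caller(String name) implements Principal {
        public String getName() { return name; }
    }

    // Policy provider: a role is a collection of permissions; principals are granted roles.
    static final class RolePolicy extends Policy {
        final Map<String, List<Permission>> roles = new HashMap<>();
        final Map<String, Set<String>> grants = new HashMap<>();

        @Override public PermissionCollection getPermissions(ProtectionDomain domain) {
            Permissions result = new Permissions();
            for (Principal p : domain.getPrincipals())
                for (String role : grants.getOrDefault(p.getName(), Set.of()))
                    roles.getOrDefault(role, List.of()).forEach(result::add);
            return result;
        }
        @Override public boolean implies(ProtectionDomain domain, Permission perm) {
            return getPermissions(domain).implies(perm);
        }
    }

    // Container side: wrap the caller's principals in a ProtectionDomain and ask the policy.
    static boolean check(Policy policy, Permission perm, Principal... caller) {
        ProtectionDomain pd = new ProtectionDomain(null, null, null, caller);
        return policy.implies(pd, perm);
    }

    public static void main(String[] args) {
        RolePolicy policy = new RolePolicy();
        // Constructed sample data: role "manager" bundles a role check and a resource grant.
        policy.roles.put("manager", List.of(new RolePermission("manager"),
                                            new ResourcePermission("payroll.*")));
        policy.grants.put("alice", Set.of("manager"));
        Principal alice = new Caller("alice"), bob = new Caller("bob");
        System.out.println(check(policy, new RolePermission("manager"), alice));        // role check
        System.out.println(check(policy, new ResourcePermission("payroll.view"), alice)); // access decision
        System.out.println(check(policy, new RolePermission("manager"), bob));          // ungranted caller
    }
}
```

The policy object is queried directly and never installed with `Policy.setPolicy`. `java.security.Policy` is deprecated for removal in recent JDKs, so the class compiles there with warnings.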