- Enhancement
- Resolution: Fixed
- P3
- 1.0
- 1.0
- generic
- solaris_2.6
currently, principal-based policies only reside in the JAAS policy.
non-principal based policies reside in the regular Java 2 policy.
this has a negative side-effect. there's no way for you to
grant all Subjects permission to access their own Private Credentials.

the reason is that, in order for you to grant a particular
Subject permission to access its own private credentials, you need
to grant it a "SELF" PrivateCredentialPermission. the SELF functionality
for PrivateCredentialPermission is provided by the JAAS policy implementation
(not the PrivateCredentialPermission). therefore, the only place
you can grant "SELF" PrivateCredentialPermission is in the JAAS policy.
however, the JAAS policy prevents you from specifying grant statements
that do not have Principal information (default WILDCARD behavior
from the regular Java 2 Policy). thus, while you can grant the "SELF"
PrivateCredentialPermission to a particular Subject,
you can't grant it to ALL Subjects.

what's needed is an extension to the JAAS policy to support grant
statements like the following:

    // this grants permissions to all SolarisPrincipals,
    // regardless of their names
    grant Principal com.sun.security.auth.SolarisPrincipal * {
        permissions ...
    };

notice the WILDCARD (*) is NOT in quotes. if you place it in quotes,
it is treated as the actual name of the SolarisPrincipal.

an extension of the above syntax would be to support:

    // this grants permissions to all Principals,
    // regardless of their classes and names
    grant Principal * * {
        permissions ...
    };

thus, you could place a "SELF" PrivateCredentialPermission in the above
grant statement and grant all Subjects access to their own Private Credentials.

one could argue that instead of creating grant entries like this:

    grant Principal * * {
    };

we should allow non-Principal grant statements in the JAAS policy like this:

    grant {
    };

we are attempting to avoid permitting non-Principal grant statements because
admins and users will get confused. they will think that the non-Principal
grant statements in the JAAS policy should be in effect, even when there's
no Subject in the current ACC (Subject.doAs was never called). however,
that's not the case. the JAAS policy is only in effect after Subject.doAs
has been called. to mitigate this confusion, only Principal-based grant
entries are permitted in the JAAS policy.

lastly, we do NOT support the following syntax:

    grant Principal * "charlie" {
    };

the reason is that it's dangerous from a security perspective,
and its usefulness is questionable.
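
the grant-header rules described above, as an added example (not code from this report or from the JAAS policy implementation): a small linter that classifies each grant header in a policy file. the function names, the allow/warn/reject labels, the sample policy, and the assumption that each header sits on one line are all constructed for illustration.

```python
import re

# 'grant <anything up to the brace> {' on a single line (assumption of this sketch)
HEADER = re.compile(r'^\s*grant\b(?P<rest>[^{]*)\{')
# Principal <class or *> <"quoted name" or *>
PRINCIPAL = re.compile(
    r'^\s*Principal\s+(?P<cls>\*|[\w.$]+)\s+(?P<name>\*|"[^"]*")\s*$')

def classify(rest):
    """Classify the text between 'grant' and '{' using the report's rules."""
    if not rest.strip():
        return ("reject", "no Principal: JAAS policy only applies after Subject.doAs")
    m = PRINCIPAL.match(rest)
    if m is None:
        return ("reject", "unparseable Principal clause")
    cls, name = m.group("cls"), m.group("name")
    if cls == "*" and name != "*":
        return ("reject", "wildcard class with a specific name is not supported")
    if cls == "*":
        return ("allow", "all Principals, any class and name")
    if name == "*":
        return ("allow", "all Principals of class " + cls)
    if name == '"*"':
        # quoted star is a literal Principal name, not a wildcard
        return ("warn", 'quoted "*" is a literal name, not a wildcard')
    return ("allow", "Principal %s named %s" % (cls, name))

def lint_policy(text):
    """Return [(line_number, verdict, detail)] for every grant header found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = HEADER.match(line)
        if m:
            findings.append((lineno,) + classify(m.group("rest")))
    return findings

# constructed sample policy covering each case discussed in the report
SAMPLE = '''\
// constructed sample policy
grant Principal com.sun.security.auth.SolarisPrincipal * {
};
grant Principal com.sun.security.auth.SolarisPrincipal "*" {
};
grant Principal * * {
};
grant {
};
grant Principal * "charlie" {
};
'''

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```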