generalized ${{ ... }} expansion in permission name strings


    • Type: Enhancement
    • Resolution: Fixed
    • Priority: P3
    • 1.4.0
    • Affects Version/s: 1.4.0
    • Component/s: security-libs
    • None
    • beta3
    • generic
    • solaris_7

      It would be nice to perform generalized expansions inside of permission
      name strings. Currently ${self} can be expanded into the relevant
      principal/name pair. However, ${self} is not in a generalized form,
      and actually can be confused with system property expansion.

      It would be better to change the syntax to ${{[protocol]:[protocol_data]}}.
      The colon and [protocol_data] are optional.
      The double bracket would do a good job of preventing collisions with
      values that should be expanded as system properties.

      [protocol] might be "self", "alias", or something else in the future.
      If "self", then the current "self" expansion is performed.
      If "alias", then a keystore alias substitution is performed
      (javax.security.auth.x500.X500Principal "DN"),
      where "DN" represents the distinguished name of the alias owner.
      The alias would be specified in the [protocol_data].
      Thus the entire string would be something like: ${{alias:duke}}

      This expansion would occur in permission names in policy entries.
      For example:

          grant {
              permission foo "bar ${{alias:duke}}";
          };

      would get expanded to:

          grant {
              permission foo "bar javax.security.auth.x500.X500Principal \"cn=duke\"";
          };

      assuming "cn=duke" represents alias duke's DN.
      The original self expansion is still supported:

          grant {
              permission foo "bar ${{self}}";
          };

      gets expanded to:

          grant {
              permission foo "bar principalClass \"principalName\"";
          };

      where principalClass and "principalName" represent the principal
      associated with the current Subject on the thread.

            Assignee:
            Charlie Lai (Inactive)
            Reporter:
            Charlie Lai (Inactive)
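The expansion proposed in the report above, written out as an added example. This is not code from the report or from the JDK's policy implementation; it assumes a hypothetical aliasResolver function standing in for the keystore lookup, and the rule that several principals on the thread are joined with ", " is this example's choice. The returned string is the permission-name value itself, so the DN carries plain quotes; the backslash-escaped \" in the report is how that same value is written inside a quoted policy-file string. Single-brace ${prop} tokens are passed through untouched so that system-property expansion can handle them separately, which is exactly the collision the double braces are meant to avoid. Unknown protocols, an unterminated token, an unknown alias and a ${{self}} with no principal on the thread all throw rather than silently producing a permission name that was never intended.

```java
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not JDK code): expands ${{protocol[:data]}} tokens inside a
 * permission name. Single-brace ${prop} tokens are deliberately left alone so
 * that ordinary system-property expansion can handle them afterwards; that
 * separation is what the double braces buy.
 */
public final class PermissionNameExpander {

    // Hypothetical alias lookup (an assumption of this example): maps a
    // keystore alias to the X500Principal of the alias owner. A real policy
    // implementation would take the subject DN of the certificate stored
    // under that alias in the policy's keystore.
    private final Function<String, X500Principal> aliasResolver;

    public PermissionNameExpander(Function<String, X500Principal> aliasResolver) {
        this.aliasResolver = aliasResolver;
    }

    /**
     * Replaces every ${{...}} token in name. currentPrincipals are the
     * principals of the Subject on the current thread, used for ${{self}}.
     */
    public String expand(String name, List<Principal> currentPrincipals) {
        StringBuilder out = new StringBuilder();
        int pos = 0;
        while (pos < name.length()) {
            int start = name.indexOf("${{", pos);
            if (start < 0) {
                out.append(name, pos, name.length()); // tail, ${prop} included, untouched
                break;
            }
            int end = name.indexOf("}}", start + 3);
            if (end < 0) {
                throw new IllegalArgumentException("unterminated ${{ in permission name: " + name);
            }
            out.append(name, pos, start);
            out.append(resolve(name.substring(start + 3, end), currentPrincipals));
            pos = end + 2;
        }
        return out.toString();
    }

    private String resolve(String token, List<Principal> principals) {
        int colon = token.indexOf(':');
        String protocol = colon < 0 ? token : token.substring(0, colon);
        String data = colon < 0 ? null : token.substring(colon + 1);
        switch (protocol) {
            case "self":
                if (data != null) {
                    throw new IllegalArgumentException("${{self}} takes no protocol_data");
                }
                if (principals.isEmpty()) {
                    // Fail closed: never silently turn ${{self}} into an empty name.
                    throw new IllegalStateException("${{self}} used with no principal on the thread");
                }
                // One principalClass "principalName" pair per principal; joining several
                // with ", " is this example's choice, not something the report specifies.
                return principals.stream()
                        .map(p -> p.getClass().getName() + " \"" + p.getName() + "\"")
                        .collect(Collectors.joining(", "));
            case "alias":
                if (data == null || data.isEmpty()) {
                    throw new IllegalArgumentException("${{alias:...}} requires an alias");
                }
                X500Principal owner = aliasResolver.apply(data);
                if (owner == null) {
                    throw new IllegalArgumentException("unknown keystore alias: " + data);
                }
                return X500Principal.class.getName() + " \"" + owner.getName() + "\"";
            default:
                throw new IllegalArgumentException("unknown expansion protocol: " + protocol);
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for a keystore: alias "duke" is owned by cn=duke.
        Map<String, X500Principal> keystoreAliases =
                Map.of("duke", new X500Principal("cn=duke"));
        PermissionNameExpander expander = new PermissionNameExpander(keystoreAliases::get);

        // Constructed principal for the Subject on the current thread.
        List<Principal> onThread = List.of(new X500Principal("cn=alice"));

        System.out.println(expander.expand("bar ${{alias:duke}}", onThread));
        System.out.println(expander.expand("bar ${{self}}", onThread));
        // ${java.home} is left for system-property expansion; ${{self}} is expanded here.
        System.out.println(expander.expand("${java.home}/lib ${{self}}", onThread));
    }
}
```

Two things worth noticing when running it (Java 9 or later, for Map.of and List.of). First, X500Principal.getName() returns the RFC 2253 form of the DN, so the alias given as "cn=duke" comes back as "CN=duke"; a policy implementation that compares expanded names textually has to pick one canonical form and stick to it. Second, because ${{alias:...}} turns a keystore alias into a grant target, whoever can write to the keystore that the policy points at can change what the permission names resolve to, so that keystore needs the same protection as the policy file itself.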