users@glassfish.java.net

Re: restarting an application from asadmin (or enabling a security policy _on_ deployment)

From: <Ronald.Monzillo_at_Sun.COM>
Date: Tue, 12 Jan 2010 14:18:56 -0500

On 01/12/10 02:50, Mathijs Kwik wrote:
> Hi Ron,
>
> That sounds very useful.
> Any chance I can get my hands on some alpha/beta code of the
> embedded-policy provider?
>
Mathijis,

If all goes well, I'll try to check in the new provider within the
glassfish security module.
In the mean time, you can take a look at the code under

v3/security/inmemory.jacc.provider

the new provider is in effect a refinement of the jacc provider at the
above location.
its commit method was enhanced to look for a policy file in the
application using
ClassLoader.getResource, and to use it to instantiate a per application
instance of sun.security.provider.PolicyFile. It delegates to this
PolicyFile impl of Policy
when a request is determined not to be granted as a result of a check
performed against the in-memory
policy and that of the baseline PolicyFile object.

The SharedState class was enhanced such that it holds a map of the
applications by policy context their
corresponding PolicyFile objects such that the provider
can lookup the correct PolicyFile instance to be applied for an
application/module.

There are some problems that still need to be solved. For example, how
to define
codesource based grants in the application policy file such that they
are relative to the
deployment location of the app. There is also the problem of determining
whether a trusted
party signed the archive, so that the policy system can decide whether
to accept the application
embedded policy, ...

> Or do I have to wait for a release?
>
> And the other option you gave might be not-too-hard too.
> Am I correct to assume I can write 1 application which manages the
> permissions for all other apps?
>
yes, in effect that app would be the management subsystem for the Policy
system.
the policy configuration interface of the policy system gets called
whenever an app
is deployed (please see the jacc contract for details). The jacc
interfaces may be of some
use to your management application, and you could extend any of the
providers as necessary to
support your management model.

Ron
> Is it possible for this app to hook into Policy#refresh to find out
> that new apps got deployed?
> Or some other way to find out? (I can ofcourse call asadmin
> list-applications from it every minute or so, not as nice).
> Or I can notify this app by hand (curl API call).
>
> Thanks
> Mathijs
>
> On Mon, Jan 11, 2010 at 8:51 PM, <Ronald.Monzillo_at_sun.com> wrote:
>
>> On 01/08/10 09:44, Hong Zhang wrote:
>>
>>> Hi, Mathijs
>>> No, currently there is no asadmin command for restarting application.
>>> But you can use the equivalent: "asadmin disable" + "asadmin enable".
>>> Not sure about the specifics with the security policy, security team
>>> might be able to help with a better alternative..
>>>
>> Glassfish v3 includes 2 policy providers, and others can be developed and
>> integrated.
>>
>> Of the 2 providers that ship with V3, the file based provider is configured
>> by default. The
>> file-based provider will detect and internalize changes to policy files when
>> Policy#refresh is called.
>>
>> Policy#refresh is called whenever any application is
>> deployed/undeployed/enabled, or disabled. It can also be
>> called explicitly by any application (that has been granted the setPolicy
>> SecurityPermission)
>>
>> For example, when application A is undeployed, the deployment system call
>> Policy#refresh, on the installed provider.
>> The file-based provider proceeds to check all the policy files for all the
>> deployed applications to determine if any
>> have changed since the last refresh. Any changed files are internalized such
>> that will be used for the corresponding
>> applications.
>>
>> Ron
>>
>> ps: we have been prototyping a third variant of the existing providers, that
>> will merge in policy rules from a policy file
>> embedded in the application archive. We'd like to make that available in an
>> upcoming release, and if this is something you
>> want to try for yourself, Glassfish supports the configuration of pluggable
>> authorization providers according to the jacc contract.
>>
>>
>>> - Hong
>>>
>>>
>>>> I am looking for a way to deploy applications and set their
>>>> app-specific security policy.
>>>>
>>>> At the moment I have to do it like this:
>>>> asadmin deploy myapp.war
>>>> asadmin disable myapp
>>>> [here I overwrite generated/policy/appname/modulename/granted.policy]
>>>> asadmin enable myapp
>>>>
>>>> While it works, it feels a bit hacky & dirty.
>>>> I tried deploying with --enabled=false (thus skipping the disable
>>>> step) but in that case enabling it will overwrite my policy file
>>>> again.
>>>>
>>>> Is there a way to use the AdminGui 'restart application' functionality
>>>> from asadmin?
>>>> If I change a granted.policy file and click the restart link in the
>>>> admin gui afterwards, this will affectuate my policy.
>>>>
>>>> Or a way to somehow set the policy on deployment? (like asadmin deploy
>>>> --policyfile=my.policy)
>>>> Or a way to include it in the .war file?
>>>>
>>>> I know it's also possible to put policies into server.policy and use
>>>> 'grant codeBase' to give policies to the app-specific code,
>>>> but I couldn't find a way to enable those without restarting the
>>>> domain (which would mean all apps on all virtual servers would suffer
>>>> a few seconds downtime which is unacceptable).
>>>>
>>>> Does anyone know of a better way to do this?
>>>>
>>>> Thanks,
>>>> Mathijs
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>
>