users@glassfish.java.net

JACC question

From: Laird Nelson <ljnelson_at_gmail.com>
Date: Wed, 26 Jan 2011 12:12:16 -0500

I'm a newcomer to JACC in Glassfish.

As I understand it, JACC is a way for me to supply a Policy implementation
that applies to the entire application server (!) and governs how various
role-based permissions are supplied to it by Glassfish.

I would like to confirm one very surprising (to me) assumption: does this
REALLY mean that my Policy must therefore be prepared to handle access
decisions for ALL applications that might be present on my Glassfish
instance? What if I don't have control over the other applications?

Suppose, for example, that BigCo has an .ear file on my server. Suppose
further I have an app that I wrote on the same server. I would like to
perform detailed authorization checks on EJBs in my application, but would
like to leave BigCo's .ear file alone, since I don't know anything about it.

If I'm reading the (absolutely impenetrable!) specification correctly, I
need to subclass java.security.Policy and override the implies() method.
That right there gives me pause, because I am now overriding security at the
VM level. What if BigCo requires a JACC provider to be installed as well?
How could our two Policy instances coexist?

Something seems amiss here; I hope it's me.

Best,
Laird