From: Roland.Schemers@Eng (Roland Schemers)
Message-Id: <199710270748.XAA11139@crypto.eng.sun.com>
Subject: Re: java.security.AccessControlContext
To: clark.evans@gartner.com (Clark Evans)
Date: Sun, 26 Oct 1997 23:48:08 -0800 (PST)
In-Reply-To: <199710270621.AA09062@interlock.gartner.com> from "Clark Evans" at Oct 27, 97 01:22:57 am
>
> Thank you for replying to my last question. New question(s)?
>
> With reference to page:
> http://java.sun.com/products/jdk/1.2/docs/guide/security/spec/security-spec.doc11.html
>
> Say you have two threads of execution A and B.
> Thread A is currently running method a() of object ObA.
> Thread B is currently running method b() of object ObB.
> Resource X requires a permission P to invoke x().
>
> If a() posts an event to ObB (in a different thread)
> then ObB uses the security context of thread B
> and not the context of thread A. Suppose resource X.x()
> is required to do the work. Dilemma.
>
> B is doing the work, A has the permissions.
>
> Solution: Create a java.security.AccessControlContext
> "acc" and pass it from thread A to thread B?
>
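> Hmmm. The code for X.x() would have something like this:
> {
>     // checkPermission() returns nothing; it throws AccessControlException
>     // (a subclass of SecurityException) when the permission is not granted.
>     java.security.AccessController.checkPermission(myPermission);
>
>     // rest of code goes here.
> }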
>
> Assume that this code is part of the JDK or a compiled version
> is supplied by a third party. How is ObB.b() going to tell X.x()
> that it has thread A's security? The AccessController will only
> return thread B's security. Sure ObB has an AccessControlContext
> object with A's security, but how does this information make its way
> down to X.x()?

The model/pattern is you have to re-write X.x, so that instead of
calling AccessController.checkPermission, it calls checkPermission
on the AccessControlContext. Note that the code that creates the
context in thread A should be "trusted", i.e., it should be from
the same code base as the code being run in thread B.

Also note that in this model, thread B already has access to all the
resources. It is simply checking the context to make sure the
thread that initiated the request has permissions.

> Another question, suppose that thread A only wanted to give permission P
> to thread B and not permission N, M, or O. Is this possible?

Maybe the above answered this. Thread A doesn't give permissions to anyone.
It is assumed that the code running in thread A is trusted, and simply
gets the AccessControlContext, and passes it along with the request which
thread B will later check. Note that holding a context doesn't give permission
to anyone.

roland
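
The hand-off described in this reply, as an added Java example that is not part of the original message and not JDK code: X.x() checks the context that travels with the request instead of asking AccessController about thread B's own stack. The names ContextHandoff, x, contextWith and post and the property name demo.resource are hypothetical; the hand-built contexts stand in for what trusted code in thread A would obtain from AccessController.getContext(), and the example assumes a JDK on which the java.security.AccessController API is still functional (it is deprecated for removal in current JDKs).

```java
import java.security.*;
import java.util.PropertyPermission;
import java.util.concurrent.*;

public class ContextHandoff {
    // Permission P guarding X.x(); the property name is a constructed sample.
    static final Permission P = new PropertyPermission("demo.resource", "read");

    // X.x() rewritten as the reply describes: it checks the context handed
    // over with the request, not AccessController (which sees thread B's stack).
    static String x(AccessControlContext requester) {
        requester.checkPermission(P); // throws AccessControlException if P is missing
        return "x() ran";
    }

    // Stand-in for AccessController.getContext() called by trusted code in
    // thread A; built by hand so the demo has one requester with P and one without.
    static AccessControlContext contextWith(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        ProtectionDomain pd = new ProtectionDomain(null, perms);
        return new AccessControlContext(new ProtectionDomain[] { pd });
    }

    // Thread A posts the request together with its context; thread B does the work.
    static String post(ExecutorService threadB, AccessControlContext acc) throws Exception {
        Future<String> result = threadB.submit(() -> {
            try {
                return x(acc);
            } catch (AccessControlException e) {
                return "denied: " + e.getPermission();
            }
        });
        return result.get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService threadB = Executors.newSingleThreadExecutor();
        try {
            System.out.println(post(threadB, contextWith(P))); // requester holds P
            System.out.println(post(threadB, contextWith()));  // requester holds nothing
        } finally {
            threadB.shutdown();
        }
    }
}
```

The same worker thread serves both requests, so the outcome depends only on the context that arrived with each one; the context is consulted for a decision and adds nothing to what thread B's own code may do.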