Towards a composable Policy delegation framework

The first step in putting together a Java Policy-based security system of any kind is to figure out what you're going to do when you have to delegate.

You will have to delegate certain permission checks in certain situations; there is just no pragmatic way around it.

Different security systems require different algorithms for checking permissions. Sometimes several subsystems all have to vote, in effect, on a single permission check, and an algorithm needs to be in place for such collaborative efforts that can resolve the conflicts they produce.

When a security system is asked whether a permission to do something is granted or not, it can respond in one of several ways. It can:

  • Grant the permission. This might not be the final word.
  • Deny the permission. This might not be the final word either.
  • Mandate the permission. For whatever reason, this security system's answer should be treated as the final word.
  • Prohibit the permission. For whatever reason, this security system's answer should be treated as the final word.
  • Not support the permission. The security system might not be equipped to render an answer at all for this kind of permission check.
  • Waffle. Perhaps the security system supports the permission, but cannot render a decision because of, say, conflicting information.

Ultimately, the caller is almost always interested at some level in a boolean response.

This sounds like an enum:

public enum PermissionEvaluation {

  UNSUPPORTED,   // this evaluator cannot answer this kind of permission check at all
  INDETERMINATE, // supported, but no decision could be rendered (e.g. conflicting information)
  DENIED,        // a vote against; may be overridden
  PROHIBITED,    // a final no; authoritative
  GRANTED,       // a vote for; may be overridden
  MANDATED;      // a final yes; authoritative

  /** True when this answer is meant to be the final word. */
  public boolean isAuthoritative() {
    return this == PROHIBITED || this == MANDATED;
  }

  /** Reduces the evaluation to the boolean the caller wants; anything that is not a yes is false. */
  public boolean toBoolean() {
    switch (this) {
    case GRANTED:
    case MANDATED:
      return true;
    default:
      return false;
    }
  }
}

This enum captures the kinds of permission evaluations that are possible, the boolean values to which they reduce, and an indication of how "strong" or authoritative each one is (in the absence of a higher authority). Note that toBoolean() reduces UNSUPPORTED and INDETERMINATE to false, so an evaluator that cannot decide fails closed rather than open.

From there, we might be able to extrapolate a PermissionEvaluator interface:

import java.security.Permission;
import java.security.ProtectionDomain;

public interface PermissionEvaluator {

  /** Answers, for this evaluator alone, whether permission is granted, denied, mandated, etc. in the context of protectionDomain. */
  public PermissionEvaluation evaluate(final ProtectionDomain protectionDomain, final Permission permission);

}

Implementations of this interface would be able to answer the question, much like a java.security.Policy, "Is the supplied Permission granted, prohibited, etc. in the context of the supplied ProtectionDomain?"

Picture, now, a whole chain of these returning various PermissionEvaluations for the same Permission and ProtectionDomain parameters. Something will then need to exist to combine the results and render a final boolean decision:

import java.security.Permission;
import java.security.ProtectionDomain;

public interface PermissionEvaluationCombiner {

  /** Whether, under this combiner's rules, evaluation ends the discussion for this domain and permission. */
  public boolean isAuthoritative(final ProtectionDomain protectionDomain, final Permission permission, final PermissionEvaluation evaluation);

  /** Reduces the chain's answers to the final boolean the caller needs. */
  public boolean combine(final ProtectionDomain protectionDomain, final Permission permission, final PermissionEvaluation... evaluations);

}
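Here is one way the pieces could fit together: a combiner, a Policy that delegates implies() to an ordered chain of evaluators, and two small evaluators to drive it. This is an added example, not code from the original post. It assumes the PermissionEvaluation, PermissionEvaluator and PermissionEvaluationCombiner types exactly as sketched above; the class names, the combining rule (the first authoritative answer is final, otherwise a DENIED beats a GRANTED, and a chain in which nobody votes yes is denied) and the two sample evaluators are my own choices for illustration.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.Arrays;

// Assumed on the classpath: the PermissionEvaluation enum and the
// PermissionEvaluator / PermissionEvaluationCombiner interfaces defined above.

/**
 * Combining rule chosen for this example: the chain is ordered by trust, the
 * first authoritative answer (MANDATED or PROHIBITED) is final, and among the
 * ordinary votes DENIED beats GRANTED. UNSUPPORTED and INDETERMINATE are not
 * votes, so a chain in which nobody voted yes fails closed.
 */
final class FirstAuthoritativeDenyOverridesCombiner implements PermissionEvaluationCombiner {

  @Override
  public boolean isAuthoritative(ProtectionDomain pd, Permission p, PermissionEvaluation e) {
    return e != null && e.isAuthoritative();
  }

  @Override
  public boolean combine(ProtectionDomain pd, Permission p, PermissionEvaluation... evaluations) {
    boolean granted = false;
    boolean denied = false;
    for (PermissionEvaluation e : evaluations) {
      if (e == null) {
        continue; // a missing answer is not a vote
      }
      if (e.isAuthoritative()) {
        return e.toBoolean(); // final word; anything after it is ignored
      }
      if (e == PermissionEvaluation.DENIED) {
        denied = true;
      } else if (e == PermissionEvaluation.GRANTED) {
        granted = true;
      }
    }
    return granted && !denied;
  }
}

/** A Policy whose implies() is answered by an ordered chain of evaluators. */
final class DelegatingPolicy extends Policy {

  private final PermissionEvaluationCombiner combiner;
  private final PermissionEvaluator[] chain;

  DelegatingPolicy(PermissionEvaluationCombiner combiner, PermissionEvaluator... chain) {
    this.combiner = combiner;
    this.chain = chain.clone();
  }

  @Override
  public boolean implies(ProtectionDomain domain, Permission permission) {
    PermissionEvaluation[] results = new PermissionEvaluation[chain.length];
    for (int i = 0; i < chain.length; i++) {
      PermissionEvaluation e = chain[i].evaluate(domain, permission);
      // A null from a sloppy evaluator is treated as a waffle, never as a grant.
      results[i] = (e == null) ? PermissionEvaluation.INDETERMINATE : e;
      if (combiner.isAuthoritative(domain, permission, results[i])) {
        // Stop consulting the chain once a final word exists.
        return combiner.combine(domain, permission, Arrays.copyOf(results, i + 1));
      }
    }
    return combiner.combine(domain, permission, results);
  }
}

public class DelegationDemo {

  public static void main(String[] args) {
    // Hypothetical evaluator that only understands FilePermission: reads under
    // /tmp are granted, any other file access it sees is denied.
    PermissionEvaluator fileRules = (pd, perm) -> {
      if (!(perm instanceof FilePermission)) {
        return PermissionEvaluation.UNSUPPORTED;
      }
      boolean tmpRead = perm.getName().startsWith("/tmp/") && "read".equals(perm.getActions());
      return tmpRead ? PermissionEvaluation.GRANTED : PermissionEvaluation.DENIED;
    };

    // Hypothetical evaluator holding one hard block that no other evaluator may override.
    PermissionEvaluator hardBlocks = (pd, perm) ->
        (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName()))
            ? PermissionEvaluation.PROHIBITED
            : PermissionEvaluation.UNSUPPORTED;

    // Most trusted evaluator first: the combiner treats the first final word as binding.
    Policy policy = new DelegatingPolicy(new FirstAuthoritativeDenyOverridesCombiner(), hardBlocks, fileRules);
    ProtectionDomain domain = new ProtectionDomain(null, null); // constructed stand-in for a real domain

    System.out.println(policy.implies(domain, new FilePermission("/tmp/scratch.txt", "read")));
    System.out.println(policy.implies(domain, new FilePermission("/etc/shadow", "read")));
    System.out.println(policy.implies(domain, new RuntimePermission("setSecurityManager")));
    System.out.println(policy.implies(domain, new RuntimePermission("getenv.PATH")));
  }
}
```

Compile it together with the three types above (javac *.java) and run DelegationDemo. The first check is granted by fileRules, the second denied by it, the third is prohibited by hardBlocks before fileRules is even consulted, and the fourth is denied because no evaluator cast a vote. One caveat: java.security.Policy and the Security Manager have been deprecated for removal since JDK 17, and the Security Manager is permanently disabled as of JDK 24 (JEP 486), which is why the example calls implies() directly rather than installing the policy with Policy.setPolicy(); the evaluate-then-combine pattern itself does not depend on Policy.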

That would handle the true-or-false authorization questions and would help put together the building blocks of a composable delegating Policy-based authorization framework. Next up: handling the java.security.Policy#getPermissions(ProtectionDomain) method.
