OpenJACC is an implementation of the Java Authorization Contract for Containers. OpenJACC will allow fine-grained declarative access control of J2EE applications. OpenJACC can be deployed in any J2EE Server which supports the JACC interface; in particular OpenJACC can be deployed in any J2EE 1.4 compliant application server.
The J2EE Servlet and EJB containers serve as an authorization boundary between callers and container-hosted components. When a container receives a request for a component, it determines if the caller has been granted permission to perform the request on the component. Containers which support the JACC API can delegate the authorization decision to a JACC Provider, e.g. OpenJACC.
Currently, no open-source or commercial J2EE Application Server provides method-level context-dependent declarative authorization out-of-the-box. Such authorization features are only supported by commercial security products which use application-server proprietary APIs. OpenJACC will provide such fine-grained declarative authorization using standard APIs.
OpenJACC will support the definition of fine-grained authorization policies in XML configuration files. Authorization policies will be defined using an expression language. Using the expression language, complex boolean expressions can be constructed which utilize, for example, EJB method parameters. In the future, we hope to provide for authorization policies using XACML, as well as other scripting languages, e.g. ECMAScript. Apache JEXL will be supported first, as it is fairly easy to use.
OpenJACC will first provide support for WebLogic Server 8.1 using the authorization features of the WebLogic Server Security Service Provider Interface (SSPI). Although this interface is not JACC compliant, it is very similar to the JACC specification. WLS 8.1 will be supported first, as it is production-grade and widely deployed.
Development of a JACC Provider will begin in earnest as soon as WebLogic Server 9.0 is GA. WLS 9.0 will be J2EE 1.4 compliant and implement the Container side of the JACC contract.
I've often encountered situations where powerful declarative access control was desired; that's what led me to the development of OpenJACC. All application servers allow declarative access control based on user group membership. Access to resources, e.g. EJB functions, can be limited to users who belong to roles. The question "does the caller belong to the role?" usually boils down to group membership.
This type of declarative access control is very limited, and leads to security logic being implemented in the application. The goal of OpenJACC is to enrich declarative access control. Some simple examples include:
In the next example, users are granted access if they are a member of the HeavyTrader role and the second argument to the function (args[1], since the argument vector is zero-indexed) is greater than 200, or if they are a member of the statelessSessionTester role (defined in the previous example).
(roles.contains('HeavyTrader') && args[1] > 200) || roles.contains('statelessSessionTester')
The expressions above are written in JEXL, a simple expression language. The execution context contains the following:
All method arguments are placed in a Vector of objects (args in the expressions above). Note that the objects may be very complex; they can be navigated using simple expression language semantics. Say, for example, that the argument was a Loan object, and the amount was an attribute (Loan has a getPrincipal():int function). We could instead write:
args[0].loan.principal<=10000 || subject.isUserInGroup('Manager')
This says that if the loan's principal is more than 10000, the user has to be a manager to approve it.
The Caller's Subject is available (actually, the subject is 'wrapped' making it easier to work with in the expression language). The subject contains the Principals of the caller which includes the groups the caller belongs to.
Say, for example, that test users, whose names start with 'test', are allowed to execute certain functionality:
subject.username.startsWith("test")
subject.isUserInGroup('Trader') && subject.isUserInGroup('HeavyUsers')
In the example above, the user is a member of the role if he is a member of both the Trader and the HeavyUsers groups.
(args[0].loan<=10000 && user.personal.title=='Controller') && subject.principals['Manager'] != null
The user object contains multiple 'property sets'. Each property set is a scope for multiple properties. Each property set is typically pulled from a single source, e.g. LDAP or a database. (not implemented yet)
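To show how the args, roles and subject entries of the execution context described above come together when a policy is evaluated, here is an added example that is not part of OpenJACC and does not use its classes. It evaluates the trading, loan-approval and test-user expressions from this page with Apache Commons JEXL 3 (the page targets the JEXL of 2005; the evaluation API differs, the expression syntax used here does not). SubjectWrapper, Loan and LoanApplication are hypothetical stand-ins for OpenJACC's wrapped Subject and for the caller's argument objects; their getters are named so that JEXL property access (subject.username, args[0].loan.principal, subject.principals['Manager']) resolves the way the page's expressions expect. The user property-set object is not implemented on the page and is omitted here.

```java
import java.util.*;
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlExpression;
import org.apache.commons.jexl3.MapContext;

public class PolicyEvalDemo {

    // Hypothetical wrapper around the caller's Subject (an assumption, not OpenJACC's class).
    // Getter names map to the properties used in the page's expressions.
    public static class SubjectWrapper {
        private final String username;
        private final Set<String> groups;
        private final Map<String, String> principals = new HashMap<>();

        public SubjectWrapper(String username, Set<String> groups) {
            this.username = username;
            this.groups = groups;
            principals.put(username, "user");                 // user principal
            for (String g : groups) principals.put(g, "group"); // group principals
        }
        public String getUsername() { return username; }                        // subject.username
        public boolean isUserInGroup(String g) { return groups.contains(g); }    // subject.isUserInGroup('x')
        public Map<String, String> getPrincipals() { return principals; }       // subject.principals['x']
    }

    // Hypothetical argument objects for the loan example (constructed for this demo).
    public static class Loan {
        private final int principal;
        public Loan(int principal) { this.principal = principal; }
        public int getPrincipal() { return principal; }   // args[0].loan.principal
    }
    public static class LoanApplication {
        private final Loan loan;
        public LoanApplication(Loan loan) { this.loan = loan; }
        public Loan getLoan() { return loan; }            // args[0].loan
    }

    private static final JexlEngine JEXL = new JexlBuilder().create();

    // Evaluate one policy expression against the execution context.
    // Fail closed: anything other than Boolean.TRUE, including an evaluation error, is a deny.
    public static boolean permit(String policy, SubjectWrapper subject, Set<String> roles, List<Object> args) {
        JexlExpression expr = JEXL.createExpression(policy);
        JexlContext ctx = new MapContext();
        ctx.set("subject", subject); // the wrapped caller Subject
        ctx.set("roles", roles);     // roles the container already mapped the caller to
        ctx.set("args", args);       // the method arguments, zero-indexed
        try {
            return Boolean.TRUE.equals(expr.evaluate(ctx));
        } catch (RuntimeException e) { // JexlException is unchecked; a broken policy must not grant access
            return false;
        }
    }

    public static void main(String[] argv) {
        SubjectWrapper alice = new SubjectWrapper("alice", new HashSet<>(Arrays.asList("Trader", "HeavyUsers")));
        SubjectWrapper bob   = new SubjectWrapper("bob",   new HashSet<>(Arrays.asList("Manager")));
        SubjectWrapper tst   = new SubjectWrapper("test42", new HashSet<>(Arrays.asList("Trader")));

        String trade = "(roles.contains('HeavyTrader') && args[1] > 200) || roles.contains('statelessSessionTester')";
        Set<String> heavy = new HashSet<>(Arrays.asList("HeavyTrader"));
        System.out.println(permit(trade, alice, heavy, Arrays.<Object>asList("ACME", 500)));  // true: HeavyTrader, qty 500
        System.out.println(permit(trade, alice, heavy, Arrays.<Object>asList("ACME", 100)));  // false: qty not > 200

        String approve = "args[0].loan.principal<=10000 || subject.isUserInGroup('Manager')";
        List<Object> bigLoan = Arrays.<Object>asList(new LoanApplication(new Loan(25000)));
        System.out.println(permit(approve, alice, Collections.<String>emptySet(), bigLoan)); // false: not a Manager
        System.out.println(permit(approve, bob,   Collections.<String>emptySet(), bigLoan)); // true

        String both = "subject.isUserInGroup('Trader') && subject.isUserInGroup('HeavyUsers')";
        System.out.println(permit(both, alice, Collections.<String>emptySet(), Collections.emptyList())); // true
        System.out.println(permit(both, tst,   Collections.<String>emptySet(), Collections.emptyList())); // false

        String testers = "subject.username.startsWith(\"test\")";
        System.out.println(permit(testers, tst,   Collections.<String>emptySet(), Collections.emptyList())); // true
        System.out.println(permit("subject.principals['Manager'] != null", bob, Collections.<String>emptySet(),
                                  Collections.emptyList())); // true
    }
}
```

The deny-by-default handling in permit is the part worth copying: a policy that evaluates to a non-boolean, references a missing variable, or throws must deny rather than grant, otherwise a typo in an XML policy file silently opens the method it was meant to protect. Note also that the expression language reaches any public method on the objects placed in the context, so the wrapper should expose only what policies need (JEXL 3.3 and later additionally sandbox JDK classes by default).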
The WLS 8.1 integration is configured with two JVM system properties:
-Dweblogic.alternateTypesDirectory=<OPENJACC_HOME>/out/mbeantypes
This directory contains the OpenJACC WLS SSPI Role Mapper Provider jar.
-Dorg.openjacc.policy=<Policy Root>
Refer to <OPENJACC_HOME>/src/org/openjacc/test/policy for example policies.
This has been tested with WLS version 8.1 service pack 4 on Windows XP and SuSE Linux 9.2. This should work on any supported WLS 8.1 platform. This document was last updated on 2005-04-11.