J2SE security tutorial step 3 - client authorization
Added by Jian.Tang, last edited by saif.patel@us.ibm.com on Feb 17, 2009  (view change)

The J2SE security tutorial step 2 - client authentication tutorial demonstrated how to enable authentication in an ObjectGrid cluster. As a result, no unauthenticated client can connect to your server and submit requests to your system. However, every authenticated client has the same privileges on the server, such as reading, writing, or deleting data that is stored in the ObjectGrid maps, and clients can issue any type of query. This section demonstrates how to use ObjectGrid authorization to give different authenticated users different privileges.

Similar to many other systems, ObjectGrid adopts a permission-based authorization mechanism. ObjectGrid has different permission categories, each represented by its own permission class. This topic features MapPermission. For the complete list of permission categories, please refer to Client authorization reference.

In ObjectGrid, the com.ibm.websphere.objectgrid.security.MapPermission class represents permissions to the ObjectGrid resources, specifically the methods of ObjectMap or JavaMap interfaces. ObjectGrid defines the following permission strings to access the methods of ObjectMap and JavaMap:

  1. read: Grants permission to read the data from the map.
  2. write: Grants permission to update the data in the map.
  3. insert: Grants permission to insert the data into the map.
  4. remove: Grants permission to remove the data from the map.
  5. invalidate: Grants permission to invalidate the data in the map.
  6. all: Grants all permissions: read, write, insert, remove, and invalidate.

The authorization occurs when a client calls a method of ObjectMap or JavaMap. The ObjectGrid runtime checks different map permissions for different methods. If the required permissions are not granted to the client, an AccessControlException results.

This tutorial demonstrates how to use JAAS authorization to grant map access to different users.

Enable ObjectGrid authorization

In order to enable authorization on an ObjectGrid, you need to set securityEnabled to true for that particular ObjectGrid in the XML file. Security on the ObjectGrid means authorization. Use the following commands to create a new ObjectGrid XML file with security enabled.

  1. cd objectgridRoot/bin
  2. cp SimpleApp.xml SecureSimpleApp.xml

Then add securityEnabled="true" on the objectGrid element, as the following XML shows:

<?xml version="1.0" encoding="UTF-8"?>
<objectGridConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   
    xsi:schemaLocation="http://ibm.com/ws/objectgrid/config ../objectGrid.xsd" xmlns="http://ibm.com/ws/objectgrid/config">
    <objectGrids>
        <objectGrid name="accounting" securityEnabled="true">
            <backingMap name="customer" readOnly="false" copyKey="true"/>
        </objectGrid>
    </objectGrids>
</objectGridConfig>

Define authorization policy

Remember that in the J2SE security tutorial step 2 - client authentication section, we created three users, cashier, manager, and administrator, in the key store. In this example, we will give the user "cashier" only read permission on all the maps, and the user "manager" all permissions.

We use JAAS authorization in this example. JAAS authorization uses an authorization policy file to grant permissions to principals. We defined the following policy file, og_auth.policy, in the security directory:

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal "CN=cashier,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "read";
};

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "all";
};

Notice:

  1. The codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction" is a specially reserved URL for ObjectGrid. All ObjectGrid permissions granted to principals must use this special codebase.
  2. The first grant statement grants the "read" map permission to principal "CN=cashier,O=acme,OU=OGSample", so the cashier has only the map read permission on all the maps in the ObjectGrid accounting.
  3. The second grant statement grants the "all" map permission to principal "CN=manager,O=acme,OU=OGSample", so the manager has all permissions on all the maps in the ObjectGrid accounting.
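To make the policy semantics concrete, here is an added Python model of the check the container server performs before each map method call. It is not WebSphere eXtreme Scale code and does not use the product API: it parses the two grant blocks above, applies the reserved-codebase and principal rules, expands the "accounting.*" wildcard and the "all" shorthand, and reports the same MapPermission name and action pair that the server's AccessControlException prints. The ObjectMap method-to-action table, the plain-string comparison of principal names, and the wildcard rule are assumptions of this model; the page itself only states that update() requires "write".

```python
import re

# The five permission strings the tutorial lists; "all" is shorthand for them.
ACTIONS = frozenset({"read", "write", "insert", "remove", "invalidate"})

# Action each ObjectMap/JavaMap method needs. Assumption of this model,
# derived from the method names; the page only states update() needs "write".
METHOD_ACTION = {
    "get": "read", "getAll": "read", "containsKey": "read",
    "put": "write", "update": "write",
    "insert": "insert", "remove": "remove", "invalidate": "invalidate",
}

# Reserved codebase under which every ObjectGrid permission must be granted.
OG_CODEBASE = "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"

# Constructed copy of the tutorial's og_auth.policy.
DEMO_POLICY = '''
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal "CN=cashier,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "read";
};

grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal javax.security.auth.x500.X500Principal "CN=manager,O=acme,OU=OGSample" {
    permission com.ibm.websphere.objectgrid.security.MapPermission "accounting.*", "all";
};
'''

GRANT_RE = re.compile(
    r'grant\s+codebase\s+"(?P<codebase>[^"]+)"\s+'
    r'principal\s+(?P<ptype>\S+)\s+"(?P<pname>[^"]+)"\s*\{(?P<body>.*?)\}\s*;',
    re.S,
)
PERM_RE = re.compile(
    r'permission\s+(?P<cls>\S+)\s+"(?P<target>[^"]*)"\s*,\s*"(?P<actions>[^"]*)"\s*;'
)


def parse_policy(text):
    """Return a list of (codebase, principal_name, [(class, target, actions)])."""
    grants = []
    for g in GRANT_RE.finditer(text):
        perms = []
        for p in PERM_RE.finditer(g["body"]):
            # Tolerate stray whitespace such as "read " in an action list.
            acts = {a.strip() for a in p["actions"].split(",") if a.strip()}
            unknown = acts - ACTIONS - {"all"}
            if unknown:
                raise ValueError("unknown MapPermission actions: %s" % sorted(unknown))
            perms.append((p["cls"], p["target"], acts))
        grants.append((g["codebase"], g["pname"], perms))
    return grants


def target_matches(pattern, map_name):
    """MapPermission names are gridName.mapName: 'accounting.*' covers every
    map in grid accounting; any other pattern must match exactly."""
    if pattern.endswith(".*"):
        return map_name.partition(".")[0] == pattern[:-2]
    return pattern == map_name


def granted_actions(grants, principal, map_name):
    """Union of the actions all matching grants give this principal on this map.
    Principal names are compared as plain strings here (simplification)."""
    acts = set()
    for codebase, pname, perms in grants:
        if codebase != OG_CODEBASE or pname != principal:
            continue
        for cls, target, a in perms:
            if cls.endswith(".MapPermission") and target_matches(target, map_name):
                acts.update(ACTIONS if "all" in a else a)
    return acts


def check_map_call(grants, principal, map_name, method):
    """Return None when the call is authorized, otherwise the text the server
    puts in its AccessControlException."""
    needed = METHOD_ACTION[method]
    if needed in granted_actions(grants, principal, map_name):
        return None
    return ("Access denied (com.ibm.websphere.objectgrid.security.MapPermission "
            "%s %s)" % (map_name, needed))


if __name__ == "__main__":
    policy = parse_policy(DEMO_POLICY)
    for user, method in [("cashier", "get"), ("cashier", "update"), ("manager", "update")]:
        principal = "CN=%s,O=acme,OU=OGSample" % user
        result = check_map_call(policy, principal, "accounting.customer", method)
        print(user, method, "->", "allowed" if result is None else result)
```

Running the module shows the cashier's get() allowed, the cashier's update() denied with the "accounting.customer write" pair, and the manager's update() allowed. Grants under any codebase other than the reserved one, or for a principal name that does not appear in the policy (the administrator user, for example), contribute nothing, which is why a user with no grant block is denied every map method.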

Launch server with authorization policy

The JAAS authorization policy file is set using the standard -D property on the server JVM:
-Djava.security.auth.policy=../security/og_auth.policy

Execute the application

After you create the above files, you can execute the application. Or download the updated application to get the updated files.

Use the following commands to start the catalog server. Refer to Starting a catalog service for more about launching a catalog server process.

  1. cd objectgridRoot/bin
  2. UNIX: startOgServer.sh catalogServer -clusterSecurityFile ../security/security.xml -serverProps ../security/server.props -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"
     Windows: startOgServer.bat catalogServer -clusterSecurityFile ../security/security.xml -serverProps ../security/server.props -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config"

The security.xml and server.props files were created on the J2SE security tutorial step 2 - client authentication page.

Then, we can launch a secure container server using the following script:

  1. cd objectgridRoot/bin
  2. UNIX: startOgServer.sh c0 -objectGridFile ../xml/SecureSimpleApp.xml -deploymentPolicyFile ../xml/SimpleDP.xml -catalogServiceEndpoints localhost:2809 -serverProps ../security/server.props -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config" -Djava.security.auth.policy="../security/og_auth.policy"
     Windows: startOgServer.bat c0 -objectGridFile ../xml/SecureSimpleApp.xml -deploymentPolicyFile ../xml/SimpleDP.xml -catalogServiceEndpoints localhost:2809 -serverProps ../security/server.props -jvmArgs -Djava.security.auth.login.config="../security/og_jaas.config" -Djava.security.auth.policy="../security/og_auth.policy"

Notice the following differences from the previous container server start command:

  • Use SecureSimpleApp.xml instead of SimpleApp.xml.
  • Add a second -D argument, -Djava.security.auth.policy, to pass the JAAS authorization policy file to the container server process.

Now, we use the same client command as in the previous J2SE security tutorial step 2 - client authentication sample:

  1. cd objectgridRoot/bin
  2. java -classpath ../lib/objectgrid.jar;../applib/secsample.jar com.ibm.ws.objectgrid.security.sample.guide.SecureSimpleApp ../security/security.ogclient.props manager manager1 (on UNIX, separate the classpath entries with : instead of ;)

Because user "manager" has all permissions to maps in the accounting ObjectGrid, the application runs fine.

Now, instead of using user "manager", we use user "cashier" to launch the client application.

  1. cd objectgridRoot/bin
  2. java -classpath ../lib/objectgrid.jar;../applib/secsample.jar com.ibm.ws.objectgrid.security.sample.guide.SecureSimpleApp ../security/security.ogclient.props cashier cashier1 (on UNIX, separate the classpath entries with : instead of ;)

The following exception results:

Exception in thread "P=387313:O=0:CT" com.ibm.websphere.objectgrid.TransactionException: 
   rolling back transaction, see caused by exception
        at com.ibm.ws.objectgrid.SessionImpl.rollbackPMapChanges(SessionImpl.java:1422)
        at com.ibm.ws.objectgrid.SessionImpl.commit(SessionImpl.java:1149)
        at com.ibm.ws.objectgrid.SessionImpl.mapPostInvoke(SessionImpl.java:2260)
        at com.ibm.ws.objectgrid.ObjectMapImpl.update(ObjectMapImpl.java:1062)
        at com.ibm.ws.objectgrid.security.sample.guide.SimpleApp.run(SimpleApp.java:42)
        at com.ibm.ws.objectgrid.security.sample.guide.SecureSimpleApp.main(SecureSimpleApp.java:27)
Caused by: com.ibm.websphere.objectgrid.ClientServerTransactionCallbackException: 
   Client Services - received exception from remote server:
     com.ibm.websphere.objectgrid.TransactionException: transaction rolled back, see caused by Throwable
        at com.ibm.ws.objectgrid.client.RemoteTransactionCallbackImpl.processReadWriteResponse(
            RemoteTransactionCallbackImpl.java:1399)
        at com.ibm.ws.objectgrid.client.RemoteTransactionCallbackImpl.processReadWriteRequestAndResponse(
            RemoteTransactionCallbackImpl.java:2333)
        at com.ibm.ws.objectgrid.client.RemoteTransactionCallbackImpl.commit(RemoteTransactionCallbackImpl.java:557)
        at com.ibm.ws.objectgrid.SessionImpl.commit(SessionImpl.java:1079)
        ... 4 more
Caused by: com.ibm.websphere.objectgrid.TransactionException: transaction rolled back, see caused by Throwable
        at com.ibm.ws.objectgrid.ServerCoreEventProcessor.processLogSequence(ServerCoreEventProcessor.java:1133)
        at com.ibm.ws.objectgrid.ServerCoreEventProcessor.processReadWriteTransactionRequest(ServerCoreEventProcessor.java:910)
        at com.ibm.ws.objectgrid.ServerCoreEventProcessor.processClientServerRequest(ServerCoreEventProcessor.java:1285)
        at com.ibm.ws.objectgrid.ShardImpl.processMessage(ShardImpl.java:515)
        at com.ibm.ws.objectgrid.partition.IDLShardPOA._invoke(IDLShardPOA.java:154)
        at com.ibm.CORBA.poa.POAServerDelegate.dispatchToServant(POAServerDelegate.java:396)
        at com.ibm.CORBA.poa.POAServerDelegate.internalDispatch(POAServerDelegate.java:331)
        at com.ibm.CORBA.poa.POAServerDelegate.dispatch(POAServerDelegate.java:253)
        at com.ibm.rmi.iiop.ORB.process(ORB.java:503)
        at com.ibm.CORBA.iiop.ORB.process(ORB.java:1553)
        at com.ibm.rmi.iiop.Connection.respondTo(Connection.java:2680)
        at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2554)
        at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:62)
        at com.ibm.rmi.iiop.WorkerThread.run(ThreadPoolImpl.java:202)
        at java.lang.Thread.run(Thread.java:803)
Caused by: java.security.AccessControlException: Access denied (
   com.ibm.websphere.objectgrid.security.MapPermission accounting.customer write)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:155)
        at com.ibm.ws.objectgrid.security.MapPermissionCheckAction.run(MapPermissionCheckAction.java:141)
        at java.security.AccessController.doPrivileged(AccessController.java:275)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:727)
        at com.ibm.ws.objectgrid.security.MapAuthorizer$1.run(MapAuthorizer.java:76)
        at java.security.AccessController.doPrivileged(AccessController.java:242)
        at com.ibm.ws.objectgrid.security.MapAuthorizer.check(MapAuthorizer.java:66)
        at com.ibm.ws.objectgrid.security.SecuredObjectMapImpl.checkMapAuthorization(SecuredObjectMapImpl.java:429)
        at com.ibm.ws.objectgrid.security.SecuredObjectMapImpl.update(SecuredObjectMapImpl.java:490)
        at com.ibm.ws.objectgrid.SessionImpl.processLogSequence(SessionImpl.java:1913)
        at com.ibm.ws.objectgrid.SessionImpl.processLogSequence(SessionImpl.java:1805)
        at com.ibm.ws.objectgrid.ServerCoreEventProcessor.processLogSequence(ServerCoreEventProcessor.java:1011)
        ... 14 more

This is because the update call on the map customer requires the write permission, and the user "cashier" was granted only read permission, so the server's authorization check rejects the update and the client transaction is rolled back.

Now your system supports authorization. You can define authorization policies to grant different permissions to different users. For more information about authorization, see the topic Client authorization reference.

© Copyright IBM Corporation 2007,2009. All Rights Reserved.