Appendix E - SAFPermission for OS/390

This class allows a program to do SAF (RACF®) like security checking. A SAFPermission contains a SecurityClass, an entityName and an access. Basically, you supply these three values using one of the following constructors and the values are used by SAF (RACF) to determine if the user has the necessary access. The following are the constructors for this class: 

    public SAFPermission(String securityClass,
                         String entityName,
                         Integer access)

    public SAFPermission(String securityClass,
                         String entityName)
 
    public SAFPermission(String entityName,
                         Integer access)

    public SAFPermission(String entityName)

The first constructor creates a new SAFPermission with the specified securityClass, entityName, and access.

The second one creates a new SAFPermission with the specified securityClass, entityName and an implied access of SAFPermission.__READ_RESOURCE.

The third constructor uses the specified entityName and access, as well as an implied securityClass of JAVA to create a new SAFPermission object.

The last one creates a new object of class SAFPermission with an implied securityClass of JAVA, a entityName as specified and an implied access of SAFPermission.__READ_RESOURCE.

The securityClass parameter is the security class to check with, the entityName parameter is the entity for which the check is to be done. These parameters can have any valid SAF (RACF) value.

The access parameter is the required access and must be one of the following:

    SAFPermission.__READ_RESOURCE

    SAFPermission.__UPDATE_RESOURCE

    SAFPermission.__CONTROL_RESOURCE

    SAFPermission.__ALTER_RESOURCE

A sample of using the previous can be found in the {$java.home}/demo/jaas or here: 

    java.lang.SecurityManager sm = System.getSecurityManager();
    sm.checkPermission( new SAFPermission("FACILITY",
                                          "BPX.SERVER",
                                          SAFPermission.__UPDATE_RESOURCE ));

The previous code creates a new SAFPermission and then uses the current SecurityManager to determine if the current subject has that permission. This will return an AccessControlException if the subject does not have the required access.

Policy Requirements for SAFPermission:

This class requires some entries in the java.policy file.

The first addition allows all code source to be able to ask checkPermission questions of a SAFPermission:

grant codeBase "file:/-" {
   permission com.ibm.security.auth.SAFPermission "*", "*";
};

The previous could be changed to limit the codeBases that have ability to use SAFPermission by changing "file:/-" to the needed codebase or directory.

The following permissions need to be added to each grant block as well:

permission java.lang.RuntimePermission "loadLibrary.SecurityServices";
permission java.io.FilePermission ":${java.home}/lib/ext/-", "read";
permission java.util.PropertyPermission "java.execsuffix", "read";

The previous are required for lower-level function calls that SAFPermission makes. A sample of a policy file that contains the previous can also be found in {$java.home}/demo/jaas.