Authorizing access requests

This section explains how access requests are handled by Verify Identity Access authorization Java classes.

The Verify Identity Access authorization Java classes are built around JAAS and the Java 2 security model. The Verify Identity Access API closely follows the Java 2 permission model.
Note: For more information on the Java 2 security model, see: http://www.oracle.com/technetwork/java/javase/tech/index-jsp-136007.html.

The Verify Identity Access authorization API Java classes provide a permission class named com.tivoli.pd.jazn.PDPermission. This class extends the abstract class com.ibm.IBMPermission, which in turn extends the abstract class java.security.Permission. The PDPermission class establishes the SSL-protected socket communications protocol that is used to talk to Verify Identity Access.

Create an entry in the JAAS policy file to ensure that the JAAS security code calls the implies() method in the PDPermission class described here. You can restrict the entry to a particular codebase as required.

Define your JAAS policy in its own file and specify the URL in the java.security file using the property auth.policy.url.X (where X is an integer). For example:

auth.policy.url.1=file:${java.home}/lib/security/jaas.policy

Alternatively, you can use the Java interpreter -D flag to specify the JAAS policy file. For example:

java -Dauth.policy.url.1=file:/opt/PolicyDirector/etc/jaas.policy

You can specify the JAAS policy directly in the java.policy file found in java_home/lib/security.

grant signedBy "xxx", codeBase "file:/E:/Program Files/aaa/bbb/ccc",
principal com.tivoli.pd.jazn.PDPrincipal "*" {
permission com.tivoli.pd.jazn.PDPermission "ignoreme" "a";
};

The contents of the action string ignoreme are unimportant because the PDPermission class ignores them. This is because Verify Identity Access acts as the repository for security policy. The intent of this entry is to have the Java security code call the implies() method when a resource manager checks to see if a permission is held.

The PDPermission class implements constructors and supporting methods, including:
implies()
Checks whether Verify Identity Access grants the specified permissions.
equals()
Determines if two PDPermission objects are equal.
getActions()
Returns the canonical string representation of the actions.
hashCode()
Returns the hash code value for the object.
The implies() method flow consists of the following steps:
  1. Use the static getSubject() method to retrieve the current Subject, that is, the Subject that was created by the PDLoginModule class and placed on the current thread of execution by the resource manager.
  2. If the Subject contains a Principal of type com.tivoli.pd.jazn.PDPrincipal, then the appropriate credentials are secured for the call to Verify Identity Access.
The following sample illustrates how a resource manager, such as a Web server or Enterprise JavaBeans container, places the Subject on the current thread of execution.
// whoami is the Subject returned by the JAAS login (PDLoginModule).
Subject.doAs(whoami, new java.security.PrivilegedAction() {
public java.lang.Object run() {
// Work done here runs with whoami's principals on the access-control context.
return null;
}
});

At this point the PDPermission class has all the information required to make the authorization call to Verify Identity Access.

The following code sample shows a typical authorization check that invokes Verify Identity Access through the PDPermission class implementation. The checkPermission() method returns quietly unless it fails, in which case it throws a java.lang.SecurityException.
PDPermission perm = new PDPermission("/MyResourceManager/private",
"[simple]rT[newActionGroup1]Z");

// checkPermission() is an instance method, so obtain the installed
// SecurityManager first; it throws SecurityException when access is denied.
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
    sm.checkPermission(perm);
}
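The following is an added example, not code from the product documentation, that combines the two fragments above into a resource-manager authorization check: the Subject from a JAAS login is placed on the thread with Subject.doAs(), and the PDPermission check runs inside it so that PDPermission.implies() can find the PDPrincipal. The JAAS configuration name "VerifyAccess" and the use of TextCallbackHandler are assumptions.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;
import com.tivoli.pd.jazn.PDPermission;

public class ResourceManagerCheck {

    // Returns true if Verify Identity Access grants the Subject the requested
    // actions on the protected object, false if the check is denied.
    static boolean isAuthorized(Subject whoami, final String objectName,
                                final String actions) {
        // doAs() puts the Subject's principals on the access-control context
        // for the duration of run(), which is where implies() looks for them.
        return Subject.doAs(whoami, new PrivilegedAction<Boolean>() {
            public Boolean run() {
                PDPermission perm = new PDPermission(objectName, actions);
                try {
                    // Same check that SecurityManager.checkPermission() performs;
                    // the JAAS policy entry routes it to PDPermission.implies().
                    AccessController.checkPermission(perm);
                    return Boolean.TRUE;
                } catch (SecurityException denied) {
                    // Denied: the resource manager decides how to respond.
                    return Boolean.FALSE;
                }
            }
        });
    }

    public static void main(String[] args) throws LoginException {
        // "VerifyAccess" is an assumed JAAS configuration entry that names
        // PDLoginModule; TextCallbackHandler prompts for credentials on the console.
        LoginContext lc = new LoginContext("VerifyAccess", new TextCallbackHandler());
        lc.login();
        Subject whoami = lc.getSubject();

        boolean ok = isAuthorized(whoami, "/MyResourceManager/private",
                                  "[simple]rT[newActionGroup1]Z");
        System.out.println(ok ? "access granted" : "access denied");
    }
}
```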