4th International Conference on Principles and Practices ... - MADOC
[Figure 6: UML class diagram; layout lost in extraction. Classes and interfaces shown: JDOHelper, JDOSecureHelper, PersistenceManagerFactory, PersistenceManager, PMFProxy, PMFInvocationHandler, PMProxy, PMInvocationHandler, JDOSecurityAction, JDOUser, Permission, JDOQueryPermission, JDOMakePersistentPermission, JDODeletePersistencePermission. Association labels: creates, manages, forwards, checks, run, has.]<br />
Figure 6: Using the Dynamic Proxy Approach to Implement User Authorization<br />
3.4 The Authorization Process<br />
JDOSecure enables the set-up of user-specific permissions<br />
in order to allow or disallow the invocation of<br />
PersistenceManager methods. As already mentioned, a<br />
user receives a proxy of a PersistenceManager instance<br />
(PMProxy) by invoking the getPersistenceManager()<br />
method. Thus, JDOSecure is able to use the assigned<br />
PMInvocationHandler to validate whether an authenticated<br />
JDOUser has the permission to make a specific method invocation.<br />
The permissions are located in a separate policy file<br />
and can be individually defined for any user. Currently,<br />
JDOSecure distinguishes between different permissions<br />
(Table 1) in order to restrict the access to the different<br />
PersistenceManager methods. JDOSecure also enables<br />
the limitation of user permissions to a certain package or a<br />
specific class.<br />
For instance, the permission to invoke the<br />
makePersistent() method could be defined for a package<br />
org.test.sample and a single user "sampleuser" as<br />
follows:<br />
grant Principal JDOUser "sampleuser" {<br />
  permission JDOMakePersistentPermission<br />
    "org.test.sample.*";<br />
};<br />
In order to validate whether a user has the permission<br />
to invoke a specific PersistenceManager method, a<br />
JDOSecurityAction instance is constructed and<br />
passed to the static doAs(subject, action) method of<br />
the Subject class. Consequently, the validation of a<br />
user permission is delegated to the AccessController<br />
as part of the Java 2 Security Architecture. If a user<br />
has the appropriate permission to invoke a specific<br />
PersistenceManager method, the method call is forwarded<br />
to the original PersistenceManager instance. If<br />
not, a Java SecurityException is thrown and the access to<br />
the JDO resource is rejected.<br />
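The check-then-forward step described above, as an added Java example (not JDOSecure's own code): a dynamic proxy maps each method to a permission type and tests it against one user's grants before forwarding. Assumptions: `Store` is a hypothetical stand-in for PersistenceManager, the two permission classes are re-declared here on `BasicPermission`, `Permissions.implies()` is used in place of `Subject.doAs()` and the `AccessController` so the block runs without a policy file, and JDK class names serve as constructed sample data.<br />

```java
import java.lang.reflect.*;
import java.security.*;
import java.util.Map;
import java.util.function.Function;

public class PMProxyDemo {
    // Hypothetical stand-in for the PersistenceManager interface.
    interface Store { void makePersistent(Object o); void deletePersistent(Object o); }

    // Named after the paper's permissions; extending BasicPermission (an assumption)
    // gives "pkg.*" matching, which also covers subpackages such as pkg.sub.Type.
    static final class JDOMakePersistentPermission extends BasicPermission { JDOMakePersistentPermission(String t) { super(t); } }
    static final class JDODeletePersistencePermission extends BasicPermission { JDODeletePersistencePermission(String t) { super(t); } }

    // Method name -> permission required to call it. Unlisted methods are denied.
    static final Map<String, Function<String, Permission>> REQUIRED = Map.of(
        "makePersistent", JDOMakePersistentPermission::new,
        "deletePersistent", JDODeletePersistencePermission::new);

    static Store secure(Store target, Permissions granted) {
        InvocationHandler h = (proxy, method, args) -> {
            Function<String, Permission> required = REQUIRED.get(method.getName());
            if (required == null || args == null || args.length == 0 || args[0] == null)
                throw new SecurityException("denied: " + method.getName());
            // The permission target is the class name of the object being operated on.
            Permission needed = required.apply(args[0].getClass().getName());
            if (!granted.implies(needed))
                throw new SecurityException("denied: " + needed);
            try { return method.invoke(target, args); }   // forward to the real instance
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (Store) Proxy.newProxyInstance(
            Store.class.getClassLoader(), new Class<?>[] {Store.class}, h);
    }

    public static void main(String[] unused) {
        Store real = new Store() {
            public void makePersistent(Object o) { System.out.println("stored " + o.getClass().getName()); }
            public void deletePersistent(Object o) { System.out.println("deleted " + o.getClass().getName()); }
        };
        Permissions sampleuser = new Permissions();   // constructed grant for one user
        sampleuser.add(new JDOMakePersistentPermission("java.util.*"));
        Store pm = secure(real, sampleuser);
        pm.makePersistent(new java.util.ArrayList<String>());   // granted: forwarded
        try { pm.makePersistent(new StringBuilder()); }         // class outside the granted package
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        try { pm.deletePersistent(new java.util.ArrayList<String>()); }   // no delete grant
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```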
Even though this approach allows one to restrict the creation,<br />
query and deletion of PersistenceCapable instances, it is<br />
not suitable for the JDO update process. This problem is<br />
addressed in the next section.<br />
3.5 JDOSecure and the Update of Object Attributes<br />
JDO introduces the concept of transparent persistence<br />
and consequently JDO doesn’t provide any additional methods<br />
to update object attributes or flush instances to the<br />
data store. The security mechanism described above, which<br />
verifies user permissions when methods of the JDO<br />
API are invoked, does not work in the case of JDO updates.<br />
As already mentioned, the JDO enhancer modifies regular<br />
Java classes in order to implement the PersistenceCapable<br />
interface. Additionally, all setter methods are modified so that<br />
they do not change attributes directly. Instead, when<br />
a setter method is invoked, an associated StateManager instance<br />
is notified. This StateManager is responsible for updating<br />
the attributes in the corresponding PersistenceCapable instance<br />
as well as for propagating these updates to the database.<br />
The idea in this context is to replace the StateManager<br />
by another proxy and to validate the user permissions<br />
in the corresponding InvocationHandler instance. As<br />
defined in the JDO specification, a StateManager instance<br />
is created by the JDO implementation<br />
on invocation of the PersistenceManager methods<br />
makePersistent(...), makePersistentAll(...),<br />
getExtent(...), getObjectById(...) as well as the<br />
execute(...) method of the Query instance. With<br />
JDOSecure, the user does not interact<br />
with the PersistenceManager directly, but with the<br />
PMInvocationHandler instance. Before JDOSecure returns<br />
a PersistenceCapable instance to the user, it is therefore possible<br />
to replace the corresponding StateManager by a proxy.<br />
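An added example of this StateManager replacement (not JDOSecure's own code): the private jdoStateManager field is read by reflection, wrapped in a dynamic proxy that checks an update permission, and written back. `StateManager` (reduced to one callback), `Account`, `guard` and the `mayUpdate` predicate are hypothetical stand-ins introduced for the example.<br />

```java
import java.lang.reflect.*;
import java.util.function.Predicate;

public class StateManagerSwapDemo {
    // Hypothetical, reduced stand-in for the JDO StateManager: a single setter callback.
    interface StateManager { void setStringField(Object pc, String field, String value); }

    // Constructed stand-in for an enhanced class: the setter notifies the state manager
    // instead of writing the attribute itself.
    static class Account {
        private StateManager jdoStateManager;   // field name as given in the paper
        String owner = "alice";
        Account(StateManager sm) { jdoStateManager = sm; }
        void setOwner(String v) { jdoStateManager.setStringField(this, "owner", v); }
    }

    // Replace pc's state manager with a proxy that asks mayUpdate before forwarding.
    static void guard(Object pc, Predicate<Class<?>> mayUpdate) throws ReflectiveOperationException {
        // getDeclaredField only sees fields declared on this exact class, not on superclasses.
        Field f = pc.getClass().getDeclaredField("jdoStateManager");
        f.setAccessible(true);   // may be refused by the module system or a security manager
        StateManager real = (StateManager) f.get(pc);
        if (real == null || Proxy.isProxyClass(real.getClass())) return;   // nothing to wrap, or already a proxy
        InvocationHandler h = (proxy, method, args) -> {
            if (method.getName().startsWith("set") && !mayUpdate.test(pc.getClass()))
                throw new SecurityException("update denied: " + pc.getClass().getName());
            try { return method.invoke(real, args); }   // forward to the original StateManager
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        f.set(pc, Proxy.newProxyInstance(
            StateManager.class.getClassLoader(), new Class<?>[] {StateManager.class}, h));
    }

    public static void main(String[] unused) throws Exception {
        StateManager real = (pc, field, value) -> ((Account) pc).owner = value;
        Account readOnly = new Account(real), writable = new Account(real);
        guard(readOnly, cls -> false);    // constructed policy: no update permission
        guard(writable, cls -> true);     // constructed policy: update permitted
        writable.setOwner("bob");
        try { readOnly.setOwner("mallory"); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        System.out.println(writable.owner + " / " + readOnly.owner);
    }
}
```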
In order to implement this approach in JDOSecure,<br />
the PMInvocationHandler accesses the private<br />
jdoStateManager field by using the java.lang.reflect<br />
API to construct a dynamic proxy for the StateManager.<br />
In a second step, the PMInvocationHandler replaces the<br />
reference to the StateManager in the PersistenceCapable<br />
instance with the proxy. The technical details like security<br />
issues when accessing private fields by using the<br />
java.lang.reflect API and other complications<br />
(e.g. the jdoReplaceStateManager(...) method of a<br />
StateManager) have been disregarded in order to improve<br />