Group maintenance after ACL permissions have been set
Gary J. Braswell (rapidobj@mindspring.com)
Mon, 10 May 1999 11:39:21 -0400
From: "Gary J. Braswell" <rapidobj@mindspring.com>
To: <java-security@java.sun.com>
Subject: Group maintenance after ACL permissions have been set
Date: Mon, 10 May 1999 11:39:21 -0400
I made a simple modification to the AclEx.java file that was posted under the URL http://www.javasoft.com/products/jdk1.1/docs/guide/security/Acl.html, and it presented a problem for me.

I moved the addition of user2 until after the group had been added to the access control list. The logic here is that a Security Administrator is going to want to be able to add users to an established group that already has a certain set of permissions (e.g., relationships with Acls), and have that user "inherit" (not from the OO standpoint) the permissions that already exist for the group.

When I moved the "g.addMember(p2);" line until after the group had been added to the Acl, the p2 principal did not receive any of the group permissions.

I'm not sure why this wouldn't work.

The Access Control List acl should have a valid reference to the modified GroupImpl g (e.g., with the newly added p2). The only reason that it would fail is if the Acl calculates permissions only upon its instantiation or in a modifier method.

Wouldn't it need to go out to its group constituents and refresh the member list when a checkPermissions() call is made?

I've attached the source code for your review.

Thanks in advance for any help with this. If you know of another way to accomplish what I'm trying to do, please advise.

Regards,
Gary J. Braswell
Sr. Software Engineer, Syndesa Corporation
Attachment: AclEx.java
/* Note: This sample program is meant just as an example
 * of the types of things that can be done with an
 * implementation of the java.security.acl interfaces.
 * This example uses the implementation supplied by the
 * sun.security.acl package. Please note that sun.* classes
 * are unsupported and subject to change.
 */
package CCSecurity;

import java.security.Principal;
import java.security.acl.*;
import sun.security.acl.*;
import java.util.Enumeration;

public class AclEx {
    public static void main(String argv[])
        throws Exception
    {
        Principal p1 = new PrincipalImpl("user1");
        Principal p2 = new PrincipalImpl("user2");
        Principal owner = new PrincipalImpl("owner");

        Permission read = new PermissionImpl("READ");
        Permission write = new PermissionImpl("WRITE");

        System.out.println("Creating a new group with two members: user1 and user2");
        Group g = new GroupImpl("group1");
        g.addMember(p1);
        // g.addMember(p2);

        //
        // create a new acl with the name "exampleAcl"
        //
        System.out.println("Creating a new Acl named 'exampleAcl'");
        Acl acl = new AclImpl(owner, "exampleAcl");

        //
        // Allow group all permissions
        //
        System.out.println("Creating a new Acl Entry in exampleAcl for the group, ");
        System.out.println(" with read & write permissions");
        AclEntry entry1 = new AclEntryImpl(g);
        entry1.addPermission(read);
        entry1.addPermission(write);
        acl.addEntry(owner, entry1);

        //
        // Take away WRITE permissions for
        // user1. All others in groups still have
        // WRITE privileges.
        //
        System.out.println("Creating a new Acl Entry in exampleAcl for user1");
        System.out.println(" without write permission");
        AclEntry entry2 = new AclEntryImpl(p1);
        entry2.addPermission(write);
        entry2.setNegativePermissions();
        acl.addEntry(owner, entry2);

        //
        // This enumeration is an enumeration of
        // Permission interfaces. It should return
        // only "READ" permission.
        Enumeration e1 = acl.getPermissions(p1);
        System.out.println("Permissions for user1 are:");
        while (e1.hasMoreElements()) {
            System.out.println(" " + e1.nextElement());
        }

        //
        // This enumeration should have "READ" and "WRITE"
        // permissions.
        Enumeration e2 = acl.getPermissions(p2);
        System.out.println("Permissions for user2 are:");
        while (e2.hasMoreElements()) {
            System.out.println(" " + e2.nextElement());
        }

        // This should return false.
        boolean b1 = acl.checkPermission(p1, write);
        System.out.println("user1 has write permission: " + b1);

        // These should all return true.
        boolean b2 = acl.checkPermission(p1, read);
        boolean b3 = acl.checkPermission(p2, read);
        boolean b4 = acl.checkPermission(p2, write);
        System.out.println("user1 has read permission: " + b2);
        System.out.println("user2 has read permission: " + b3);
        System.out.println("user2 has write permission: " + b4);
    }
}
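The post contrasts two possible ACL designs: one that resolves group membership by asking the group at every checkPermission() call, and one that fixes the member list when the entry is added. The following is an added example, not the poster's code and not sun.security.acl, written as an editor's illustration of that difference. It is a self-contained model of the java.security.acl evaluation rules (entries for the principal itself take precedence over group entries, and a negative entry cancels a positive one at the same level) with a mode switch between the two membership strategies; every class and method name in it is this example's own, and it deliberately avoids java.security.acl and sun.security.acl so it compiles on current JDKs, where that package no longer exists. The scenario() method replays the post's experiment: user2 joins group1 only after the group's entry is already in the ACL.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example: a minimal ACL modelled on java.security.acl semantics,
// showing the two membership-resolution designs the post contrasts.
public class GroupAclDemo {

    // LIVE_AT_CHECK asks the group at evaluation time; SNAPSHOT_AT_ADD_ENTRY
    // freezes the member list when the entry is added (the post's failure mode).
    enum MemberResolution { LIVE_AT_CHECK, SNAPSHOT_AT_ADD_ENTRY }

    static final class Group {
        private final Set<String> members = new HashSet<>();
        void addMember(String principal) { members.add(principal); }
        boolean isMember(String principal) { return members.contains(principal); }
        Set<String> snapshotMembers() { return new HashSet<>(members); }
    }

    // An entry names either one principal or one group and grants the listed
    // permissions, or denies them when marked negative.
    static final class Entry {
        final String principal;      // non-null for a user entry
        final Group group;           // non-null for a group entry
        final Set<String> permissions = new HashSet<>();
        boolean negative;
        Set<String> frozenMembers;   // filled only in SNAPSHOT_AT_ADD_ENTRY mode

        static Entry forUser(String principal) { return new Entry(principal, null); }
        static Entry forGroup(Group group) { return new Entry(null, group); }
        private Entry(String principal, Group group) { this.principal = principal; this.group = group; }
        Entry permit(String... perms) { for (String p : perms) permissions.add(p); return this; }
        Entry deny() { negative = true; return this; }
    }

    static final class Acl {
        private final MemberResolution mode;
        private final List<Entry> entries = new ArrayList<>();
        Acl(MemberResolution mode) { this.mode = mode; }

        void addEntry(Entry e) {
            // In snapshot mode, membership is captured once, here, and never refreshed.
            if (mode == MemberResolution.SNAPSHOT_AT_ADD_ENTRY && e.group != null) {
                e.frozenMembers = e.group.snapshotMembers();
            }
            entries.add(e);
        }

        private boolean groupEntryCovers(Entry e, String principal) {
            return mode == MemberResolution.LIVE_AT_CHECK
                    ? e.group.isMember(principal)          // consults the group now
                    : e.frozenMembers.contains(principal); // consults the old copy
        }

        // java.security.acl rule: entries for the principal itself take precedence
        // over group entries; at either level a negative entry cancels a positive one.
        boolean checkPermission(String principal, String permission) {
            boolean userGrant = false, userDeny = false, groupGrant = false, groupDeny = false;
            for (Entry e : entries) {
                if (!e.permissions.contains(permission)) continue;
                if (e.principal != null) {
                    if (!e.principal.equals(principal)) continue;
                    if (e.negative) userDeny = true; else userGrant = true;
                } else if (groupEntryCovers(e, principal)) {
                    if (e.negative) groupDeny = true; else groupGrant = true;
                }
            }
            if (userGrant || userDeny) return userGrant && !userDeny;
            return groupGrant && !groupDeny;
        }
    }

    // Replays the post's scenario. Returns {user1 READ, user1 WRITE, user2 READ, user2 WRITE}.
    static boolean[] scenario(MemberResolution mode) {
        Group group1 = new Group();
        group1.addMember("user1");

        Acl acl = new Acl(mode);
        acl.addEntry(Entry.forGroup(group1).permit("READ", "WRITE"));
        acl.addEntry(Entry.forUser("user1").permit("WRITE").deny());

        group1.addMember("user2"); // the addMember call moved below addEntry, as in the post

        return new boolean[] {
            acl.checkPermission("user1", "READ"), acl.checkPermission("user1", "WRITE"),
            acl.checkPermission("user2", "READ"), acl.checkPermission("user2", "WRITE"),
        };
    }

    public static void main(String[] args) {
        for (MemberResolution mode : MemberResolution.values()) {
            boolean[] r = scenario(mode);
            System.out.printf("%-22s user1 READ=%b WRITE=%b | user2 READ=%b WRITE=%b%n",
                    mode, r[0], r[1], r[2], r[3]);
        }
    }
}
```

Under LIVE_AT_CHECK, user2 gets both READ and WRITE even though the membership was added after the entry, and user1 keeps READ but loses WRITE through the user-level negative entry. Under SNAPSHOT_AT_ADD_ENTRY, user2 gets nothing, which is the symptom the post describes. From a defender's standpoint the live design is the one to want: with a snapshot, adding a user to (or removing one from) a group silently stops being an access decision, and the ACL's answers drift from the group that administrators believe they are managing.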