java.security.acl.Acl getPermissions() method

Chris.Cuilla@Level3.com
Thu, 10 Jun 1999 13:23:06 -0600

From: Chris.Cuilla@Level3.com
To: java-security@java.sun.com
Subject: java.security.acl.Acl getPermissions() method
Date: Thu, 10 Jun 1999 13:23:06 -0600

I am in the process of creating an implementation of the
java.security.acl.* "specification".

In particular, I am working on the Acl.getPermissions(Principal) method.

Reading the specification for the "isMember()" method of the
java.security.acl.Group interface at:

http://java.sun.com/products/jdk/1.1/docs/api/java.security.acl.Group.html#isMember(java.security.Principal)

It is clear that Groups (which are a sub-type of Principal) can have
Groups as members. Which, of course, means that one could construct a
hierarchical Group structure if required. Which makes sense.

However, reading both the specification for the java.security.acl.Acl
interface (specifically the "getPermissions(Principal)" method) at:

http://java.sun.com/products/jdk/1.1/docs/api/java.security.acl.Acl.html

As well as the "Access Control Abstractions" document at:

http://www.javasoft.com/products/jdk/1.1/docs/guide/security/Acl.html

Under the "Calculation of granted permissions"...

The description of how permissions are calculated gets a BIT vague. It
says "Individual permissions (permissions granted or denied to a
specific principal) always override the Group permissions.
Specifically, individual negative permissions (specific denial of
permissions) override the group's positive permissions. And individual
positive permissions override the group's negative permissions."

The question is should a child group's (a Group that is a member of
another Group) permissions have the same relationship to the parent
group as an individual Principal's permissions have to the Groups that
it is a member of?

Thanks,

Chris Cuilla
Architecture, Data & Technology
Level 3 Communications, L.L.C.

7581 West 103rd Avenue
Westminster, CO 80021

303.635.6709 (voice)
chris.cuilla@level3.com (email)

"Can we speak without the sounds of a world gone quite insane?"
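
The two possible readings of the question above, modelled side by side as an added example (not part of the original post, and not code from the JDK; it uses a small stand-in model rather than the java.security.acl interfaces). The group names, permissions and ACL entries are constructed so that the two readings give alice different results, and the rule that a deny beats a grant among groups at the same level is an assumption the quoted text does not settle.

```java
import java.util.*;
import java.util.stream.Collectors;

public class NestedGroupAcl {
    // Constructed sample data: group -> direct members (a member may itself be a group).
    static final Map<String, Set<String>> MEMBERS = Map.of("staff", Set.of("engineers"), "engineers", Set.of("alice"));
    // Constructed ACL entries: principal -> positive (granted) and negative (denied) permissions.
    static final Map<String, Set<String>> POS = Map.of("staff", Set.of("read", "write"), "engineers", Set.of("deploy"));
    static final Map<String, Set<String>> NEG = Map.of("staff", Set.of("deploy"), "engineers", Set.of("write"));

    static Set<String> get(Map<String, Set<String>> m, String p) { return new TreeSet<>(m.getOrDefault(p, Set.of())); }
    static List<String> parents(String p) {                    // groups that list p as a direct member
        return MEMBERS.keySet().stream().filter(g -> MEMBERS.get(g).contains(p)).collect(Collectors.toList());
    }
    static void ancestors(String p, Set<String> acc) {         // all enclosing groups; acc.add() guards against cycles
        for (String g : parents(p)) if (acc.add(g)) ancestors(g, acc);
    }
    // Reading 1 (flat): every enclosing group, direct or indirect, carries the same weight.
    static Set<String> flat(String p) {
        Set<String> groups = new HashSet<>(), pos = new TreeSet<>();
        ancestors(p, groups);
        for (String g : groups) pos.addAll(get(POS, g));
        for (String g : groups) pos.removeAll(get(NEG, g));    // assumption: group deny beats group grant
        pos.removeAll(get(NEG, p));                            // individual deny overrides group grant
        pos.addAll(get(POS, p));                               // individual grant overrides group deny
        return pos;
    }
    // Reading 2 (hierarchical): a child group overrides its parent the way an individual overrides a group.
    // Returns {granted, denied} for p after applying that rule at every level.
    static List<Set<String>> hier(String p, Set<String> path) {
        Set<String> inhPos = new TreeSet<>(), inhNeg = new TreeSet<>();
        if (path.add(p)) {                                     // skip parents if p is already on the path (cycle)
            for (String g : parents(p)) {
                List<Set<String>> r = hier(g, path);
                inhPos.addAll(r.get(0)); inhNeg.addAll(r.get(1));
            }
            path.remove(p);
        }
        inhPos.removeAll(inhNeg);                              // same assumption, among sibling parents
        Set<String> pos = get(POS, p), neg = get(NEG, p);
        inhPos.removeAll(neg); inhNeg.removeAll(pos);          // own entries override inherited ones
        pos.addAll(inhPos); neg.addAll(inhNeg);
        return List.of(pos, neg);
    }
    public static void main(String[] args) {
        System.out.println("flat:         " + flat("alice"));
        System.out.println("hierarchical: " + hier("alice", new HashSet<>()).get(0));
    }
}
```

An implementation of Acl.getPermissions(Principal) has to pick one of these readings and document it, since a permission granted by a child group and denied by its parent comes out differently under each.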