
The OPSS Policy Model

isUserInRole for servlets and JSPs or the method isCallerInRole for EJBs, both available from standard Java APIs. Although these methods still depend on role membership to determine authorization, they give finer control over authorization decisions, since access control is not limited to the resource level (EJB method or URL).

20.2.2.3 Java EE Code Example

The following example illustrates a servlet calling the method isUserInRole. It is assumed that the EAR file packaging the servlet includes the configuration files web.xml and weblogic-application.xml, and that these files include the following configuration fragments:

web.xml

    <!-- security roles -->
    <security-role>
      <role-name>sr_developer</role-name>
    </security-role>

weblogic-application.xml

The following snippet shows the mapping between the user weblogic and the security role sr_developer:

    <wls:security-role-assignment>
      <wls:role-name>sr_developer</wls:role-name>
      <wls:principal-name>weblogic</wls:principal-name>
    </wls:security-role-assignment>

Code Example Invoking isUserInRole

    import javax.servlet.ServletConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletOutputStream;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;
    import java.util.Date;

    public class PolicyServlet extends HttpServlet {

        public PolicyServlet() {
            super();
        }

        public void init(ServletConfig config) throws ServletException {
            super.init(config);
        }

        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            final ServletOutputStream out = response.getOutputStream();
            response.setContentType("text/html");
            out.println("<HTML><BODY bgcolor=\"#FFFFFF\">");
            out.println("Time stamp: " + new Date().toString());
            // Name of the authenticated caller, or null if the request is unauthenticated
            out.println("<br>request.getRemoteUser = " + request.getRemoteUser() + "<br>");
            // Programmatic role check against the security role declared in web.xml
            out.println("request.isUserInRole('sr_developer') = "
                    + request.isUserInRole("sr_developer") + "<br>");
            out.println("request.getUserPrincipal = " + request.getUserPrincipal() + "<br>");
            out.println("</BODY>");
            out.println("</HTML>");
        }
    }

Oracle Fusion Middleware Application Security Guide

20.2.3 The JAAS Authorization Model

The JAAS authorization model introduces permissions but can still use the notion of roles. An authorization policy binds permissions with a Subject (role, group, or user) and, optionally, with source code. Granting to a role is achieved through calls to addPrincipalsToAppRole. Permissions are evaluated by calls to the SecurityManager or the AccessController, and this allows fine-grained control over access to resources.

In this model, an authorization policy specifies the following information:

■ Application roles and enterprise groups.
■ Permissions granted to users, groups, and code sources. For users and groups, they determine what a user or the member of a group is allowed to access. For code sources, they determine what actions the code is allowed to perform.

When programming with this model, sensitive lines of code are preceded with calls to check whether the current user or role is granted the appropriate permissions to access the code. If the user has the appropriate permissions, the code is run. Otherwise, the code throws an exception.

For details about JAAS standard permissions, see http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html.
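The check-before-access pattern described above, as an added example in plain JAAS; it is not code from the Oracle guide and does not use the OPSS API. The classes RolePrincipal, AppPermission and RolePolicy, the permission name report.read and the role sr_guest are hypothetical, and the example assumes a JDK where java.security.Policy and AccessController are still functional (both are deprecated as of Java 17).

```java
import java.security.*;
import java.util.Collections;
import javax.security.auth.Subject;

public class JaasCheckDemo {
    // Hypothetical principal and permission types, constructed for this example.
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    static final class AppPermission extends BasicPermission {
        AppPermission(String name) { super(name); }
    }

    // Policy: grants AppPermission "report.read" to role sr_developer, denies everything else.
    static final class RolePolicy extends Policy {
        @Override public boolean implies(ProtectionDomain domain, Permission p) {
            if (!(p instanceof AppPermission) || !p.getName().equals("report.read")) return false;
            for (Principal pr : domain.getPrincipals())
                if (pr instanceof RolePrincipal && pr.getName().equals("sr_developer")) return true;
            return false;
        }
    }

    // Sensitive code preceded by a permission check; throws AccessControlException when not granted.
    static String readReport() {
        AccessController.checkPermission(new AppPermission("report.read"));
        return "report contents";
    }

    static String runAs(String role) {
        Subject s = new Subject(true, Collections.singleton(new RolePrincipal(role)),
                                Collections.emptySet(), Collections.emptySet());
        try {
            // null context: only the Subject's principals and this code's domain are evaluated
            return Subject.doAsPrivileged(s, (PrivilegedAction<String>) JaasCheckDemo::readReport, null);
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission().getName();
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new RolePolicy());
        System.out.println("sr_developer -> " + runAs("sr_developer"));
        System.out.println("sr_guest     -> " + runAs("sr_guest"));
    }
}
```

The policy denies by default, so a caller with no matching role principal reaches the exception path rather than the protected code.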

20.3 The JAAS/OPSS Authorization Model

JAAS/OPSS authorization is based on controlling the operations that a class can perform when it is loaded and run in the environment. This section is divided into the following sections:

■ The Resource Catalog
■ Managing Policies
■ Checking Policies
■ The Class ResourcePermission

20.3.1 The Resource Catalog

OPSS supports the specification and runtime support of the resource catalog in file-, LDAP-, and DB-based policy stores. Using the resource catalog provides the following benefits:

■ Describes policies and secured artifacts in human-readable terms.
■ Allows defining and modifying policies independently of and without knowledge of the application source code.
■ Allows browsing and searching secured artifacts.