MQP:Mapping Back From Permissions

From JimboWiki

The Goal

One goal of the Resource Model is to translate easily between the model and security implementations. In the context of Java, this primarily means translating between Permission type rules and actions. This involves a few steps, which include determining which Permission rules each type of action requires, and how the arguments in Permission rules relate to the parameters in the actions.

Getting Action Parameters From Permission Rules

Determining the action parameters found in a given permission rule is slightly more complicated than the forward process of substituting the action parameters into the correct places in the rule parameter. For example, the template for a SocketPermission rule application may look like this (with action parameter names found between matching {}):

completehost = "{hostname}:[{portrange}]" action = "connect"

And a given instance of a SocketPermission may look like this:

completehost = "*.example.org:[8000-8080]" action = "connect"

In this example, the case is fairly straightforward. Regular expressions can be used on the template for completehost to find which parts are variables and which parts are not. The literal strings in between the variables can then be used to find which parts of the rule parameter refer to which variables. A backwards mapping would produce a FilledActionDefinition referring to the ActionDefinition for "SocketConnect", with ActionParameters hostname="*.example.org" portrange="8000-8080".
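The backwards mapping described above, as an added Java example that is not code from this wiki or the project: it turns the completehost template into a regular expression with the literal parts quoted, then reads the variables out of a rule instance. The class and method names are hypothetical, and a plain Map stands in for the FilledActionDefinition.

```java
import java.util.*;
import java.util.regex.*;

public class PermissionBackMap {
    // Finds template variables such as {hostname}
    private static final Pattern VAR = Pattern.compile("\\{(\\w+)\\}");

    /** Builds a regex from a template: literal text is quoted, each {name}
     *  becomes a capture group, and the names are recorded in group order. */
    static Pattern compile(String template, List<String> names) {
        StringBuilder re = new StringBuilder();
        Matcher m = VAR.matcher(template);
        int last = 0;
        while (m.find()) {
            re.append(Pattern.quote(template.substring(last, m.start())));
            re.append("(.+?)");               // reluctant: stop at the next literal
            names.add(m.group(1));
            last = m.end();
        }
        re.append(Pattern.quote(template.substring(last)));
        return Pattern.compile(re.toString());
    }

    /** Returns the action parameters, or empty if the rule does not fit the template. */
    static Optional<Map<String, String>> backMap(String template, String rule) {
        List<String> names = new ArrayList<>();
        Matcher m = compile(template, names).matcher(rule);
        if (!m.matches()) return Optional.empty();   // whole rule must match
        Map<String, String> params = new LinkedHashMap<>();
        for (int i = 0; i < names.size(); i++) {
            params.put(names.get(i), m.group(i + 1));
        }
        return Optional.of(params);
    }

    public static void main(String[] args) {
        String template = "{hostname}:[{portrange}]";   // template from the text above
        // Rule instance from the text above
        System.out.println(backMap(template, "*.example.org:[8000-8080]"));
        // Constructed rule with no port range: does not fit the template
        System.out.println(backMap(template, "*.example.org"));
    }
}
```

A template with two variables and no literal text between them cannot be split unambiguously this way, so such templates need a separator or a stricter per-variable pattern.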

Sets of Permission Rules Defining One Action

In other cases, a given action, for example the "GetAndAlterClassLoader" action, requires several Permission rules to be represented in the Java security framework. In this case, given an initial set of Permission rules, it must be determined whether any subset of those filled-in rule definitions matches all the rule applications for each given action. The actions that have complete matches are fully represented by the permission rules, and the ones that have incomplete matches are suggested by the permission rules.