To implement fine-grained administrative security, your code must
identify the resource instance that the managed bean (MBean) represents and
assign the user the required role for that instance of the resource. This
topic discusses what to do to identify the resource and assign the required
role. This topic also discusses how to make an MBean method run under a different
user identity so that the method can access other resource instances. Lastly,
this topic discusses how to check if an MBean method has access to a resource
instance by using programmatic interfaces.
About this task
Perform the following task to ensure that an MBean or MBean method
is protected. Identify the resource instance that the MBean or MBean method
represents and assign required roles to access the MBean. Perform this task
during the development of the MBean.
Procedure
- Determine the resource instance that the MBean represents and the
required roles to invoke the MBean methods.
Every MBean method
has a default MBean security policy. When the MBean method uses the default
security policy, the resource instance that the MBean represents is assumed
to be the server in which the MBean runs. If an MBean or MBean method represents
a resource instance other than the server on which it runs, perform the following
steps:
- Identify the resource instance that the MBean represents.
- If an MBean, such as the Server MBean, accesses and modifies the server
in which the MBean runs, do not specify a security policy to verify that the
user invoking the MBean is granted access to the server because the default
security policy is in force. In most cases, you use an MBean to access and
modify the server.
- If an MBean that runs inside a server can access and modify resources
that do not directly belong to the server, check if the user invoking the
MBean is granted access to the instance of the resource before allowing the
MBean method to run.
In most cases, identify the resource instance by identifying
the key-value pair in the object name of the MBean that represents the resource
instance. The resourceIndentifierKey attribute defines the key.
For
example, you can use the EJBModule MBean to access an Enterprise JavaBeans
(EJB) module within an application that runs inside the server. In this case,
the object name of the EJBModule MBean contains a key-value pair. The key
is Application. The value represents the resource instance
that the EJBModule MBean tries to access. The user that invokes this MBean
method is verified to make sure that access is granted to this instance of
the application before allowing the MBean method to run.
The following
example shows how to describe the fine-grained administrative security for
the EJBModule type of MBean in the MBean descriptor:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MBean SYSTEM "MbeanDescriptor.dtd">
<MBean type="EJBModule" j2eeType="EJBModule"
version="5.0"
platform="dynamicproxy"
resourceIdentifierKey="Application"
resourceType="Application"
deployerMBean="true"
description="Management interface for the EJBModule component.">
- If you can determine the resource that the MBean accesses before the MBean
is invoked, but you cannot use the MBean object name to determine the resource
instance that the MBean accesses, use parameters that are passed to the MBean
instead.
Identify the MBean method parameter name with a parameter value
that represents the resource instance. Mark the corresponding parameter metadata
in the MBean descriptor as the resource identifier. To mark a parameter as
the resource identifier, add the resourceType attribute. The attribute specifies
the type resource that the parameter value contains. When the resourceType
attribute is present for any MBean method parameter, the parameter value determines
the resource instance that the MBean method represents.
For example,
one instance of the ApplicationManager MBean runs in each server. The same
MBean can be used to start and stop all the applications in the server. The
start and stop methods of this MBean each take the application name as a parameter.
They use the parameter to determine the instance of the application that this
MBean method tries to access.
The following example shows how to describe
the fine-grained administrative security for this type of MBean in the MBean
descriptor:
<operation
description="Start Application"
impact="ACTION" name="startApplication" role="operation"
targetObjectType="objectReference" type="void" proxyInvokeType="spray">
<signature>
<parameter description="Application Name" resourceType="Application"
name="applicationName" type="java.lang.String"/>
</signature>
</operation>
- If the resource that an MBean accesses cannot be determined until the
MBean is invoked, check if the user invoking the MBean is granted access to
the instance of the resource by using application programming interfaces (APIs).
Mark
the MBean or MBean method as excluded from access checking in the MBean descriptor
by using the excludeAccessCheck attribute. When an MBean is marked as excluded
from access checking, all its methods are also excluded from access checking.
For
example, the ConfigService MBean that runs in the deployment manager is used
to configure all the resources within a cell. Exclude this MBean from access
checking before invoking the MBean methods. Check that the ConfigService MBean
is granted access to the configuration resource when the MBean attempts to
access the resource.
The following example shows how to describe the
fine-grained administrative security for the ConfigServices type of MBean
in the MBean descriptor:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MBean SYSTEM "MbeanDescriptor.dtd">
<MBean
version="5.0"
platform="proxy"
collaboratorClass="com.ibm.ws390.management.proxy.ConfigServiceManager"
description="Config Service component provides service of
configuration related tasks on top of configuration repository service."
type="ConfigService"
excludeAccessCheck="true"
configureMBean="true">
Some statements are split on multiple
lines for printing purposes.
The following example shows how to invoke
the MBean method logic to perform authorization checking programmatically:
// Get administration authorizer.
AdminAuthorizer aa = AdminAuthorizerFactory.getAdminAuthorizer();
// Set the role that is required for this operation.
String role = com.ibm.ws.security.util.Constants.CONFIG_ROLE;
// Set the resource name.
// cells/cellName is optional.
String resource = "/nodes/"+ nodeName + /servers/" + serverName;
// Check access
if ( aa != null && !aa.checkAccess(resource, role) )
// Disallow access.
else
// Allow access.
- Assign required roles for the MBean and MBean methods.
The required roles are automatically assigned, based on the type
of MBean and the impact of the MBean method, as described in the topic on
the default MBean security policy.
- Specify delegation mode.
In some cases, after performing
the initial access check, the MBean method might need to run under a different
user identity so that it can access other resource instances. For example
the syncNode operation in the CellSync MBean grants the user the operator
role to the instance of the node being synchronized. The syncNode operation
tries to access resources under the cell scope. The user might not have access
to open files under the cell directory. The MBean must run as System after
the initial access check so that the operation completes without any access
denied problems.
Set the runAs attribute to System to
specify delegation mode for an MBean or MBean method. When you set the runAs
attribute for an MBean, the value applies to all MBean methods for that MBean.
The
following example shows how to describe fine-grained administrative security
for the CellSync type of MBean in the MBean descriptor.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MBean SYSTEM "MbeanDescriptor.dtd">
<MBean type="CellSync"
version="5.0.1"
platform="common"
runAs="System"
description="Management interface for the configuration synchronization logic
performed at the central deployment manager for the cell.">
<operation
description="Initiate a synchronization request for a given node" impact="ACTION"
name="syncNode" role="operation" targetObjectType="objectReference" type="ja
va.lang.Boolean">
<signature>
<parameter resourceType="Node"
description="The name of the node"
name="nodeName" type="java.lang.String"/>
</signature>
</operation>
Results
You have determined the type of resource a given MBean method is accessing
and performed the necessary access check so that WebSphere Application Server
can allow access to the resource.