To implement fine-grained administrative security, your code must identify the resource instance that the managed bean (MBean) represents and assign the user the required role for that instance of the resource. This topic discusses what to do to identify the resource and assign the required role. This topic also discusses how to make an MBean method run under a different user identity so that the method can access other resource instances. Lastly, this topic discusses how to check if an MBean method has access to a resource instance by using programmatic interfaces. This task assumes a basic familiarity with MBean programming. For information on MBean programming, see MBean Java application programming interface (API) documentation.
Every MBean method has a default MBean security policy. When the MBean method uses the default security policy, the resource instance that the MBean represents is assumed to be the server in which the MBean runs. If an MBean or MBean method represents a resource instance other than the server on which it runs, perform the following steps:
In most cases, identify the resource instance by identifying the key-value pair in the object name of the MBean that represents the resource instance. The resourceIndentifierKey attribute defines the key.
For example, you can use the EJBModule MBean to access an Enterprise JavaBeans (EJB) module within an application that runs inside the server. In this case, the object name of the EJBModule MBean contains a key-value pair. The key is Application. The value represents the resource instance that the EJBModule MBean tries to access. The user that invokes this MBean method is verified to make sure that access is granted to this instance of the application before allowing the MBean method to run. The following example shows how to describe the fine-grained administrative security for the EJBModule type of MBean in the MBean descriptor:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE MBean SYSTEM "MbeanDescriptor.dtd"> <MBean type="EJBModule" j2eeType="EJBModule" version="5.0" platform="dynamicproxy" resourceIdentifierKey="Application" resourceType="Application" deployerMBean="true" description="Management interface for the EJBModule component.">
Identify the MBean method parameter name with a parameter value that represents the resource instance. Mark the corresponding parameter metadata in the MBean descriptor as the resource identifier. To mark a parameter as the resource identifier, add the resourceType attribute. The attribute specifies the type resource that the parameter value contains. When the resourceType attribute is present for any MBean method parameter, the parameter value determines the resource instance that the MBean method represents.
For example, one instance of the ApplicationManager MBean runs in each server. The same MBean can be used to start and stop all the applications in the server. The start and stop methods of this MBean each take the application name as a parameter. They use the parameter to determine the instance of the application that this MBean method tries to access. The following example shows how to describe the fine-grained administrative security for this type of MBean in the MBean descriptor:
<operation
description="Start Application"
impact="ACTION" name="startApplication" role="operation"
targetObjectType="objectReference" type="void" proxyInvokeType="spray">
<signature>
<parameter description="Application Name" resourceType="Application"
name="applicationName" type="java.lang.String"/>
</signature>
</operation>
Mark the MBean or MBean method as excluded from access checking in the MBean descriptor by using the excludeAccessCheck attribute. When an MBean is marked as excluded from access checking, all its methods are also excluded from access checking.
For example, the ConfigService MBean that runs in the deployment manager is used to configure all the resources within a cell. Exclude this MBean from access checking before invoking the MBean methods. Check that the ConfigService MBean is granted access to the configuration resource when the MBean attempts to access the resource. The following example shows how to describe the fine-grained administrative security for the ConfigServices type of MBean in the MBean descriptor:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MBean SYSTEM "MbeanDescriptor.dtd">
<MBean
version="5.0"
platform="proxy"
collaboratorClass="com.ibm.ws390.management.proxy.ConfigServiceManager"
description="Config Service component provides service of
configuration related tasks on top of configuration repository service."
type="ConfigService"
excludeAccessCheck="true"
configureMBean="true">
Some statements are split on multiple
lines for printing purposes.
The following example shows how to invoke
the MBean method logic to perform authorization checking programmatically:
// Get administration authorizer.
AdminAuthorizer aa = AdminAuthorizerFactory.getAdminAuthorizer();
// Set the role that is required for this operation.
String role = com.ibm.ws.security.util.Constants.CONFIG_ROLE;
// Set the resource name.
// cells/cellName is optional.
String resource = "/nodes/"+ nodeName + /servers/" + serverName;
// Check access
if ( aa != null && !aa.checkAccess(resource, role) )
// Disallow access.
else
// Allow access.
The required roles are automatically assigned, based on the type of MBean and the impact of the MBean method, as described in the topic on the default MBean security policy.
In some cases, after performing the initial access check, the MBean method might need to run under a different user identity so that it can access other resource instances. For example the syncNode operation in the CellSync MBean grants the user the operator role to the instance of the node being synchronized. The syncNode operation tries to access resources under the cell scope. The user might not have access to open files under the cell directory. The MBean must run as System after the initial access check so that the operation completes without any access denied problems.
Set the runAs attribute to System to specify delegation mode for an MBean or MBean method. When you set the runAs attribute for an MBean, the value applies to all MBean methods for that MBean. The following example shows how to describe fine-grained administrative security for the CellSync type of MBean in the MBean descriptor.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MBean SYSTEM "MbeanDescriptor.dtd">
<MBean type="CellSync"
version="5.0.1"
platform="common"
runAs="System"
description="Management interface for the configuration synchronization logic
performed at the central deployment manager for the cell.">
<operation
description="Initiate a synchronization request for a given node" impact="ACTION"
name="syncNode" role="operation" targetObjectType="objectReference" type="ja
va.lang.Boolean">
<signature>
<parameter resourceType="Node"
description="The name of the node"
name="nodeName" type="java.lang.String"/>
</signature>
</operation>