Sun Java System Access Manager 7 2005Q4 Developer's Guide

JAAS Authorization in Access Manager

Access Manager provides a custom implementation of the JAAS javax.security.auth.Policy. The customized implementation leverages the J2SE access controller and security manager to provide policy evaluation for all Access Manager related permissions. The customized implementation also falls back on the J2SE default Policy implementation com.sun.security.auth.PolicyFile for access to system level resources. Access Manager policy does not control access to com.sun.security.auth.PolicyFile.

Access Manager uses both JAAS and J2SE’s file-based policy for all the resources for which Access Manager does not provide access control. For Access Manager resources such as URLs and so forth, new policy and permissions are defined. This model leverages the best of JAAS and the best of J2SE in one solution. It uses the JAAS framework for its default access control where needed, and then enhances the framework to incorporate the Access Manager policy evaluation. In this way, you can use the Access Manager policy implementation to evaluate Access Manager policies, and fall back on the default method of controlling access to resources not under Access Manager control.
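The delegation model described above, shown with JDK classes only. This is an added example, not Access Manager code: DelegatingPolicy, ResourcePermission, the principal names and the /payroll/ rule are hypothetical, and extending java.security.Policy is an assumption made for the illustration.

```java
import java.security.*;
import java.util.PropertyPermission;

// Added illustration using only JDK classes; not Access Manager's own Policy.
public class DelegatingPolicyDemo {
    public static void main(String[] args) {
        // Constructed stand-in for the file-based default policy.
        Policy filePolicy = new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) {
                return new PropertyPermission("user.dir", "read").implies(p);
            }
        };
        Policy policy = new DelegatingPolicy(filePolicy);
        ProtectionDomain alice = domainFor("alice"), bob = domainFor("bob");
        Permission payroll = new ResourcePermission("/payroll/q3");
        System.out.println("alice payroll: " + policy.implies(alice, payroll));
        System.out.println("bob payroll:   " + policy.implies(bob, payroll));
        System.out.println("bob user.dir:  "
            + policy.implies(bob, new PropertyPermission("user.dir", "read")));
    }
    // Builds a domain that carries one constructed principal and no code source.
    static ProtectionDomain domainFor(String name) {
        Principal who = () -> name;
        return new ProtectionDomain(null, null, null, new Principal[] { who });
    }
}

/** Hypothetical application permission; a check on it yields only yes or no. */
final class ResourcePermission extends BasicPermission {
    ResourcePermission(String resource) { super(resource); }
}

/** Decides application permissions itself and delegates all others. */
final class DelegatingPolicy extends Policy {
    private final Policy fallback;
    DelegatingPolicy(Policy fallback) { this.fallback = fallback; }

    @Override public boolean implies(ProtectionDomain domain, Permission p) {
        if (!(p instanceof ResourcePermission)) {
            return fallback.implies(domain, p);   // system-level resource
        }
        // Constructed rule: only the principal "alice" may reach /payroll/*.
        for (Principal who : domain.getPrincipals()) {
            if ("alice".equals(who.getName()) && p.getName().startsWith("/payroll/")) {
                return true;
            }
        }
        return false;   // deny by default; never consult the fallback here
    }
}
```

Application permissions are answered only by the custom branch, so a permissive entry in the fallback policy cannot widen access to application resources.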

Custom APIs

Access Manager provides the following custom APIs:

For a comprehensive listing of related APIs, see the Javadoc in the following directory: AccessManager-base/SUNWam/docs.

User Interface

The user interface for entering permissions and policy is the Access Manager administration console, which works with the policy administration API. Once the policy is defined, the evaluation is done using the J2SE architecture and the enhanced policy implementation.

ISPermission covers the case when additional policy services are defined and imported, provided they only have boolean action values. In fact, boolean evaluation is all that can be done using JAAS, since JAAS permissions have a boolean result.