[GLASSFISH-20037] Investigate the Restricted Permissions vs Allowed Permissions (or Not restricted policy) for Application Packaged Permission feature Created: 25/Mar/13  Updated: 28/Mar/13

Status: Open
Project: glassfish
Component/s: security
Affects Version/s: 4.0
Fix Version/s: future release

Type: Bug Priority: Major
Reporter: spei Assignee: spei
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In the current committed code (revision 60776), the domain restriction is through the restrict.server.policy file. This has the following issues:

1) The AllPermission in the restriction list means that the app's declared permissions cannot include AllPermission, and does not mean the application cannot declare other permissions. This is an exception compared to other entries in the restriction file, i.e., other entries are checked against the declared permissions by an "imply" call.

2) With a restriction list, the admin knows what he wants to restrict, but still has no full picture of what the application may get. A configured allowed list can limit the applications to permissions that exist on the allowed list, but the list might be long since an exhaustive list is needed. A metafile policy approach for the allowed list (or not-restricted policy) may be able to define restrictions by following some syntax. A declared permission can be granted only if it is implied by a permission on the not-restricted list. When the not-restricted list/collection is empty, no declared permission can be declared, including AllPermission.

We need to investigate this further from the point of view of security completeness, and also from a usability point of view.
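The two models compared in this description, as an added Java sketch that is not GlassFish code and not from the reporter. The class and method names are hypothetical, the sample permissions are constructed, and the direction of the restricted-list `implies` check (a restricted entry implying a declared permission) is an assumed reading of item 1.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.util.List;
import java.util.PropertyPermission;

// Hypothetical helper; names and sample policy entries are constructed for illustration.
public class DeclaredPermissionCheck {

    // Restricted list (assumed reading): reject a declared permission that a restricted
    // entry implies. AllPermission on the list is the exception from item 1: it only
    // bars a declared AllPermission instead of implying (and blocking) everything.
    static boolean passesRestricted(List<Permission> restricted, Permission declared) {
        for (Permission r : restricted) {
            if (r instanceof AllPermission) {
                if (declared instanceof AllPermission) return false;
            } else if (r.implies(declared)) {
                return false;
            }
        }
        return true;
    }

    // Allowed (not-restricted) list from item 2: grant only what some allowed entry
    // implies. An empty list therefore grants nothing, AllPermission included.
    static boolean passesAllowed(List<Permission> allowed, Permission declared) {
        for (Permission a : allowed) {
            if (a.implies(declared)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<Permission> restricted = List.of(new AllPermission(),
                new FilePermission("/etc/-", "read,write"));
        List<Permission> allowed = List.of(new FilePermission("/tmp/app/-", "read,write"),
                new PropertyPermission("app.*", "read"));
        List<Permission> declared = List.of(
                new AllPermission(),
                new FilePermission("/etc/passwd", "read"),
                new FilePermission("/tmp/app/cache.bin", "read"),
                new RuntimePermission("createClassLoader"));
        for (Permission p : declared) {
            System.out.printf("%-60s restricted=%-5b allowed=%-5b emptyAllowed=%b%n",
                    p, passesRestricted(restricted, p), passesAllowed(allowed, p),
                    passesAllowed(List.of(), p));
        }
    }
}
```

The `RuntimePermission("createClassLoader")` row is the gap item 2 describes: it passes the restricted list because nobody listed it, while the allowed list rejects it by default.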






GlassFish services and components to conform with configuration modularity (GLASSFISH-19408)

[GLASSFISH-19517] Security services module should conform with configuration modularity Created: 10/Jan/13  Updated: 21/Sep/15

Status: Open
Project: glassfish
Component/s: admin
Affects Version/s: None
Fix Version/s: 4.1.1

Type: Sub-task Priority: Major
Reporter: Masoud Kalali Assignee: spei
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Comments   
Comment by Tim Quinn [ 10/Jan/13 ]

I'm reassigning this to Shaun who is closer to the configuration aspects of the security/services module.





Generated at Sun Dec 04 13:50:55 UTC 2016 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.