You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@harmony.apache.org by Tim Ellison <t....@gmail.com> on 2008/03/02 10:53:11 UTC
Re: [classlib][security] UnresolvedPrincipal/Policy file principal_name
question
Daniel John Debrunner wrote:
> I have a need for a application level Principal implementation that
> treats user names as case-insensitive, e.g.
>
> DatabasePrincipal("fred") and DatabasePrincipal("FRED")
>
> are equal and both would return FRED for getName().
>
> However it seems default Policy implementations (for RI & Harmony) that
> read the policy file don't allow this. So while this grant does work
>
> grant principal DatabasePrincipal "FRED"
>
> this does not
>
> grant principal DatabasePrincipal "fred"
>
> even though by the rules of the DatabasePrincipal they are equal.
>
> For Harmony I see it is due to UnresolvedPrincipal for two reasons:
>
> 1) (possibly) UnresolvedPrincipal is never re-resolved into
> DatabasePrincipal like UnresolvedPermission is defined to act.
> (on IBM's 1.5 vm I see instances of DatabasePrincipal being created
> that correspond to entries in the policy file, so I'm assuming
> re-resolving is taking place)
>
> 2) UnresolvedPrincipal.implies() works just uses the class name
> (DatabasePrincipal) and getName() thus ignoring any semantics the
> application's Principal class is using for name.
>
> Is this the defined behaviour by the Java specifications, that the
> principal_name in the policy_file must match exactly the name returned
> by Principal.getName()? I can't see any justification for it from the
> javadoc for the various classes.
>
> Again to note Harmony matches the RI here, though it seems to get to the
> same result by a different path. It seems as though on the RI and IBM's
> vms that a map is set up from principal_name to Principal (but I'm
> guessing here).
Dan,
I'm not quite sure what you are asking here. You say the behavior of
Harmony and other Java implementations is the same, so are you just
asking for a specification justification for it?
It may be that the spec is not explicit in this case. There are lots of
places where the desired behavior is only determined by 'common sense'
or running a program on the RI to observe the behavior.
Are you asking for a change?
Regards,
Tim
Re: [classlib][security] UnresolvedPrincipal/Policy file principal_name
question
Posted by Daniel John Debrunner <dj...@apache.org>.
Tim Ellison wrote:
> Daniel John Debrunner wrote:
>> I have a need for a application level Principal implementation that
>> treats user names as case-insensitive, e.g.
>>
>> DatabasePrincipal("fred") and DatabasePrincipal("FRED")
>>
>> are equal and both would return FRED for getName().
>>
>> However it seems default Policy implementations (for RI & Harmony)
>> that read the policy file don't allow this. So while this grant does work
>>
>> grant principal DatabasePrincipal "FRED"
>>
>> this does not
>>
>> grant principal DatabasePrincipal "fred"
>>
>> even though by the rules of the DatabasePrincipal they are equal.
>>
>> For Harmony I see it is due to UnresolvedPrincipal for two reasons:
>>
>> 1) (possibly) UnresolvedPrincipal is never re-resolved into
>> DatabasePrincipal like UnresolvedPermission is defined to act.
>> (on IBM's 1.5 vm I see instances of DatabasePrincipal being created
>> that correspond to entries in the policy file, so I'm assuming
>> re-resolving is taking place)
>>
>> 2) UnresolvedPrincipal.implies() works just uses the class name
>> (DatabasePrincipal) and getName() thus ignoring any semantics the
>> application's Principal class is using for name.
>>
>> Is this the defined behaviour by the Java specifications, that the
>> principal_name in the policy_file must match exactly the name returned
>> by Principal.getName()? I can't see any justification for it from the
>> javadoc for the various classes.
>>
>> Again to note Harmony matches the RI here, though it seems to get to
>> the same result by a different path. It seems as though on the RI and
>> IBM's vms that a map is set up from principal_name to Principal (but
>> I'm guessing here).
>
> Dan,
>
> I'm not quite sure what you are asking here. You say the behavior of
> Harmony and other Java implementations is the same, so are you just
> asking for a specification justification for it?
I guess I'm trying to understand the current behaviour and see if it is
justified by the spec. Typically in Java code equality is pushed on the
the object (the implementation of Principal in this case) equals method,
so it was a surprise when equality for Prinicpals is instead based upon
its class name and getName() value.
> It may be that the spec is not explicit in this case. There are lots of
> places where the desired behavior is only determined by 'common sense'
> or running a program on the RI to observe the behavior.
>
> Are you asking for a change?
I would guess a change in behaviour is very unlikely, so maybe a javadoc
comment in Principal indicating how equality is handled by the Policy
mechanisms.
Thanks for the reply,
Dan.