JAAS authorization
I am developing a JAAS module and have some questions about how authorization is done.
1)
If I use the default security manager (run the code with -Djava.security.manager), what will be checked automatically? I mean without calling any of the SecurityManager's check...() methods? Is it only when you make your own permissions you have to write something like this:
SecurityManager sm = System.getSecurityManager();
// getSecurityManager() returns null when no security manager is installed
if (sm != null) {
    sm.checkPermission(new MyPermission(name));
}
When you call
Subject.doAs(subj,new SomeAction());
Do you have to call the SecurityManager to check the actions you do in the SomeAction()'s run()-method? Or how does this work?
I am very confused, please help me. I don't see how I can make this module as independent of the application that will use it as possible.
2)
How can I make support for hierarchical roles in JAAS? I want for instance subjects with RolePrincipal "employee" to get all the rights subjects with RolePrincipal "user" have. I know it is possible to write a large policy file or to give Subjects multiple RolePrincipals, but is there any other way?
3)
I want to be able to use wildcards in principal names in my policy file, e.g.:
grant principal SomePrincipal "hei*" {...};
I want this to match all names that start with "hei". How can I do that? In the equals(Object o) method in the class SomePrincipal?
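
An added example, not part of the original post: questions 2 and 3 can both be handled in `Principal.implies(Subject)` (a default method on `java.security.Principal` since Java 8, documented as the replacement for `PrincipalComparator`) instead of `equals`, which has to stay an exact, symmetric comparison to remain consistent with `hashCode`. `RolePrincipal` and `SomePrincipal` are the names from the question; the `PARENTS` hierarchy and the sample subject are constructed for illustration, and the code assumes Java 16 or later for records.

```java
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class PrincipalMatchDemo {
    // Hypothetical hierarchy: each role maps to the roles it inherits from.
    static final Map<String, Set<String>> PARENTS = Map.of(
        "employee", Set.of("user"),
        "admin", Set.of("employee"));

    record RolePrincipal(String name) implements Principal {
        public String getName() { return name; }

        // True if the subject holds this role or any role that inherits it.
        @Override public boolean implies(Subject s) {
            return s != null && s.getPrincipals(RolePrincipal.class).stream()
                .anyMatch(held -> reaches(held.name, name, 0));
        }

        static boolean reaches(String from, String target, int depth) {
            if (from.equals(target)) return true;
            if (depth > 16) return false; // fail closed on a cyclic hierarchy
            return PARENTS.getOrDefault(from, Set.of()).stream()
                .anyMatch(parent -> reaches(parent, target, depth + 1));
        }
    }

    record SomePrincipal(String name) implements Principal {
        public String getName() { return name; }

        // A trailing '*' in the grant-side name is a prefix wildcard.
        // equals() is left as the record's exact comparison.
        @Override public boolean implies(Subject s) {
            if (s == null) return false;
            boolean wild = name.endsWith("*");
            String prefix = wild ? name.substring(0, name.length() - 1) : name;
            return s.getPrincipals(SomePrincipal.class).stream()
                .anyMatch(p -> wild ? p.name.startsWith(prefix) : p.name.equals(name));
        }
    }

    public static void main(String[] args) {
        Subject subj = new Subject(); // constructed sample subject
        subj.getPrincipals().add(new RolePrincipal("employee"));
        subj.getPrincipals().add(new SomePrincipal("heidi"));
        System.out.println("user grant applies:  " + new RolePrincipal("user").implies(subj));
        System.out.println("admin grant applies: " + new RolePrincipal("admin").implies(subj));
        System.out.println("hei* grant applies:  " + new SomePrincipal("hei*").implies(subj));
    }
}
```

The principal built from the grant entry's name is the one whose `implies` is called, so the wildcard and the inherited role are only ever interpreted on the policy side, never on a name supplied at login.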

