wildcards in principal names
I need to be able to use wildcards in some principal names in the policy file.
I tried to solve it with the equal() method in my Principal class, but it does not work. Where are the principal names (values) in the policy file compared to the names of the principals of the same type in the subject?
I see two possible solutions, but I would prefer another solution. What do you think? These are my solutions:
1) Let my principal class implement com.sun.security.auth.PrincipalComparator in addition to java.security.Principal.
2) Somehow solve it with the implies() method in the Permission classes. (How?)
Please help!
[657 byte] By [riamloa] at [2007-10-1 17:29:53]

Maybe I didn't explain well enough what I want.
In my policy-file I want to be able to write:
grant Principal SomePrincipal 23* {
permission SomePermission "..", "..";
};
If some subject has a SomePrincipal with name "2379879", that is 23something, it will be granted this SomePermission.
The comparison is done inside the sun.security.provider.PolicyFile implementation (the default implementation of java.security.Policy).
PolicyFile calls Principal.getClass().getName() along with Principal.getName(), and then compares those values to the class name and principal name listed in the policy file. Note that these are simply String comparisons (they are not done using Principal.equals).
That means you are left with the following choices. You can implement PrincipalComparator, as you mentioned, or you can extend and replace the PolicyFile implementation.
Alternatively, there is one obscure feature in PolicyFile that is not well documented. It supports a minimal amount of wildcarding. Specifically:
grant Principal com.foo.Principal * {
};
grant Principal * * {
};
If the principal class is wildcarded, then the principal name must also be wildcarded (this is the second example above). Unfortunately this may not give you the level of wildcarding that you desire.
If the permissions you want to grant are all custom permissions (you have control over the implementation), then it may be possible to design them in a way to achieve what you want. Look at javax.security.auth.PrivateCredentialPermission. That permission encapsulates principals inside of its target name. You would have to design your custom permission class to have a similar syntax, and then the implies method could perform the correct logic for principal name wildcarding.
In this particular case, since the policy file grant statement does not contain principal information (see the example in the PrivateCredentialPermission javadocs), the String comparison that I described above does not occur. Instead, Permission.implies is called, and you have control over that behavior.
Hope that helps.
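
The custom-permission approach from the answer above, as an added example (not code from the thread or from the JDK). The class name PrincipalNamePermission, its "<principal class> <principal name>" target syntax and the "use" action are assumptions made for illustration.

```java
import java.security.Permission;
import java.util.Objects;

// Hypothetical permission; target name is "<principal class> <principal name>".
// Policy entry (constructed): permission PrincipalNamePermission "com.example.SomePrincipal 23*", "use";
public final class PrincipalNamePermission extends Permission {
    private final String principalClass, principalName, action;

    // A policy entry with an action string needs this (name, actions) constructor.
    public PrincipalNamePermission(String target, String action) {
        super(target);
        int sp = target.indexOf(' ');
        if (sp <= 0 || sp == target.length() - 1)
            throw new IllegalArgumentException("expected \"<class> <name>\"");
        principalClass = target.substring(0, sp);
        principalName = target.substring(sp + 1);
        this.action = Objects.requireNonNull(action);
    }

    @Override public boolean implies(Permission p) {
        if (!(p instanceof PrincipalNamePermission)) return false;
        PrincipalNamePermission req = (PrincipalNamePermission) p;
        if (!action.equals(req.action) || !principalClass.equals(req.principalClass))
            return false;
        // Only the granted side (this) may carry a trailing '*'. The requested name
        // is always matched literally, so a request cannot widen itself.
        if (principalName.endsWith("*"))
            return req.principalName.startsWith(
                    principalName.substring(0, principalName.length() - 1));
        return principalName.equals(req.principalName);
    }

    @Override public boolean equals(Object o) {
        return o instanceof PrincipalNamePermission
                && getName().equals(((PrincipalNamePermission) o).getName())
                && action.equals(((PrincipalNamePermission) o).action);
    }
    @Override public int hashCode() { return Objects.hash(getName(), action); }
    @Override public String getActions() { return action; }

    public static void main(String[] args) {
        String cls = "com.example.SomePrincipal";   // constructed sample values
        Permission granted = new PrincipalNamePermission(cls + " 23*", "use");
        // At check time the caller builds the request from the Subject's principal.
        System.out.println(granted.implies(new PrincipalNamePermission(cls + " 2379879", "use")));
        System.out.println(granted.implies(new PrincipalNamePermission(cls + " 4100001", "use")));
        System.out.println(new PrincipalNamePermission(cls + " 2379879", "use").implies(granted));
    }
}
```

Because the grant entry in this design carries no Principal clause, the code performing the check has to construct the requested permission from the Subject's principals itself.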