Gabriel: New open source security framework

  1. Gabriel is a security framework for Java. By using access control lists and permissions, Gabriel enables components to check access to actions. On top of that Gabriel protects methods like EJB does but without the overhead.

    It distinguishes itself from other frameworks by the ease of use with a small API and by mapping method access to permissions instead of persons. This way the same permissions can be used to protect method access and to check which GUI elements to show based on user permissions.

    Visit the home page: http://gabriel.codehaus.org

    Check out the Two minute tutorial
  2. Gabriel is a security framework for Java. By using access control lists and permissions, Gabriel enables components to check access to actions. On top of that Gabriel protects methods like EJB does but without the overhead. It distinguishes itself from other frameworks by the ease of use with a small API and by mapping method access to permissions instead of persons. This way the same permissions can be used to protect method access and to check which GUI elements to show based on user permissions. Visit the home page: http://gabriel.codehaus.org Check out the Two minute tutorial
    What is the status? Why don't you give a brief description of the permissions architecture?
  3. I've found that mapping to permissions instead of principals is not enough. If you've got 100+ principals and 50+ permissions (and our app does), then you're going to get problems with the overhead of the security administration.

    The solution we're using right now is to also introduce roles, which is an aggregation of permissions. Roles can then be assigned to principals, which may be single users or groups of users. This way a security administrator can do the typically difficult work of creating roles (e.g. "Admin role may do create,update,start,assign role. User role may only do update"), and "normal" administrators can then assign these roles to principals. If the system introduces more permissions it is then simply a matter of updating the roles with these new permissions, instead of having to assign the new permissions to all principals throughout the system.

    In addition to this we also assign roles to principals on a per-object basis. And in addition to this we also let these assignments be inherited if the object is in a structure, typically of the tree-kind.

    Overall this solution seems to minimize the overhead of doing security administration and makes it manageable even for a large number of permissions, a large number of principals, and a large number of objects. The task of doing security administration is often quite tedious, so effort should be spent on making it as easy as possible, or it won't be done properly.
  4. Gabriel: Principal vs Subject

    The solution we're using right now is to also introduce roles, which is an aggregation of permissions. Roles can then be assigned to principals, which may be single users or groups of users.
    This seems to indicate to me that a Principal directly represents a user. In JAAS etc., a user is represented by a Subject, which may have any number of associated Principals. Now I'm not a security expert, but this is my understanding.

    A number of platforms and products use Principals to represent Roles, thereby allowing the association of Permissions to users via roles in a sustainable way. Of course, a "Role Principal" does not uniquely identify a Subject, but you can have "User Principals" for that.

    Oliver Kamps
    http://www.fiftybar.com
  5. Gabriel: Principal vs Subject

    This seems to indicate to me that a Principal directly represents a user. In JAAS etc., a user is represented by a Subject, which may have any number of associated Principals.
    I was simplifying the scenario. To be more precise, yes we use JAAS with Subjects which contain Principals, which (typically) are mapped to an LDAP directory.
  6. I always wondered who ever decided that letting a security officer modify a file that will certainly never get reloaded at runtime, and specify user access through some Java class/method names instead of business-related information, was a good idea :-)
  7. Hello Stephan,
    What about instance-based authorization? Based on my experience, it's a vital part of most applications.
    Example: in a forum, a user makes a post, and only the creator (owner) of the post is able to change it. How is this supported by Gabriel?
    P.S. JAAS also doesn't have support for instance-based authorization, but it's extensible enough to add it manually.
  9. JAAS also doesn't have support for instance-based authorization, but it's extensible enough to add it manually.
    How can you extend JAAS to support instance-based authorization? We've been looking at options for solving this kind of problem generically, and have come up empty. Each example of this seems to be based on application-specific data, and is tightly bound to the data access method (i.e. "SELECT * FROM table WHERE owner_id = " + my_id).

    If you (or anyone else) can provide a more generic solution to this problem (JAAS or otherwise), we'd be thrilled to hear it!
  10. We've been looking at options for solving this kind of problem generically, and have come up empty. Each example of this seems to be based on application-specific data, and is tightly bound to the data access method (i.e. "SELECT * FROM table WHERE owner_id = " + my_id). If you (or anyone else) can provide a more generic solution to this problem (JAAS or otherwise), we'd be thrilled to hear it!
    We solved this problem generically by using AOP. We implemented an ACL aspect, which contains the role->principal mappings, and introduce it on all objects which we want to assign security restrictions on.
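
Added example, not written by any poster and not Gabriel, JAAS or jGuard code: the scheme described earlier in the thread (roles as aggregations of permissions, assigned to principals per object and inherited down a tree) applied to the forum-post ownership case raised above. The class, role and principal names are hypothetical, and it uses plain Java rather than an AOP aspect.

```java
import java.util.*;

// Added illustration; every name here is hypothetical (not Gabriel, JAAS or jGuard API).
public class ObjectRoleAcl {
    // A role is a named aggregation of permissions.
    static final Map<String, Set<String>> ROLES = new HashMap<>();

    // Protected object in a tree; assignments on a node are inherited by its descendants.
    static class Node {
        final Node parent;
        final Map<String, Set<String>> rolesByPrincipal = new HashMap<>();
        Node(Node parent) { this.parent = parent; }
        void assign(String principal, String role) {
            rolesByPrincipal.computeIfAbsent(principal, k -> new HashSet<>()).add(role);
        }
    }

    // Walk from the object up to the root: access is granted if any of the caller's
    // principals holds, on any node along the way, a role containing the permission.
    static boolean isAllowed(Set<String> principals, Node object, String permission) {
        for (Node n = object; n != null; n = n.parent)
            for (String p : principals)
                for (String role : n.rolesByPrincipal.getOrDefault(p, Collections.emptySet()))
                    if (ROLES.getOrDefault(role, Collections.emptySet()).contains(permission))
                        return true;
        return false; // default deny
    }

    static Set<String> set(String... items) { return new HashSet<>(Arrays.asList(items)); }

    public static void main(String[] args) {
        ROLES.put("Moderator", set("read", "update", "delete"));
        ROLES.put("Owner", set("read", "update"));
        ROLES.put("Reader", set("read"));
        Node forum = new Node(null);
        Node post = new Node(forum);
        forum.assign("group:moderators", "Moderator"); // inherited by every post
        forum.assign("group:users", "Reader");
        post.assign("user:alice", "Owner"); // done when alice creates the post
        Set<String> alice = set("user:alice", "group:users");
        Set<String> bob = set("user:bob", "group:users");
        Set<String> carol = set("user:carol", "group:moderators");
        System.out.println("alice update: " + isAllowed(alice, post, "update"));
        System.out.println("bob update:   " + isAllowed(bob, post, "update"));
        System.out.println("carol delete: " + isAllowed(carol, post, "delete"));
        ROLES.get("Reader").add("reply"); // one role edit reaches every assignee
        System.out.println("bob reply:    " + isAllowed(bob, post, "reply"));
    }
}
```

The ownership rule is an ordinary role assignment on one object, so the check stays independent of the data access layer and no per-table owner query is needed.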
  11. How can you extend JAAS to support instance-based authorization?
    Extend JAAS for class instance-level authorization

    http://www-106.ibm.com/developerworks/java/library/j-jaas/
  12. Hi!

    Indeed this is a very good article. Sean, you always have resources handy. A warning for those wanting to extend JAAS to implement instance-based authorization: this solution implies the implementation of a new policy file, but this new policy file affects the entire instance of the JVM, so implementing some kind of authorization in a web application would affect all the other web modules inside the same instance of the app server. I have not investigated this further. Has anyone else implemented this kind of solution? What are your experiences?

    Cheers

    Javier
  13. What you state is true. I did implement my own Policy, and one of the things I needed to address is continued support for Sun's Policy (sun.security.provider.PolicyFile) implementation. What I did was to encapsulate PolicyFile in my own Policy implementation. And invocations to codebases other than the one I needed to secure, I delegated to PolicyFile. I haven't done any rigorous testing on the solution, but it does seem to work for the obvious use cases. I used Catalina to experiment since it comes with a "simple" pattern to solve authentication and authorization. Look at the org.apache.catalina and org.apache.catalina.realm packages if you want to experiment. The developerWorks article on instance-based permission was my starting point to this whole exercise. I also spent a lot of time looking at Sun's policy file implementation as well.

    Cheers
  14. Hi!
    This solution is implemented in the project called jGuard (http://sourceforge.net/projects/jguard).

    jGuard is based on JAAS, and permits its use in a web application (for authentication AND authorization management).

    It provides a policy implementation dedicated to jGuard permissions, and wraps the vendor JVM policy implementation for other permissions.

    The current release is v0.52, and the upcoming release (v0.60) will add some convenient API to handle permissions, Principals, and Subjects (persisted in a database at first) without coding SQL statements.
    These operations can be made dynamically, on the fly.

    Any contributors are welcome on the jGuard project.

    Cheers,

    Charles.
  15. Gabriel?

    As far as I remember, no matter what your credentials are, there is no way past Gabriel back into paradise... I am not sure that this is not a little bit too restrictive for your average security framework...

    Keep up the good work, Karl
  16. OSAccess

    About a year ago, I looked at the OSAccess library:

    http://www.opensymphony.com/osaccess/

    I decided not to use it because I didn't think there was a large community of users.