JAZN, programmatic permission checks without SecurityManager
Hello All,
A question for people who are familiar with OC4J security configuration
(specifically the XML-based JAZN Security Provider).
I want to use java.security.AccessController.checkPermission() without a SecurityManager in OC4J.
Imagine we have a method Library.deleteUserAccount() that requires any caller to have LibraryAdministratorRole. So we put a simple check inside this method:
    void deleteUserAccount() {
        // Throws AccessControlException if the calling context lacks the permission
        AccessController.checkPermission(new LibraryAdminPermission());
        // ... code to delete account ...
    }
and use OC4J's admintool to define a policy that grants
LibraryAdminPermission to LibraryAdministratorRole
(system-jazn-data.xml).
Here is the problem: At runtime I know that the caller's context has the LibraryAdministratorRole principal (oracle.security logger), yet LibraryAdminPermission is denied.
I can see that Policy.getPolicy() in the same context returns Java's default policy provider, even if I specify oracle.security.jazn.spi.PolicyProvider in the JRE/lib/security/java.security file.
For certain reasons, I can't use the declarative security provided by EJB descriptors or run the server with a security manager installed. This scenario works under Orion and Tomcat.
Any ideas, please?
Best Regards,
Andy
Received on Wed Aug 30 2006 - 23:49:33 CDT
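
An added example, not part of the original post and not OC4J or JAZN code: a stand-alone sketch of the two things a principal-based AccessController.checkPermission() call depends on when no SecurityManager is installed, namely which Policy object is installed and whether the Subject's principals are bound to the access control context. RolePolicy, JaznCheckDemo and the body of LibraryAdminPermission are constructed stand-ins, and the code assumes a Java 8-era JDK, since these APIs were later deprecated for removal.

```java
import java.security.*;
import java.util.Collections;
import javax.security.auth.Subject;

public class JaznCheckDemo {
    // Stand-in for the post's permission class (its real definition is not shown there).
    static final class LibraryAdminPermission extends BasicPermission {
        LibraryAdminPermission() { super("libraryAdmin"); }
    }

    // Constructed policy playing the part of the role grant: LibraryAdminPermission is
    // implied only for a protection domain carrying the LibraryAdministratorRole principal.
    static final class RolePolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            if (!(permission instanceof LibraryAdminPermission)) return false;
            for (Principal p : domain.getPrincipals())
                if ("LibraryAdministratorRole".equals(p.getName())) return true;
            return false;
        }
    }

    // Same programmatic check as deleteUserAccount(), reported as a boolean.
    static boolean allowed() {
        try {
            AccessController.checkPermission(new LibraryAdminPermission());
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Diagnostic 1: which Policy implementation will answer the check?
        System.out.println("policy before: " + Policy.getPolicy().getClass().getName());
        Policy.setPolicy(new RolePolicy());
        System.out.println("policy after:  " + Policy.getPolicy().getClass().getName());

        Principal role = () -> "LibraryAdministratorRole"; // constructed principal
        Subject subject = new Subject(true, Collections.singleton(role),
                Collections.emptySet(), Collections.emptySet());

        // Diagnostic 2: the same check with and without the Subject bound to the context.
        System.out.println("no subject bound:      " + allowed());
        boolean inside = Subject.doAsPrivileged(subject,
                (PrivilegedAction<Boolean>) JaznCheckDemo::allowed, null);
        System.out.println("inside doAsPrivileged: " + inside);
    }
}
```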