JACC is the Java Authorization for Container Contracts specification. This allows one to externalize the implementation of the java.security.Policy class that is used to authorize the JACC defined permission. The JACC specification can be found here: Java Authorization Contract for Containers

The JBoss JACC Integration Service

org.jboss.security.jacc.SecurityService is the service which installs a java.security.Policy implementation that handles the JACC permission checks.

On startup this service looks to the JACC defined javax.security.jacc.policy.provider system property. If this is not specified, it defaults to org.jboss.security.jacc.DelegatingPolicy which is the JAAS based implementation described below.

The SecurityService also installs the javax.security.auth.Subject.container PolicyContextHandler key for the active Subject handler to provide access to the authenticated subject in the context of a call.

A minimal configuration for the SecurityService would be:

  <!-- JACC security manager and realm mapping -->
  <mbean code="org.jboss.security.jacc.SecurityService"
    name="jboss.security:service=JACCSecurityService" xmbean-dd="">
    <xmbean>
      <description>The JACC security Policy service</description>
      <operation>
        <description>The start lifecycle operation</description>
        <name>start</name>
      </operation>
      <operation>
        <description>The stop lifecycle operation</description>
        <name>stop</name>
      </operation>
    </xmbean>
  </mbean>

To actually incorporate this into the ejb and web containers requires

modifying the security layers of each. In the ejb container configurations,

the org.jboss.ejb.plugins.SecurityInterceptor needs to be replaced with the org.jboss.ejb.plugins.JaasAuthenticationInterceptor + org.jboss.ejb.plugins.JaccAuthorizationInterceptor pair as illustrated here:

 <container-configuration>
   <container-name>Standard Stateless SessionBean/JACC</container-name>
   <call-logging>false</call-logging>
   <invoker-proxy-binding-name>stateless-rmi-invoker</invoker-proxy-binding-name>
   <container-interceptors>
     <interceptor>org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor</interceptor>
     <interceptor>org.jboss.ejb.plugins.LogInterceptor</interceptor>
     <!-- Replaced the SecurityInterceptor with the JaasAuthenticationInterceptor
     JaccAuthorizationInterceptor pair
     -->
     <interceptor>org.jboss.ejb.plugins.JaasAuthenticationInterceptor</interceptor>
     <interceptor>org.jboss.ejb.plugins.JaccAuthorizationInterceptor</interceptor>
     <!-- CMT -->
     <interceptor transaction="Container">org.jboss.proxy.ejb.NoTxPropagationInterceptor</interceptor>
     <interceptor transaction="Container">org.jboss.ejb.plugins.TxInterceptorCMT</interceptor>
     <interceptor transaction="Container">org.jboss.ejb.plugins.CallValidationInterceptor</interceptor>
     <interceptor transaction="Container" metricsEnabled="true">org.jboss.ejb.plugins.MetricsInterceptor</interceptor>
     <interceptor transaction="Container">org.jboss.webservice.server.ServiceEndpointInterceptor</interceptor>
     <interceptor transaction="Container">org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor</interceptor>
     <!-- BMT -->
     <interceptor transaction="Bean">org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor</interceptor>
     <interceptor transaction="Bean">org.jboss.ejb.plugins.TxInterceptorBMT</interceptor>
     <interceptor transaction="Bean">org.jboss.ejb.plugins.CallValidationInterceptor</interceptor>
     <interceptor transaction="Bean" metricsEnabled="true">org.jboss.ejb.plugins.MetricsInterceptor</interceptor>
     <interceptor transaction="Bean">org.jboss.webservice.server.ServiceEndpointInterceptor</interceptor>
     <interceptor>org.jboss.resource.connectionmanager.CachedConnectionInterceptor</interceptor>
   </container-interceptors>
   <instance-pool>org.jboss.ejb.plugins.StatelessSessionInstancePool</instance-pool>
   <instance-cache></instance-cache>
   <persistence-manager></persistence-manager>
   <container-pool-conf>
     <MaximumSize>100</MaximumSize>
   </container-pool-conf>
 </container-configuration>

In the web container you need to edit the jbossweb-tomcat50.sar/server.xml and enable the JaccAuthorizationRealm over the default JBossSecurityMgrRealm as shown here:

<Server>
...
         <!-- The JAAS based authentication and authorization realm implementation
         that is compatible with the jboss 3.2.x realm implementation.
         <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"></Realm>
         -->
         <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
         behavior of JBossSecurityMgrRealm, but overrides the authorization
         checks to use JACC permissions with the current java.security.Policy
         to determine authorized access.
         -->
         <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"></Realm> 

The JAAS Based JACC Implementation

As of the 4.0.0 release, the default JACC implementation bundled with jboss is a mapping from the 3.2.x overloading of the JAAS authentication pattern which loads the user's declarative roles into the authenticated Subject. This is coupled to the default javax.security.jacc.PolicyConfigurationFactory.provider implementation class org.jboss.security.jacc.JBossPolicyConfigurationFactory. The complete set of classes making up the default JACC implementation include:

• org.jboss.security.jacc.DelegatingPolicy

• org.jboss.security.jacc.ContextPolicy

• org.jboss.security.jacc.JBossPolicyConfigurationFactory

• org.jboss.security.jacc.JBossPolicyConfiguration

A XACML based JACC Implementation

This does not currently exist. Its an alternate implementation.

Feature Request: JBAS-2673

Delegation to JACC providers for unsecured web resources

Starting jboss-4.0.4.GA, due to the feature request JBAS-2519, we can delegate to JACC provider for unsecured resources. JaccDelegationForUnsecuredWebResources

Bypass Authorization Checks in an external JACC Provider

Starting JBoss-4.2, due to feature request[JBAS-1824|http://jira.jboss.com/jira/browse/JBAS-1824], for role-name of  assigned to any security constraint in web.xml, the container generates a WebResourcePermission(uri,null). Based on this permission allocated to role name "", the policy provider may decide to bypass authorization.

Example: Test Policy http://anonsvn.jboss.org/repos/jbossas/branches/Branch_4_2/testsuite/src/main/org/jboss/test/jacc/test/allstarrole/AllStarRoleJaccPolicy.java