Chapter 5. Access Control

Access control mechanisms that specify and enforce rules about who can access what form the basis for protecting and sharing resources among users of a multi-user system. To understand the basic idea behind access control, think of multi-user operating systems such as the different flavors of UNIX, Linux, and newer versions of MS Windows. These systems store user data in files. A user can keep a particular file entirely to himself or herself, or share it with others in read-only or read-write mode. The operating system enforces the access control rules based on permissions associated with the files. Internally, the UNIX family and Windows take substantially different approaches to the same problem. Under UNIX and Linux systems, the file access control mechanism can be summarized (with some loss of precision) as follows: a file has an owner and a group, and the access rights (read, write or execute) can be specified separately for the owner, for group members and for everyone else. Windows NT and Windows 2000 have a more expressive, but somewhat complex, mechanism to specify similar access rights.
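The UNIX summary above leaves out one detail that matters in practice: the kernel picks exactly one permission class for a process (owner if the uids match, otherwise group if the file's group is among the process's groups, otherwise other) and consults only that class's bits. The following added example, written for this page rather than taken from the book, models that decision in Python; the `FileAttrs` and `Credentials` types and the demo principals are constructed stand-ins, and the superuser override and ACLs are deliberately omitted, as in the chapter's own simplification.

```python
from dataclasses import dataclass

# Requested access uses the same bit values as the mode field.
READ, WRITE, EXEC = 4, 2, 1


@dataclass(frozen=True)
class FileAttrs:
    """Constructed stand-in for the ownership and mode bits stored with a file."""
    owner_uid: int
    group_gid: int
    mode: int  # nine permission bits, e.g. 0o640 == rw-r-----


@dataclass(frozen=True)
class Credentials:
    """Constructed stand-in for the identity a process runs under."""
    uid: int
    gids: frozenset  # primary plus supplementary group ids


def permission_class(attrs: FileAttrs, cred: Credentials) -> str:
    """Pick the single class whose bits apply: owner, else group, else other.

    The classes are tested in this fixed order and exactly one is used, so an
    owner never falls back to the group or other bits even when those are
    more generous than the owner bits.
    """
    if cred.uid == attrs.owner_uid:
        return "owner"
    if attrs.group_gid in cred.gids:
        return "group"
    return "other"


def allowed(attrs: FileAttrs, cred: Credentials, requested: int) -> bool:
    """True if every requested bit is set in the applicable class's bits.

    Simplifications, matching the chapter's summary: no superuser override,
    no directory search semantics, no ACLs.
    """
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(attrs, cred)]
    granted = (attrs.mode >> shift) & 0o7
    return requested & granted == requested


def demo() -> dict:
    """Exercise the rules against a constructed file and three principals."""
    report = FileAttrs(owner_uid=1000, group_gid=100, mode=0o640)  # rw-r-----
    alice = Credentials(uid=1000, gids=frozenset({100}))           # owner
    bob = Credentials(uid=1001, gids=frozenset({100}))             # group member
    mallory = Credentials(uid=1002, gids=frozenset({200}))         # other
    # The owner class applies even when it grants nothing and "other" has rwx.
    locked_out = FileAttrs(owner_uid=1000, group_gid=100, mode=0o077)
    return {
        "owner_rw": allowed(report, alice, READ | WRITE),
        "owner_x": allowed(report, alice, EXEC),
        "group_r": allowed(report, bob, READ),
        "group_w": allowed(report, bob, WRITE),
        "other_r": allowed(report, mallory, READ),
        "owner_locked_out": allowed(locked_out, alice, READ),
        "other_on_locked_out": allowed(locked_out, mallory, READ | WRITE | EXEC),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {'allowed' if verdict else 'denied'}")
```

The `locked_out` case is the one worth remembering when auditing a mode such as `0o077`: the owner is denied even though every other user is granted full access, because class selection happens before the bits are examined.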

Though the topic of access control often comes up in the context of operating systems, it is important to keep in mind that other multi-user systems have a legitimate need for such mechanisms as well. Middleware systems such as RDBMSs (Relational Database Management Systems), transaction management systems, enterprise messaging systems, Web servers, and so on, need to provide restricted access to the resources under their control. Similarly, multi-user enterprise applications, built on top of operating systems and middleware, employ access control mechanisms to protect data and to ensure the correct operation and integrity of the system.

In some scenarios, especially when you run programs downloaded from the Internet, there is a need to control access based not only on who is running the program but also on where the code came from. You certainly don't want a game downloaded from some website to read the financial data stored on your hard disk. At the same time, you may not mind sharing the same data files with a program downloaded from your bank's website as an aid to preparing tax filings. Although not very common in most computing environments, such a code-centric view of access control was the driving force behind Java's security model during the initial years of its evolution.

The field of access control technology is well researched and a wealth of knowledge exists. In keeping with the main focus of this book as a practitioner's tool, we skip the theoretical discussion and simply go over some of the practical aspects of access control technology.

  • The concept of a user is central to controlled access. Programs running on behalf of certain users are allowed access to specific system resources such as files, devices, disk space, network bandwidth, database tables and so on. This kind of user-based access control depends on successful user authentication. This process involves the user claiming an identity and the system verifying this identity claim.

  • It makes sense for an execution environment for mobile code, such as the JVM, to control access to certain resources based on particulars of the code: where it came from (the download URL) and/or who signed it.

  • What resources and operations a particular system puts under access control depends upon the nature and specific requirements of the system. For example, an operating system controls read, write and execute access to files; an RDBMS controls create, alter, insert, and select access to database tables; a messaging system controls create, write, read, and destroy access to message queues; a store-front Web application controls access to shopping carts; and so on.

  • Access control abstractions and mechanisms offered by an operating system or middleware tend to be much more complex than those in end applications. This is primarily because an operating system or middleware must support many different applications that rely on these mechanisms.

  • Access control mechanisms offered by a piece of software operate within the confines of those provided by the underlying platform. For example, an RDBMS may enforce access rules on tables for its users but has no control over the access rights of the operating system users on the files that store the tables.
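The second bullet describes access decisions keyed on the code's origin and signer rather than on the user. The following added example, written for this page and not taken from the book or from the Java platform's own policy implementation, models that idea in Python using the chapter's scenario: a downloaded game is denied the finance folder, while the bank's signed tax helper is allowed to read it. The `Grant` and `CodeSource` types, the codebase-prefix convention (a pattern ending in `/` covers everything under it) and the `(type, target, action)` permission tuples are assumptions of this example, not the syntax of any real policy file.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# A permission is (resource type, target, action). A target ending in "/"
# covers everything under that path. Both conventions are assumptions of
# this example.
Permission = Tuple[str, str, str]


@dataclass(frozen=True)
class CodeSource:
    """Where the code was loaded from and who signed it (constructed model)."""
    location: str
    signers: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Grant:
    """One policy entry: permissions for code matching a codebase and signers."""
    codebase: Optional[str]        # exact URL, URL prefix ending in "/", or None = any
    signed_by: FrozenSet[str]      # every listed signer must be present; empty = none required
    permissions: FrozenSet[Permission]


def codebase_matches(pattern: Optional[str], location: str) -> bool:
    if pattern is None:
        return True
    if pattern.endswith("/"):
        return location.startswith(pattern)
    return location == pattern


def implies(granted: Permission, requested: Permission) -> bool:
    g_type, g_target, g_action = granted
    r_type, r_target, r_action = requested
    if g_type != r_type or g_action != r_action:
        return False
    if g_target.endswith("/"):
        return r_target.startswith(g_target)
    return g_target == r_target


def check(policy, source: CodeSource, requested: Permission) -> bool:
    """Allow only if some grant matches the origin and signers and implies the permission."""
    for grant in policy:
        if not codebase_matches(grant.codebase, source.location):
            continue
        # A grant that names signers is never satisfied by unsigned code,
        # even when the codebase URL matches.
        if not grant.signed_by <= source.signers:
            continue
        if any(implies(p, requested) for p in grant.permissions):
            return True
    return False


# Constructed policy for the chapter's scenario: the bank's signed tax helper
# may read the finance folder; any code may use a scratch area.
POLICY = (
    Grant(codebase="https://bank.example/tax/", signed_by=frozenset({"bank"}),
          permissions=frozenset({("file", "/home/alice/finance/", "read")})),
    Grant(codebase=None, signed_by=frozenset(),
          permissions=frozenset({("file", "/tmp/scratch/", "read"),
                                 ("file", "/tmp/scratch/", "write")})),
)

FINANCE_READ: Permission = ("file", "/home/alice/finance/2003.csv", "read")


def demo() -> dict:
    """Evaluate the constructed policy for three code sources."""
    game = CodeSource("https://games.example/puzzle.jar")
    bank_tool = CodeSource("https://bank.example/tax/helper.jar", frozenset({"bank"}))
    # Same URL as the bank tool but carrying no signature.
    lookalike = CodeSource("https://bank.example/tax/helper.jar")
    return {
        "game_reads_finance": check(POLICY, game, FINANCE_READ),
        "game_writes_scratch": check(POLICY, game, ("file", "/tmp/scratch/save.dat", "write")),
        "bank_tool_reads_finance": check(POLICY, bank_tool, FINANCE_READ),
        "bank_tool_writes_finance": check(POLICY, bank_tool, ("file", "/home/alice/finance/2003.csv", "write")),
        "unsigned_lookalike_reads_finance": check(POLICY, lookalike, FINANCE_READ),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:34} {'allowed' if verdict else 'denied'}")
```

The `lookalike` case shows why a grant should require a signer and not just a codebase: the URL a class was loaded from is only as trustworthy as the channel it arrived over, whereas a signature binds the grant to a key the deployer chose to trust.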

In a number of ways the Java platform is like middleware, sitting on top of the operating system and providing an execution environment and other services to applications. What are the specific access control requirements for such a middleware? We answer this shortly. To start with, let us take a quick tour of Java access control features.
