



Protection Domains and Delegation

In Java (as of release 1.2), a protection domain is created for each CodeSource. SDM extends this notion to form PrincipalDomains based on CodeExecutors as well. A target (or intermediate) controls access to its methods based on protection domains, i.e., on a <PrincipalDomain, ProtectionDomain> pair. Access is then controlled via the permissions associated with the CodeExecutor and/or the CodeSource.

SDM delegation protocols are based on the notion that when a client delegates its rights to one object in a domain (i.e., when it enables delegation before invoking a target object), it effectively delegates its rights to all the objects in that domain. This is implemented via DelegationCertificates, which behave analogously to RoleCertificates. In particular, a DelegationCertificate passed to a delegate can only be used by the object it is issued for.

A set of security requirements is associated with each object. If an intermediate object needs delegation from the initiator, it specifies the delegation mode in its security requirements. Depending on the context (see Section 4), a delegation session may be established. If the target does not need to delegate actions further, no delegation certificate is generated by the client.

When a delegation session is initiated, information about the initiating principal (CodeExecutor) is associated with the invocation context. This is propagated through the underlying layer to the remote server (target), where the principal and CodeSource pair is associated with a protection domain. The target may grant access based on the identity of an individual or on the privileges it holds (based on its effective role during the invocation).
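As an added illustration (not code from the paper or from SDM), the following Python model shows the access decision described above: the target keys its policy on a (CodeExecutor, CodeSource) pair, and a valid DelegationCertificate substitutes the initiator's principal into the invocation context while the CodeSource stays the delegate's, so the delegated rights apply to that whole domain; a certificate presented by an object other than the one it was issued for is ignored. All class names, the sample policy and the code location are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed model of SDM-style access control (hypothetical names, not SDM's API).

@dataclass(frozen=True)
class CodeSource:
    location: str          # where the code was loaded from (Java 1.2 notion)

@dataclass(frozen=True)
class CodeExecutor:
    name: str              # the principal running the code

Domain = Tuple[CodeExecutor, CodeSource]   # <PrincipalDomain, ProtectionDomain> pair

@dataclass(frozen=True)
class DelegationCertificate:
    initiator: CodeExecutor
    issued_to: str         # identity of the single delegate object it is bound to

@dataclass(frozen=True)
class Invocation:
    caller_object: str     # identity of the object making the call
    executor: CodeExecutor # principal running that object
    code: CodeSource       # that object's CodeSource
    cert: Optional[DelegationCertificate] = None

class Target:
    def __init__(self, policy: Dict[Domain, FrozenSet[str]]) -> None:
        self.policy = policy   # methods granted per protection domain

    def effective_domain(self, inv: Invocation) -> Domain:
        """Principal carried in the invocation context, paired with the caller's CodeSource."""
        cert = inv.cert
        if cert is not None and cert.issued_to == inv.caller_object:
            # valid delegation: the initiator's principal propagates, but the
            # CodeSource stays the delegate's, so the rights apply to its domain
            return (cert.initiator, inv.code)
        # no certificate, or one presented by an object it was not issued for
        return (inv.executor, inv.code)

    def check_access(self, inv: Invocation, method: str) -> bool:
        return method in self.policy.get(self.effective_domain(inv), frozenset())

# Constructed sample policy: alice's principal may call "read" on service code.
ALICE = CodeExecutor("alice")
BOB = CodeExecutor("bob")
SERVICE_CODE = CodeSource("http://example.invalid/service.jar")
SERVICE = Target({(ALICE, SERVICE_CODE): frozenset({"read"})})
```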



Nataraj Nagaratnam
Mon Mar 16 18:02:57 EST 1998