Security Manager

MRules provides a security manager out of the box, which controls the actions that rules can perform.

How it works

The overall concept is fairly simple. A central repository (com.massa.util.security.MRulesSecurityManagers) lets you register one or several security managers (implementing com.massa.util.security.IMRulesSecurityManager), in general one per module.

Security managers can be declared in two ways:

  • Programmatically, with the repository API.
  • Via the configuration (see the following sections for the syntax).

Goal

The goal is not to control what the developer can or cannot do: that is not the role of the MRules solution. Rather, it is to give the developer a way to manage what can be done with the rule engine.

For instance, it is inconceivable that a user could configure a ruleset to call “System.exit()”.

Default configuration

Data access layer

Natively, if invoked with access control, the data access layer forbids the following static accesses:

  • System.exit
  • Runtime.*
  • MRulesSecurityManagers.*

Rule engine

Natively, the rule engine invokes the data access layer with access control.

Also, system calls (via the “EXEC” action addon) are forbidden.

Override default configuration

Via global configuration

To override the default configuration, you can declare a new Security Manager in the “mrules-utils.xml” file. This file must have a higher priority than the default configuration file, whose priority is “1”.

Example to override the property access layer configuration, in order to add a new forbidden static access:

<?xml version="1.0" encoding="UTF-8" standalone='no' ?>
<!DOCTYPE mrulesconfig SYSTEM "mrules-utils.dtd">
<mrulesconfig priority="2">
  <securityManager class="com.massa.util.security.MRulesUtilsSecurityManager">    
    <prohibitedStaticAccesses>System.exit</prohibitedStaticAccesses>
    <prohibitedStaticAccesses>Runtime.*</prohibitedStaticAccesses>
    <prohibitedStaticAccesses>MRulesSecurityManagers.*</prohibitedStaticAccesses>
    <prohibitedStaticAccesses>MyForbiddenClass.*</prohibitedStaticAccesses>
  </securityManager>
</mrulesconfig>

Example to override the rule engine configuration, in order to authorize system calls:

<?xml version="1.0" encoding="UTF-8" standalone='no' ?>
<!DOCTYPE mrulesconfig SYSTEM "mrules-utils.dtd">
<mrulesconfig priority="2">
  <securityManager class="com.massa.mrules.security.MRulesBreSecurityManager">
    <authorizeSystemCalls>true</authorizeSystemCalls>
  </securityManager>
</mrulesconfig>
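
A review check for override files like the two above, as an added example that is not part of MRules or of the original page. It assumes that an overriding declaration replaces the default prohibition list rather than extending it (the page's example repeats the defaults); the function name and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults the page lists for the data access layer, and the default file's priority.
DEFAULT_PROHIBITED = {"System.exit", "Runtime.*", "MRulesSecurityManagers.*"}
DEFAULT_PRIORITY = 1

def audit_config(xml_bytes):
    """Return review findings for one mrules-utils.xml override document."""
    findings = []
    root = ET.fromstring(xml_bytes)  # this parser does not fetch the external DTD
    priority = root.get("priority", "")
    if not priority.isdigit() or int(priority) <= DEFAULT_PRIORITY:
        findings.append(f"priority '{priority}' is not higher than {DEFAULT_PRIORITY}")
    for manager in root.iter("securityManager"):
        name = manager.get("class", "").rsplit(".", 1)[-1]
        if name == "MRulesUtilsSecurityManager":
            # Assumption: an override replaces the default list, so each default
            # must be repeated. Patterns are compared literally, not expanded.
            declared = {(e.text or "").strip() for e in manager.findall("prohibitedStaticAccesses")}
            for missing in sorted(DEFAULT_PROHIBITED - declared):
                findings.append(f"{name}: default prohibition '{missing}' missing")
        elif name == "MRulesBreSecurityManager":
            if (manager.findtext("authorizeSystemCalls") or "").strip().lower() == "true":
                findings.append(f"{name}: system calls (EXEC action addon) authorized")
    return findings

HEADER = b'<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE mrulesconfig SYSTEM "mrules-utils.dtd">\n'
# Constructed sample: the page's first override, defaults kept plus one addition.
GOOD = HEADER + b"""<mrulesconfig priority="2">
  <securityManager class="com.massa.util.security.MRulesUtilsSecurityManager">
    <prohibitedStaticAccesses>System.exit</prohibitedStaticAccesses>
    <prohibitedStaticAccesses>Runtime.*</prohibitedStaticAccesses>
    <prohibitedStaticAccesses>MRulesSecurityManagers.*</prohibitedStaticAccesses>
    <prohibitedStaticAccesses>MyForbiddenClass.*</prohibitedStaticAccesses>
  </securityManager>
</mrulesconfig>"""
# Constructed sample: drops two defaults and enables system calls at priority 1.
WEAK = HEADER + b"""<mrulesconfig priority="1">
  <securityManager class="com.massa.util.security.MRulesUtilsSecurityManager">
    <prohibitedStaticAccesses>System.exit</prohibitedStaticAccesses>
  </securityManager>
  <securityManager class="com.massa.mrules.security.MRulesBreSecurityManager">
    <authorizeSystemCalls>true</authorizeSystemCalls>
  </securityManager>
</mrulesconfig>"""

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_config(doc))
```

Run against each override file in a deployment, an empty list means the file keeps the documented defaults and does not authorize system calls.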

Programmatically

Create a new instance of com.massa.util.security.MRulesUtilsSecurityManager or com.massa.mrules.security.MRulesBreSecurityManager, then use the com.massa.util.security.MRulesSecurityManagers API to register it in the global repository.

For a given execution

It’s possible to override security managers for a given execution. This can only be done programmatically.

The method “getSecurityManager” of the compilation / execution context must be overridden.