Java Business Rule Engine (BRMS)MRules provides out of the box a security manager, allowing to control actions which can be performed by rules.
How it works
The global concept is fairly simple. A central repository (com.massa.util.security.MRulesSecurityManagers) allows to register one or several security managers (implementing com.massa.util.security.IMRulesSecurityManager), in général one per module.
Security managers can be declared in two ways:
- Programmatically, with the repository API.
- Via the configuration, see next chapters for the syntax.
Goal
The goal is not to control what the developer can or cannot do: it’s not the role of the MRules solution. But, it is to provide to the developper a way to manage what it’s possible to do with the rule engine.
For instance, it’s inconceivable that a user can configure a ruleset to call “System.exit()”
Default configuration
Data access layer
Natively, if invoked with access control, the data access layer forbids the following static access:
- System.exit
- Runtime.*
- MRulesSecurityManagers.*
Rule engine
Natively, the rule engine invokes the data access layer with access control.
Also, system calls (via the “EXEC” action addon) are forbidden.
Override default configuration
Via global configuration
To override the default configuration, you can declare a new Security Manager in the “mrules-utils.xml” file. This file must have a priority superior to the default configuration file, which is “1”.
Example to override the property access layer configuration, in order to add a new forbidden static access:
<?xml version="1.0" encoding="UTF-8" standalone='no' ?>
<!DOCTYPE mrulesconfig SYSTEM "mrules-utils.dtd">
<mrulesconfig priority="2">
<securityManager class="com.massa.util.security.MRulesUtilsSecurityManager">
<prohibitedStaticAccesses>System.exit</prohibitedStaticAccesses>
<prohibitedStaticAccesses>Runtime.*</prohibitedStaticAccesses>
<prohibitedStaticAccesses>MRulesSecurityManagers.*</prohibitedStaticAccesses>
<prohibitedStaticAccesses>MyForbiddenClass.*</prohibitedStaticAccesses>
</securityManager>
</mrulesconfig>
Example to override the rule engine configuration, in order to authorize system calls:
<?xml version="1.0" encoding="UTF-8" standalone='no' ?>
<!DOCTYPE mrulesconfig SYSTEM "mrules-utils.dtd">
<mrulesconfig priority="2">
<securityManager class="com.massa.mrules.security.MRulesBreSecurityManager">
<authorizeSystemCalls>true</authorizeSystemCalls>
</securityManager>
</mrulesconfig>
Programmatically
Create a new instance of com.massa.util.security.MRulesUtilsSecurityManager or com.massa.mrules.security.MRulesBreSecurityManager, then use the com.massa.util.security.MRulesSecurityManagers API to register it in the globalrepository.
For a given execution
It’s possible to override security managers for a given execution. This can only be done programmatically.
The method “getSecurityManager” of the compilation / execution context must be overriden.
