RMI SSL Selection Policy Configuration

An SSL RMI selection policy configuration is used to define the Java remote objects for which SSL security is recommended. This policy is consulted when one operates in the mode where SSL security is selectively applied to {@link com.sas.net.ssl.RMIConfiguration#SSL_SELECTION_MODE_SOME some} Java remote objects.

Default Selection Policy

A default selection policy file, packaged in the sas.core.net.jar, provides the policy to selectively secure only those classes for which security is recommended. This non-editable file provides the default selection policy.

Customizing the Selection Policy

If an application needs to customize the default selection policy, then it may either designate a custom selection policy configuration or use the {@link com.sas.net.ssl.RMIConfiguration#updateSelectionPolicy(java.util.Properties)} API to update the currently defined selection policy. Refer to SSLRMIConfiguration properties
Property | Description
{@link com.sas.net.ssl.RMIConfiguration#SSL_SELECTION_MODE_SOME} | Specify an SSL RMI configuration mode whereby SSL will be applied to some Java remote objects based upon the defined selection policy
{@link com.sas.net.ssl.RMIConfiguration#SSL_SELECTION_SELECTION_CONFIG_FILE} | Specify this property if the application is providing its own customized selection policy configuration file

Properties Configuration Syntax

A selection configuration is defined by name/value pairs which designate the recommended security policy for Java remote objects. The property name represents a fully-qualified Java class or package name while its associated value will be either true if SSL security is recommended or false otherwise.

Notes:

Sample

Consider the following sample. Classes residing in package "com.sas" or below should not be secured unless an explicit statement is provided for a particular package or class. In this example, an explicit statement is provided for the Authentication Service stating that it should be secured. This setting would override the more general entries for its ancestor packages "com.sas.services" and "com.sas". The entry "com.sas.services.security=true" means that all classes in the "com.sas.services.user" package and its descendant packages will be secured unless explicitly specified otherwise. The best practice recommendation is to designate a preference for the root package in your name space and an explicit entry for each item for which security is recommended. Those remote object classes for which security is not recommended should be omitted from the selection configuration if the root package in your name space hierarchy is set to "false".

com.sas=false
com.sas.services=false
com.sas.services.user.UserContext=true
com.sas.services.security=true
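
The precedence rule described above, as an added Java example (not SAS code, and not a statement of how the library itself resolves the policy): it loads the sample entries, rejects any value other than true or false, and looks up a class by walking from its fully-qualified name up through its ancestor packages. The class and method names, the class names marked hypothetical, and the fallback used when no entry matches are assumptions.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

public class SelectionPolicyCheck {
    // Constructed sample mirroring the entries shown on this page.
    static final String SAMPLE = String.join("\n",
        "com.sas=false",
        "com.sas.services=false",
        "com.sas.services.user.UserContext=true",
        "com.sas.services.security=true");

    /** Rejects any value that is not exactly "true" or "false" (for example "false;"). */
    static void validate(Properties policy) {
        for (String name : policy.stringPropertyNames()) {
            String v = policy.getProperty(name).trim();
            if (!v.equals("true") && !v.equals("false")) {
                throw new IllegalArgumentException("Bad value for " + name + ": " + v);
            }
        }
    }

    /** Most specific entry wins: try the class name, then each ancestor package. */
    static boolean sslRecommended(Properties policy, String className, boolean fallback) {
        String key = className;
        while (true) {
            String v = policy.getProperty(key);
            if (v != null) return Boolean.parseBoolean(v.trim());
            int dot = key.lastIndexOf('.');
            if (dot < 0) return fallback; // assumption: caller decides when nothing matches
            key = key.substring(0, dot);
        }
    }

    public static void main(String[] args) throws IOException {
        Properties policy = new Properties();
        policy.load(new StringReader(SAMPLE));
        validate(policy);
        String[] classes = {
            "com.sas.services.user.UserContext",   // explicit class entry
            "com.sas.services.security.Example",   // hypothetical class name
            "com.sas.services.user.Example",       // hypothetical class name
            "org.example.Remote" };                // hypothetical, outside the name space
        for (String c : classes) {
            System.out.println(c + " -> " + sslRecommended(policy, c, false));
        }
    }
}
```

Running the validation step before deployment catches entries whose value would otherwise be read as something other than the intended true or false.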

  1. default - use a non-editable selective control file packaged in sas.svc.core.jar
  2. custom - use a selective control file specified by the user