
JAAS

JAAS. Qingyang Liu and Lingbo Wang, CSCI 5931.01 Web Security, April 2, 2003. Topics: JAAS. JAAS stands for Java Authentication and Authorization Service. It grants permissions based on who is executing the code. JAAS uses Pluggable Authentication Modules (PAM) for authentication.





Presentation Transcript


  1. JAAS Qingyang Liu and Lingbo Wang CSCI 5931.01 Web Security April 2, 2003

  2. Topics • JAAS

  3. JAAS
  • JAAS stands for Java Authentication and Authorization Service. It grants permissions based on who is executing the code.
  • JAAS uses Pluggable Authentication Modules (PAM) for authentication.
  • Different modules can be plugged in, allowing the user to be authenticated against most PAM‑capable mechanisms.
  • JAAS will be integrated into J2EE (Java 2 Enterprise Edition) and JDK 1.4.

  4. JAAS Classes
  • JAAS defines the following packages:
    • javax.security.auth
    • javax.security.auth.callback
    • javax.security.auth.login
    • javax.security.auth.spi

  5. Important ones
  • javax.security.auth.Subject
  • javax.security.auth.spi.LoginModule
  • javax.security.auth.login.LoginContext
  • javax.security.auth.login.Configuration
  • javax.security.auth.callback.Callback
  • javax.security.auth.callback.CallbackHandler

  6. Subject
  • The Subject class represents a single entity using the system. A subject can possess one or more identities, each an instance of java.security.Principal. The method getPrincipals() returns a Set of those principals.
  • Subjects also contain a list of credentials (public and private). Credentials can be accessed via Subject.getPublicCredentials() and Subject.getPrivateCredentials(). Credentials are just objects; they don't inherit from a superclass or implement an interface.
  • Subjects represent who is running the currently executing code. The active subject can be fetched with the static method Subject.getSubject().

  7. LoginModule
  • LoginModule is an interface that must be implemented in order to provide authentication.
  • Multiple login modules can be used at a time, and JAAS will attempt to log in via each of them. JAAS can be configured to allow or deny logins based on which of those various attempts succeed.
  • LoginModule defines five methods, initialize(), login(), commit(), abort(), and logout(), to implement a two‑phase commit for authentication when using multiple authentication methods.

  8. LoginModule (cont.)
  • initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options): This method sets up the LoginModule to be used to attempt a login.
  • login(): This method checks the credentials of the subject passed in earlier. How this is done is implementation‑dependent.
  • commit(): If the necessary logins were successful, JAAS will call commit() on each login module.
  • abort(): If the necessary login modules failed, the abort() method is called instead.
  • logout(): This method logs out a subject.

  9. LoginContext
  • The login context is used to actually log in. The code performing the authentication instantiates a LoginContext, which then uses a Configuration to determine which login modules to use to authenticate a subject. The code attempting to authenticate then calls login() on the LoginContext.

  10. Configuration
  • Configuration is an abstract class that defines how a LoginContext and LoginModules should be used.
  • The main use of a configuration is to determine which login modules need to be called and how each one affects the outcome of the entire login process. There are four possibilities:
    • Required ‑ must succeed for the entire login to succeed. Even if it fails, the other login modules are still queried.
    • Requisite ‑ if it fails, the login process is short‑circuited and no more login modules are called.
    • Sufficient ‑ if this module succeeds and no required or requisite modules fail, the entire login succeeds.
    • Optional ‑ this module's success doesn't affect the remainder of the login process. If no sufficient, requisite, or required modules fail, the login succeeds, regardless of whether an optional module succeeds.

  11. Callback & CallbackHandler
  • The Callback interface contains no methods. It is simply there to tag classes that can be used to provide information from code attempting a login to the login module.
  • The CallbackHandler interface defines one method: handle(Callback[] callbacks). This method iterates through the callbacks provided and adds the requested information to each one.

  12. Authentication Example (code in the book, p. 247)
  • The handle() method
  • The getName() method
  • The PasswordLoginModule:
    • The initialize() method
    • The login() method
    • The commit() method
    • The abort() method
    • The logout() method
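The module side of the authentication example, as an added illustration written for this page and not the code from the book: a PrincipalImpl and a PasswordLoginModule that implement the five LoginModule methods from slides 7 and 8, with the jaas.config entry (slide 10's flag vocabulary, here `required`) shown as a comment. The in-memory user table holding testuser / sasquatch (the credentials used on slide 14), the entry name JAASSample, and the plaintext storage are constructed assumptions standing in for a real credential store; Map.of needs Java 9 or later.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// jaas.config (constructed for this example; the class name must be on the classpath):
//
//   JAASSample {
//       PasswordLoginModule required;
//   };

/** A Principal that carries only a name. equals/hashCode matter because Subject keeps principals in a Set. */
final class PrincipalImpl implements Principal {
    private final String name;
    PrincipalImpl(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) { return o instanceof PrincipalImpl && ((PrincipalImpl) o).name.equals(name); }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "Principal: " + name; }
}

/** Two-phase module: login() only decides; commit() is the step that actually changes the Subject. */
public class PasswordLoginModule implements LoginModule {
    // Constructed stand-in for a credential store (a real module would look up a hashed password).
    private static final Map<String, char[]> USERS = Map.of("testuser", "sasquatch".toCharArray());

    private Subject subject;
    private CallbackHandler handler;
    private String username;
    private boolean loginSucceeded;
    private PrincipalImpl principal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;   // the Subject the LoginContext created (or was given)
        this.handler = handler;   // the application's way of answering our callbacks
    }

    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("No CallbackHandler available");
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });   // ask the application for the credentials
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Callback failed: " + e.getMessage());
        }
        username = nameCb.getName();
        char[] supplied = passCb.getPassword();   // PasswordCallback hands back a copy
        passCb.clearPassword();
        char[] expected = USERS.get(username);
        boolean ok = expected != null && supplied != null && Arrays.equals(expected, supplied);
        if (supplied != null) Arrays.fill(supplied, '\0');   // don't leave the password lying around
        if (!ok) {
            username = null;
            throw new FailedLoginException("Bad username or password");   // same message for both cases
        }
        loginSucceeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!loginSucceeded) return false;         // our login failed; nothing to add
        principal = new PrincipalImpl(username);
        subject.getPrincipals().add(principal);    // phase two: the Subject is populated only here
        return true;
    }

    @Override
    public boolean abort() {
        if (!loginSucceeded) return false;         // nothing to undo
        if (principal != null) subject.getPrincipals().remove(principal);   // commit() ran, another module failed
        principal = null; username = null; loginSucceeded = false;
        return true;
    }

    @Override
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null; username = null; loginSucceeded = false;
        return true;
    }
}
```

The split between login() and commit() is what makes the `required` / `requisite` / `sufficient` / `optional` flags of slide 10 work: the LoginContext calls login() on every module first, decides from the flags whether the overall login passed, and only then calls either commit() or abort() on each module, so a Subject never ends up with principals from a login that failed overall.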

  13. Running the Example
  You should have the following files:
    • jaas.config
    • JAASSampleApp.java
    • PasswordLoginModule.java
    • PrincipalImpl.java
    • UsernamePasswordCallbackHandler.java
  Compile them with: C:\> javac *.java

  14. Running the Example
  • We need to specify the location of the config file to the VM when we actually execute the application, like so:
    C:\> java ‑Djava.security.auth.login.config==jaas.config JAASSampleApp testuser sasquatch
  • If all is successful, you should see your authenticated subject displayed like so:
    Subject:
    Principal: testuser
  • Otherwise, you will see the exception thrown.

  15. Authorization There are two types of authorization when using JAAS: declarative and programmatic. Just like in the servlet and EJB security models, we can define static configurations that allow and disallow access to resources, or we can write code that uses more sophisticated logic to determine how to dole out our resources based on who is running the code.

  16. Declarative Authorization
  • JAAS adds a new configuration directive to the policy file that defines permissions. We talked about the codeBase and the signedBy directives in Chapter 7, but now we're going to describe the Principal directive. This directive allows you to specify who must be running some code in order to have a certain permission. Here's a sample entry that you might use in a policy file:
    grant Principal PrincipalImpl "testuser" {
        permission java.io.FilePermission "c:\test\test.txt", "read,write";
    };
  • Declarative authorization is seldom actually used.

  17. Programmatic Authorization
  It can be valuable to determine who is running the current code. You can get the current subject by calling the static method getSubject() in the Subject class. This method requires an instance of java.security.AccessControlContext, which can be retrieved by using the method getContext() in java.security.AccessController. The code looks like:
    AccessControlContext context = AccessController.getContext();
    Subject subject = Subject.getSubject(context);
  The retrieved subject can then be checked for principals to see what action should be performed.

  18. Programmatic Authorization
  • To run code as a specific subject, we need to use the Subject.doAs() method, which takes a subject and a java.security.PrivilegedAction, and runs the action as the subject.
    ……
    // Now we're logged in, so we can get the current subject.
    Subject subject = loginContext.getSubject();
    // Perform the example action as the authenticated subject.
    Subject.doAs(subject, new ExampleAction());
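The application side of the example, as an added illustration written for this page rather than the book's JAASSampleApp: the handle() method of slide 11, the LoginContext of slide 9 driven with the command line of slide 14, and then Subject.getSubject(AccessController.getContext()) and Subject.doAs() from slides 17 and 18 doing a programmatic authorization check. The entry name JAASSample (assumed to exist in jaas.config and to name a LoginModule that adds a Principal for the user), the ExampleAction class body, and the rule "only a principal named testuser may read test.txt" are assumptions. Subject.getSubject and AccessController are deprecated in current JDKs along with the Security Manager, but they remain the API the slides describe.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** The handle() method: fills in whichever callbacks the login module asks for. */
final class UsernamePasswordCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;
    UsernamePasswordCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password;
    }
    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);   // the callback keeps its own copy
            } else {
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");   // refuse anything else
            }
        }
    }
}

/** Runs under doAs() and decides what to do from the principals of the Subject it was run as. */
final class ExampleAction implements PrivilegedAction<String> {
    @Override
    public String run() {
        AccessControlContext context = AccessController.getContext();   // carries the Subject inside doAs()
        Subject subject = Subject.getSubject(context);
        if (subject == null) return "denied: no subject bound to this context";
        for (Principal p : subject.getPrincipals()) {
            if ("testuser".equals(p.getName())) {            // assumed rule for this example
                return "allowed: " + p.getName() + " may read test.txt";
            }
        }
        return "denied: " + subject.getPrincipals();
    }
}

public class JAASSampleApp {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java -Djava.security.auth.login.config==jaas.config JAASSampleApp <user> <password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        LoginContext loginContext;
        try {
            // "JAASSample" selects the entry in jaas.config; the Configuration picks the modules from it.
            loginContext = new LoginContext("JAASSample", new UsernamePasswordCallbackHandler(args[0], password));
            loginContext.login();   // calls login() on every module, then commit() or abort() on each
        } catch (LoginException e) {
            System.err.println("Login failed: " + e.getMessage());
            System.exit(1);
            return;
        } finally {
            Arrays.fill(password, '\0');   // wipe the command-line copy once the modules have used it
        }
        Subject subject = loginContext.getSubject();
        System.out.println("Subject:");
        for (Principal p : subject.getPrincipals()) System.out.println("  " + p);
        // Perform the example action as the authenticated subject.
        String outcome = Subject.doAs(subject, new ExampleAction());
        System.out.println(outcome);
        try { loginContext.logout(); } catch (LoginException e) { System.err.println("Logout refused: " + e.getMessage()); }
    }
}
```

The action asks the AccessControlContext rather than taking the Subject as a constructor argument because that is the point of doAs(): any code called from run(), however deep, can recover the same Subject and make the same decision, and code running outside doAs() sees no Subject at all and is denied.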

  19. Bibliography
  [1] J. Garms and D. Somerfield. Professional Java Security. Wrox Press Ltd., 2001, pp. 244–258.
  [2] Scott Oaks. Java Security, 2nd ed. O'Reilly, 2001.
  [3] J. Jaworski et al. Java Security Handbook. Sams Publishing, 2000.
  [4] http://java.sun.com/ (Java Security)
  [5] http://java.sun.com/products/jaas
