A policy file syntax -- an extension to the Java 2 policy file -- looks like:
grant signedBy "alias", codeBase "URL",
principal principalClass "principalName",
principal principalClass "principalName",
... {
permission Type "name", "action",
signedBy "alias";
permission Type "name", "action",
signedBy "alias";
....
};
Here's an example entry:
grant codeBase "http://foo.com",
signedBy "foo",
principal com.sun.security.auth.NTPrincipal "admin" {
permission java.io.FilePermission "c:/user/admin", "read, write";
};
Notice that the policy file entries include a Principal entry, the basis for user-based authentication.
The JAAS classes and interfaces reside in the following packages:
javax.security.auth
javax.security.auth.callback
javax.security.auth.login
javax.security.auth.spi
The classes and interfaces can be categorized as:
Subject
Principal
Credential
LoginContext
LoginModule interface
Callback
CallbackHandler
Policy
AuthPermission
PrivateCredentialPermission
Let's examine a few of the important classes and interfaces in more detail.
A Subject may be any entity, such as a person or service. Once authenticated, a Subject is populated with associated identities, or Principals. A Subject may have many Principals. For example, a person may have a name Principal ("Jane Doe") and a Social Security Number Principal ("111-22-3333"), that distinguish it from other Subjects. The getPrincipals() method retrieves the Principals associated with a Subject. The static method doAs() in Subject achieves the effect of having an action run as the subject. Based on whether this action is authorized, the action completes successfully or generates an exception.
The LoginContext class provides the basic methods to authenticate Subjects and a way to develop an application independent of the underlying authentication technology using a configuration file (which we studied above). Actual authentication occurs with a call to the login() method.
Moving on, the LoginModule interface allows you to implement various authentication technologies that can be plugged under an application. Its important methods include:
login()
commit()
abort()
logout()
Next, the CallbackHandler communicates with the user to obtain authentication information using callbacks.
Finally, the abstract Policy class represents the system-wide JAAS access-control policy.
Having looked at the JAAS classes briefly, let's try to build a LoginModule.
To authenticate and authorize a Subject, these steps are performed:
1. The application instantiates a LoginContext.
2. The LoginContext consults a Configuration file, along the lines of the ones discussed above, to load the LoginModules configured for that application.
3. The application invokes the LoginContext's login() method.
4. The login() method invokes the loaded LoginModules. Each LoginModule attempts to authenticate the Subject. Upon success, the LoginModules associate relevant Principals and credentials with the Subject.
5. The LoginContext returns the authentication status to the application.
6. If authentication succeeded, the application retrieves the Subject from the LoginContext.
7. Once the application holds the authenticated Subject, fine-grained access controls can be placed upon that Subject by invoking the Subject.doAs() methods. The permissions granted to that Subject are configured in a JAAS policy.
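The seven steps above, carried through in one added example that is not the article's own listing: a minimal LoginModule that answers NameCallback/PasswordCallback, a programmatic Configuration standing in for the configuration file, and application code that logs in and runs an action with Subject.doAs(). The class names JaasDemo, DemoLoginModule and DemoPrincipal, the application name "Demo" and the user/password values are all constructed for this example; compile with javac and run with java.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasDemo {
    public static class DemoPrincipal implements Principal {   // identity attached to the Subject on commit
        private final String name; DemoPrincipal(String n) { name = n; } public String getName() { return name; }
    }
    // Minimal LoginModule: checks one constructed user/password; a real module would consult a user store.
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: "); PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("callback failed: " + e); }
            ok = "admin".equals(nc.getName()) && Arrays.equals("s3cret".toCharArray(), pc.getPassword());
            pc.clearPassword();                               // do not keep the secret around
            if (!ok) throw new FailedLoginException("bad user or password");
            user = nc.getName(); return true;
        }
        public boolean commit() { if (ok) subject.getPrincipals().add(new DemoPrincipal(user)); return ok; }
        public boolean abort()  { ok = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof DemoPrincipal); return true; }
    }
    public static void main(String[] args) throws LoginException {
        // Programmatic equivalent of the configuration file: application "Demo" uses one REQUIRED module (step 2).
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap()) };
            }
        });
        // Step 1: the CallbackHandler answers the module's callbacks with the constructed credentials (no prompt).
        LoginContext lc = new LoginContext("Demo", cbs -> {
            for (Callback c : cbs) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("admin");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("s3cret".toCharArray());
            }
        });
        lc.login(); Subject subject = lc.getSubject();        // steps 3 to 6: modules run, status comes back
        String who = Subject.doAs(subject, (PrivilegedAction<String>) () ->   // step 7: act as the Subject
            subject.getPrincipals().iterator().next().getName());
        System.out.println("action ran as " + who);
        lc.logout();
    }
}
```

With a JAAS policy in place, a grant entry naming DemoPrincipal "admin" would govern what the action inside doAs() is permitted to do; without one, the action simply runs with the caller's own permissions.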
The following code outline illustrates how application code uses the JAAS framework:
writeFileSSL.java source file, associated with this article, go to