TECH TIPS
TIPS, TECHNIQUES, AND SAMPLE CODE
Subject
Principal
Client and LoginContext
Configuration File
Provider
Java Policy File
JAAS Policy File
Subject
In JAAS, a subject is any identity in a system that you want to
authenticate and to which you want to assign permissions. For
example, a subject can be a human user, a machine, or a process.
Subjects are represented by the javax.security.auth.Subject class,
which holds the Principals assigned to the subject and, optionally,
its public and private credentials (for example passwords, keys, or
tickets).
Principal
Just as in the real world, a Subject can have relationships with
several different authorities. For example, you might have one
password and set of privileges at your bank, and a different
password and set of privileges for your voice mail. In this
example, the authorities are the bank and the voice mail system.
In JAAS, each of a Subject's relationships with an authority is
represented by an object whose class implements the
java.security.Principal interface. So a Principal is a named
identity within one authority's namespace, and a Subject's
principal set can hold several of them at once.
A Principal simply knows its name and provides sensible overrides
for the Object methods, as the following SimplePrincipal class
demonstrates. The equals and hashCode overrides matter: the policy
matches a Principal by class and name, and the Subject's principal
set uses them to decide whether two Principals are the same
identity.
Note: You'll use this class and other components in an
application that uses JAAS. Don't try to compile and use this
class individually. Instructions for building and running
the application are in the tip that follows this one, titled
"Using JAAS."
import java.security.Principal;

/**
 * A minimal Principal that carries only a name. equals() and
 * hashCode() are based on that name so the policy can match the
 * Principal by class and name, and so a Subject's principal set
 * treats two SimplePrincipals with the same name as one identity.
 */
public final class SimplePrincipal implements Principal {
    private final String name;

    public SimplePrincipal(String name) {
        if (name == null) {
            throw new IllegalArgumentException("Name cannot be null");
        }
        this.name = name;
    }

    public String getName() {
        return name;
    }

    public int hashCode() {
        return name.hashCode();
    }

    public String toString() {
        return "SimplePrincipal: " + name;
    }

    public boolean equals(Object obj) {
        if (obj == null) return false;
        if (!(obj instanceof SimplePrincipal)) return false;
        SimplePrincipal other = (SimplePrincipal) obj;
        return name.equals(other.getName());
    }
}
Client and LoginContext
In order to associate a Principal with a Subject, a client must
log in. JAAS provides a concrete class, LoginContext, that acts as
a session with a group of one or more authentication providers
(the LoginModules named by a configuration entry). The following
JAASClient class demonstrates using a LoginContext:
import java.security.PrivilegedAction;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class JAASClient {

    public static void main(String[] args) {
        try {
            loginAndDoSomething();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void loginAndDoSomething() throws Exception {
        // "SimpleLogin" names an entry in the login configuration file.
        LoginContext ctx = new LoginContext("SimpleLogin");
        // Runs the configured LoginModules; throws LoginException
        // if authentication fails.
        ctx.login();
        Subject subj = ctx.getSubject();
        try {
            System.out.println("Login assigned these principals: ");
            Iterator it = subj.getPrincipals().iterator();
            while (it.hasNext()) {
                System.out.println("\t" + it.next());
            }
            // Run the action with the Subject's Principals in the
            // access control context, so principal-based grants apply.
            Subject.doAs(subj, new PrivilegedAction() {
                public Object run() {
                    System.out.println("You live at "
                        + System.getProperty("user.home"));
                    return null;
                }
            });
        } finally {
            // Always log out, even if the privileged action failed.
            ctx.logout();
        }
    }
}
The LoginContext constructor prepares to authenticate against a
named configuration entry. In this case, the entry is named
SimpleLogin (more on this in a moment). The call to login then
causes the LoginContext to invoke the authentication providers
(LoginModules) listed in that entry. The call to getSubject returns
the Subject populated with whatever Principals the authenticators
chose to assign. The doAs method then runs the enclosed action with
that Subject's Principals in the access control context, so a
secured operation inside it succeeds only if the policy grants the
needed Permission to the executing code and to one of those
Principals. Note that permission checks such as the one inside
System.getProperty are made only when a security manager is
installed (-Djava.security.manager); without one, doAs still runs
the action but nothing is enforced.
The call to getPrincipals is for debugging; it prints the
Principals that login assigned to the Subject.
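The kind of grant that makes the doAs call above succeed, added here as an example rather than taken from the tip (the user name "alice" and the file path are assumptions; the tip's provider must add a SimplePrincipal with that name at commit time). It grants exactly the one permission the privileged action needs, instead of AllPermission:

```text
// conf/jaas.policy (path assumed). A principal-based grant: it applies
// when code runs under Subject.doAs with a Subject carrying
// SimplePrincipal "alice", whatever code base that code comes from.
grant Principal SimplePrincipal "alice" {
    permission java.util.PropertyPermission "user.home", "read";
};
```

With JAAS 1.0 on J2SE 1.3 this file is the separate JAAS policy, passed with -Djava.security.auth.policy=conf/jaas.policy; from J2SE 1.4 on, principal-based grants go in the ordinary policy file (-Djava.security.policy=). Either way the grant only has an effect when a security manager is installed, and a Subject whose principal set contains no matching SimplePrincipal gets an AccessControlException from System.getProperty.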
Configuration File
The LoginContext finds the named configuration entry in a login
configuration file that looks like this (you tell the JVM where
that file is with the java.security.auth.login.config system
property, for example -Djava.security.auth.login.config=conf/simple.conf):
//File conf/simple.conf
SimpleLogin {
SimpleLoginModule required;
};
This file tells the LoginContext to load a class named
SimpleLoginModule, which is a service provider (an implementation of
javax.security.auth.spi.LoginModule) for some authentication
strategy. The "required" flag means that this module must succeed
for the login as a whole to succeed; a required module that fails
does not stop the remaining modules from being invoked, it only
decides the overall result. The LoginContext allows multiple
authentication providers to be used in tandem, in which case
additional entries would appear inside the SimpleLogin block, one
per module, and the modules are invoked in the order listed.
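The same entry with a second module stacked behind the first, as an added example that is not part of the tip (AuditLoginModule is a hypothetical class name; the flag meanings are those defined by javax.security.auth.login.Configuration):

```text
// conf/simple.conf (added example; AuditLoginModule is hypothetical)
SimpleLogin {
    // required: must succeed, but the modules after it are still invoked
    SimpleLoginModule required;
    // optional: its result does not affect the outcome of the login;
    // "debug=true" reaches the module as a key in its options map
    AuditLoginModule optional debug=true;
};
```

The two other flags are requisite, which must succeed and, on failure, returns to the caller immediately without running the rest of the list, and sufficient, which is not required but, if it succeeds and no earlier required or requisite module has failed, ends the sequence at once. A login succeeds only if every required and requisite module succeeded; if the entry contains none of those, at least one sufficient or optional module must succeed. Because sufficient short-circuits the list, put a weak module marked sufficient ahead of a strong one only if you really mean to let it bypass the strong check.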
Provider
import java.io.*;
import java.util.*;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;
The example code shown above is quite simple. Here are some
other experiments you could try:
o A real authentication provider should not read from System.in or
write to System.err. The CallbackHandler interface is provided for
this purpose: the client passes a handler to the LoginContext
constructor, and the LoginModule asks that handler for a name and
password through NameCallback and PasswordCallback objects. Rewrite
the SimpleLoginModule to use a CallbackHandler provided by the
client.
o Providers do not actually need AllPermission. To discover the
permissions that are really needed, remove the AllPermission
entries from the JAASProvider.policy file. Then run the
application with the -Djava.security.debug=access,failure flag,
which prints each permission check that fails. When you see a
permission fail, grant just that permission in the policy file and
try again. Warning: This will take a while! But if you
investigate each permission as you go, you will gain an
intimate understanding of how JAAS works, and you will end up with
a policy that grants the provider only what it uses.
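A LoginModule that does what the first experiment asks, added here as an example and not the tip's own SimpleLoginModule (the class name CallbackLoginModule, and the single hard-coded user "alice" with password "s3cret", are constructed stand-ins for a real credential store; SimplePrincipal is the class from this tip). It shows the two-phase protocol the LoginContext drives: login() only authenticates, and the Principal is added to the Subject in commit(), after every module in the configuration entry has had its say.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example, not the tip's SimpleLoginModule. Credentials come from the
// client's CallbackHandler; the hard-coded user is a constructed stand-in.
public class CallbackLoginModule implements LoginModule {
    private static final String USER = "alice";                  // constructed
    private static final char[] SECRET = "s3cret".toCharArray(); // constructed

    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private SimplePrincipal principal;   // the Principal class from this tip
    private boolean loginSucceeded;
    private boolean commitSucceeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase 1: authenticate only. The Subject is not modified here.
    public boolean login() throws LoginException {
        if (handler == null) {
            throw new LoginException("no CallbackHandler supplied by the client");
        }
        NameCallback nameCb = new NameCallback("user name: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("handler cannot handle " + e.getCallback());
        }
        char[] entered = pwCb.getPassword();  // getPassword() returns a copy
        pwCb.clearPassword();                 // wipe the callback's own copy
        boolean ok = entered != null
            && USER.equals(nameCb.getName())
            && Arrays.equals(SECRET, entered);
        if (entered != null) {
            Arrays.fill(entered, ' ');        // do not leave the secret on the heap
        }
        if (!ok) {
            throw new FailedLoginException("bad user name or password");
        }
        userName = nameCb.getName();
        loginSucceeded = true;
        return true;
    }

    // Phase 2: called only when the overall login succeeded; attach the Principal.
    public boolean commit() throws LoginException {
        if (!loginSucceeded) return false;
        principal = new SimplePrincipal(userName);
        subject.getPrincipals().add(principal);   // Set semantics: no duplicates
        commitSucceeded = true;
        return true;
    }

    // Called instead of commit() when another module made the login fail.
    public boolean abort() throws LoginException {
        if (!loginSucceeded) return false;
        if (commitSucceeded) {
            logout();
        } else {
            userName = null;
            loginSucceeded = false;
        }
        return true;
    }

    public boolean logout() throws LoginException {
        if (principal != null) {
            subject.getPrincipals().remove(principal);
        }
        principal = null;
        userName = null;
        loginSucceeded = false;
        commitSucceeded = false;
        return true;
    }
}
```

To use it, list CallbackLoginModule required; in the SimpleLogin entry and construct the LoginContext with a handler, new LoginContext("SimpleLogin", handler), where the handler fills in the NameCallback and PasswordCallback from wherever the application obtains credentials. Keeping the password as a char[] that is compared with Arrays.equals and then wiped avoids an immutable String copy lingering on the heap; a production module would replace the constant with a lookup in a credential store and would hash, not store, the password.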
To learn more about JAAS 1.0, see the Java Authentication and
Authorization Service (JAAS) 1.0 page:
( http://java.sun.com/products/jaas/index-10.html ). Scroll down
on that page to the "More Info" section for several useful links.
The 1.4 version of Java 2 Platform, Standard Edition incorporates
JAAS. A beta version of J2SE(tm) version 1.4 is available for
download at http://java.sun.com/j2se/1.4/
. . . . . . . . . . . . . . . . . . . . . .
- ARCHIVES
You'll find the JDC Tech Tips archives at:
http://java.sun.com/jdc/TechTips/index.html
- COPYRIGHT
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
901 San Antonio Road, Palo Alto, California 94303 USA.
This document is protected by copyright. For more information, see:
http://java.sun.com/jdc/copyright.html