Feedback |
This tutorial expands the program and policy file developed in the JAAS Authentication tutorial to demonstrate the JAAS authorization component, which ensures the authenticated caller has the access control rights (permissions) required to do subsequent security-sensitive operations. Since the authorization component requires that the user authentication first be completed, please read the JAAS Authentication tutorial first if you have not already done so.
The rest of this tutorial consists of the following sections:
If you want to first see the tutorial code in action, you can skip
directly to Running the Authorization Tutorial Code
and then go back to the other sections to learn more.
What is JAAS Authorization?
JAAS authorization extends the existing Java security architecture that uses a security policy to specify what access rights are granted to executing code. That architecture, introduced in the Java 2 platform, is code-centric. That is, the permissions are granted based on code characteristics: where the code is coming from and whether it is digitally signed and if so by whom. We saw an example of this in the
jaasacn.policy
file used in the JAAS Authentication tutorial. That file contains the following:grant codebase "file:./JaasAcn.jar" { permission javax.security.auth.AuthPermission "createLoginContext.JaasSample"; };This grants the code in the
JaasAcn.jar
file, located in the current directory, the specified permission. (No signer is specified, so it doesn't matter whether the code is signed or not.)JAAS authorization augments the existing code-centric access controls with new user-centric access controls. Permissions can be granted based not just on what code is running but also on who is running it.
When an application uses JAAS authentication to authenticate the user (or other entity such as a service), a Subject is created as a result. The purpose of the Subject is to represent the authenticated user. A Subject is comprised of a set of Principals, where each Principal represents an identity for that user. For example, a Subject could have a name Principal ("Susan Smith") and a Social Security Number Principal ("987-65-4321"), thereby distinguishing this Subject from other Subjects.
Permissions can be granted in the policy to specific Principals. After the user has been authenticated, the application can associate the Subject with the current access control context. For each subsequent security-checked operation, (a local file access, for example), the Java runtime will automatically determine whether the policy grants the required permission only to a specific Principal and if so, the operation will be allowed only if the Subject associated with the access control context contains the designated Principal.
To make JAAS authorization take place, the following is required:
- The user must be authenticated, as described in the JAAS Authentication tutorial.
- Principal-based entries must be configured in the security policy.
- The Subject that is the result of authentication must be associated with the current access control context.
How Do You Make Principal-Based Policy File Statements?
Policy file
grant
statements can now optionally include one or more Principal fields. Inclusion of a Principal field indicates that the user or other entity represented by the specified Principal, executing the specified code, has the designated permissions.Thus, the basic format of a
grant
statement is nowwhere each of the signer, codeBase and Principal fields is optional and the order between the fields doesn't matter.grant <signer(s) field>, <codeBase URL> <Principal field(s)> { permission perm_class_name "target_name", "action"; .... permission perm_class_name "target_name", "action"; };A Principal field looks like the following:
Principal Principal_class "principal_name"That is, it is the word "Principal" (where case doesn't matter) followed by the (fully qualified) name of a Principal class and a principal name.
A Principal class is a class that implements the java.security.Principal interface. All Principal objects have an associated name that can be obtained by calling their
getName
method. The format used for the name is dependent on each Principal implementation.The type of Principal placed in the Subject created by the Kerberos authentication mechanism used by this tutorial is
javax.security.auth.kerberos.KerberosPrincipal
, so that is what should be used as thePrincipal_class
part of ourgrant
statement's Principal designation. User names forKerberosPrincipal
s are of the form "name@realm". Thus, if the user name is "mjones" and the realm is "KRBNT-OPS.ABC.COM", the fullprincipal_name
designation to use in thegrant
statement is "mjones@KRBNT-OPS.ABC.COM".It is possible to include more than one Principal field in a
grant
statement. If multiple Principal fields are specified, then the permissions in thatgrant
statement are granted only if the Subject associated with the current access control context contains all of those Principals.To grant the same set of permissions to different Principals, create multiple
grant
statements where each lists the permissions and contains a single Principal field designating one of the Principals.The policy file for this tutorial includes one
grant
statement with a Principal field:where you substitute your Kerberos user name (complete with "@" and realm) for "grant codebase "file:./SampleAction.jar", Principal javax.security.auth.kerberos.KerberosPrincipal "your_user_name@your_realm" { permission java.util.PropertyPermission "java.home", "read"; permission java.util.PropertyPermission "user.home", "read"; permission java.io.FilePermission "foo.txt", "read"; };your_user_name@your_realm
".This specifies that the indicated permissions are granted to the specified principal executing the code in
SampleAction.jar
.How Do You Associate a Subject with an Access Control Context?
To create and associate a Subject with an access control context, you need the following:
- The user must first be authenticated, as described in JAAS Authentication.
- The static
doAs
method from the Subject class must be called, passing it an authenticated Subject and a java.security.PrivilegedAction or java.security.PrivilegedExceptionAction. (See API for Privileged Blocks for a comparison of PrivilegedAction and PrivilegedExceptionAction.) ThedoAs
method associates the provided Subject with the current access control context and then invokes therun
method from the action. Therun
method implementation contains all the code to be executed as the specified Subject. The action thus executes as the specified Subject.The static
doAsPrivileged
method from the Subject class may be called instead of thedoAs
method. In addition to the parameters passed todoAs
,doAsPrivileged
requires a third parameter: an AccessControlContext. UnlikedoAs
, which associates the provided Subject with the current access control context,doAsPrivileged
associates the Subject with the provided access control context. See doAs vs. doAsPrivileged in the JAAS Reference Guide for a comparison of those methods.
The code for this tutorial consists of two files:
- JaasAzn.java is exactly the same as the
JaasAcn.java
from the JAAS Authentication tutorial except for the additional code needed to callSubject.doAsPrivileged
.
- SampleAction.java contains the SampleAction class. This class implements PrivilegedAction and has a
run
method that contains all the code we want to be executed with Principal-based authorization checks.JaasAzn.java
JaasAzn.java is exactly the same as the
JaasAcn.java
code used in the previous tutorial except with three statements added at the end of themain
method, after the authentication is done. These statements result in (1) association of a Subject representing the authenticated user with the current access control context and (2) execution of the code in therun
method of SampleAction. Associating the Subject with the access control context enables security-sensitive operations in the SampleActionrun
method (and any code it invokes directly or indirectly) to be executed if a Principal representing the authenticated user is granted the required permissions in the current policy.Like
JaasAcn.java
,JaasAzn.java
instantiates a LoginContextlc
and calls itslogin
method to perform the authentication. If successful, the authenticated Subject (which includes a Principal representing the user) is obtained by calling the LoginContext'sgetSubject
method:Subject mySubject = lc.getSubject();The
main
method then callsSubject.doAsPrivileged
, passing it the authenticated SubjectmySubject
, a PrivilegedAction (SampleAction) and anull
AccessControlContext, as described in the following.The SampleAction class is instantiated via the following:
PrivilegedAction action = new SampleAction();The call to
Subject.doAsPrivileged
is performed via:Subject.doAsPrivileged(mySubject, action, null);The
doAsPrivileged
method invokes execution of therun
method in the PrivilegedActionaction
(SampleAction) to initiate execution of the rest of the code, which is considered to be executed on behalf of the SubjectmySubject
.Passing
null
as the AccessControlContext (third) argument todoAsPrivileged
indicates thatmySubject
should be associated with a new empty AccessControlContext. The result is that security checks occurring during execution of SampleAction will only require permissions for the SampleAction code itself (or other code it invokes), running asmySubject
. Note that the caller ofdoAsPrivileged
(and the callers on the execution stack at the timedoAsPrivileged
was called) do not require any permissions while the action executes.SampleAction.java
SampleAction.java contains the SampleAction class. This class implements
java.security.PrivilegedAction
and has arun
method that contains all the code we want to be executed as the SubjectmySubject
. For this tutorial, we will perform three operations, each of which cannot be done unless code has been granted required permissions. We will:
- Read and print the value of the
java.home
system property,
- Read and print the value of the
user.home
system property, and
- Determine whether or not a file named
foo.txt
exists in the current directory.Here is the code:
import java.io.File; import java.security.PrivilegedAction; public class SampleAction implements PrivilegedAction { public Object run() { System.out.println("\nYour java.home property value is: " + System.getProperty("java.home")); System.out.println("\nYour user.home property value is: " + System.getProperty("user.home")); File f = new File("foo.txt"); System.out.print("\nfoo.txt does "); if (!f.exists()) System.out.print("not "); System.out.println("exist in the current working directory."); return null; } }
The login configuration file used for this tutorial can be exactly the same as that used by the JAAS Authentication tutorial. Thus we can use jaas.conf, which contains just one entry:
JaasSample { com.sun.security.auth.module.Krb5LoginModule required; };This entry is named "JaasSample" and that is the name that both our tutorial applications
JaasAcn
andJaasAzn
use to refer to it. The entry specifies that the LoginModule to be used to do the user authentication is the Krb5LoginModule in thecom.sun.security.auth.module
package and that this Krb5LoginModule is required to "succeed" in order for authentication to be considered successful. The Krb5LoginModule succeeds only if the name and password supplied by the user are successfully used to log the user into the Kerberos KDC.
This authorization tutorial contains two classes,
JaasAzn
andSampleAction
. The code in each class contains some security-sensitive operations and thus relevant permissions are required in a policy file in order for the operations to be executed.Permissions Required by JaasAzn
The main method of the
JaasAzn
class does two operations for which permissions are required. It
- creates a LoginContext, and
- calls the
doAsPrivileged
static method of the Subject class.The LoginContext creation is exactly the same as was done in the authentication tutorial, and it thus needs the same
javax.security.auth.AuthPermission
permission with target "createLoginContext.JaasSample
".In order to call the
doAsPrivileged
method of the Subject class, you need to have ajavax.security.auth.AuthPermission
with target "doAsPrivileged
".Assuming the
JaasAzn
class is placed in a JAR file namedJaasAzn.jar
, these permissions can be granted to theJaasAzn
code via the followinggrant
statement in the policy file:grant codebase "file:./JaasAzn.jar" { permission javax.security.auth.AuthPermission "createLoginContext.JaasSample"; permission javax.security.auth.AuthPermission "doAsPrivileged"; };Permissions Required by SampleAction
The
SampleAction
code does three operations for which permissions are required. It
- reads the value of the "java.home" system property.
- reads the value of the "user.home" system property.
- checks to see whether or not a file named
foo.txt
exists in the current directory.The permissions required for these operations are the following:
permission java.util.PropertyPermission "java.home", "read"; permission java.util.PropertyPermission "user.home", "read"; permission java.io.FilePermission "foo.txt", "read";We need to grant these permissions to the code in
SampleAction.class
, which we will place in a JAR file namedSampleAction.jar
. However, for this particulargrant
statement we want to grant the permissions not just to the code but to a specific user executing the code, to demonstrate how to restrict access to a particular user.Thus, as explained in How Do You Make Principal-Based Policy File Statements?, our
grant
statement looks like the following:You substitute your Kerberos user name (complete with "@" and realm) for "grant codebase "file:./SampleAction.jar", Principal javax.security.auth.kerberos.KerberosPrincipal "your_user_name@your_realm" { permission java.util.PropertyPermission "java.home", "read"; permission java.util.PropertyPermission "user.home", "read"; permission java.io.FilePermission "foo.txt", "read"; };your_user_name@your_realm
". For example, if your user name is "mjones" and your realm is "KRBNT-OPERATIONS.ABC.COM", you would use "mjones@KRBNT-OPERATIONS.ABC.COM" (complete with the quotes).The Full Policy File
The full policy file is jaasazn.policy.
To execute our JAAS authorization tutorial code, all you have to do is
- Place the following files into a directory:
- The JaasAzn.java source file.
- The SampleAction.java source file.
- The jaas.conf login configuration file.
- The jaasazn.policy policy file.
- Replace "your_user_name@your_realm" in
jaasazn.policy
with your user name and realm.
- Compile
SampleAction.java
andJaasAzn.java
:javac SampleAction.java JaasAzn.java- Create a JAR file named
JaasAzn.jar
containingJaasAzn.class
:jar -cvf JaasAzn.jar JaasAzn.class- Create a JAR file named
SampleAction.jar
containingSampleAction.class
:jar -cvf SampleAction.jar SampleAction.class- Execute the
JaasAzn
application, specifying
- by an appropriate
-classpath
clause that classes should be searched for in theJaasAzn.jar
andSampleAction.jar
JAR files,
- by
-Djava.security.manager
that a security manager should be installed,
- by
-Djava.security.krb5.realm=<your_realm>
that your Kerberos realm is the one specified.
- by
-Djava.security.krb5.kdc=<your_kdc>
that your Kerberos KDC is the one specified.
- by
-Djava.security.policy=jaasazn.policy
that the policy file to be used isjaasazn.policy
, and
- by
-Djava.security.auth.login.config=jaas.conf
that the login configuration file to be used isjaas.conf
.Below are the full commands to use for both Win32 and Unix systems. The only difference is that on Win32 systems you use semicolons to separate classpath items, while you use colons for that purpose on Unix systems. Be sure to replace
<your_realm>
with your Kerberos realm, and<your_kdc>
with your Kerberos KDC.Here is the full command for Win32 systems:
java -classpath JaasAzn.jar;SampleAction.jar -Djava.security.manager -Djava.security.krb5.realm=<your_realm> -Djava.security.krb5.kdc=<your_kdc> -Djava.security.policy=jaasazn.policy -Djava.security.auth.login.config=jaas.conf JaasAznHere is the full command for UNIX systems:
java -classpath JaasAzn.jar:SampleAction.jar -Djava.security.manager -Djava.security.krb5.realm=<your_realm> -Djava.security.krb5.kdc=<your_kdc> -Djava.security.policy=jaasazn.policy -Djava.security.auth.login.config=jaas.conf JaasAznType the full command on one line. Multiple lines are used here for legibility. If the command is too long for your system, you may need to place it in a .bat file (for Win32) or a .sh file (for UNIX) and then run that file to execute the command.
You will be prompted for your Kerberos user name and password, and the underlying Kerberos authentication mechanism specified in the login configuration file will log you into Kerberos. If your login is successful, you will see the message "Authentication succeeded!" and if not, you will see "Authentication Failed."
For login troubleshooting suggestions, see Troubleshooting.
Once authentication is successfully completed, the rest of the program (in
SampleAction
) will be executed on behalf of you, the user, requiring you to have been granted appropriate permissions. Thejaasazn.policy
policy file grants you the required permissions, so you will see a display of the values of yourjava.home
anduser.home
system properties and a statement as to whether or not you have a file namedfoo.txt
in the current directory.
Feedback |