JAAS in Java2 1.4+ - Authentication with security manager



Concept/intro

You should already have read the previous JAAS example and now be familiar with the most fundamental JAAS issues.

Anyway, the issue is JAAS authentication, preferably with a security manager to ensure that the code only performs specifically allowed operations. This imposes restrictions both on the client doing the logon and on the bytecode performing operations on behalf of the client.

JAAS example source code

The code run here comes from the authentication example and may be downloaded from this jaas_authentication.zip file.

Security manager policy definitions

By default the client runs without a security manager unless the JVM is started with -Djava.security.manager or the code has called System.setSecurityManager(new java.rmi.RMISecurityManager()); (or perhaps set another custom security manager).

Without a security manager, everything is allowed. You may obtain the same situation _with_ a security manager and a policy file looking something like:

Config part 1 NoSecurity.policy

grant codebase "file:topsecurity.jar" {
  permission javax.security.auth.AuthPermission "*";
};

Or, to narrow it down to the specific permissions needed in this example:

Config part 2 TopsecuritySecurity.policy

grant codebase "file:topsecurity.jar" {
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
};
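
To compare what the two policy files above grant, the following added example (not part of the original jaas_authentication.zip code) loads the same AuthPermission targets into a java.security.Permissions collection and probes them; it needs no security manager to run, and the login entry names Topsecurity and OtherApp are assumptions. AuthPermission treats the bare target "createLoginContext" as "createLoginContext.*", so the narrower policy still permits a LoginContext for any entry name.

```java
import java.security.Permission;
import java.security.Permissions;
import javax.security.auth.AuthPermission;

// Added example: compares the AuthPermission grants of the two policy files on this page.
public class AuthPolicyCompare {

    // Build the permission set that a grant block listing these AuthPermission targets yields.
    static Permissions grant(String... targets) {
        Permissions perms = new Permissions();
        for (String target : targets) {
            perms.add(new AuthPermission(target));
        }
        return perms;
    }

    public static void main(String[] args) {
        // Targets copied from NoSecurity.policy and TopsecuritySecurity.policy.
        Permissions noSecurity = grant("*");
        Permissions topsecurity = grant("createLoginContext", "modifyPrincipals");

        // Standard AuthPermission targets; "Topsecurity" and "OtherApp" are assumed entry names.
        String[] probes = {
            "createLoginContext.Topsecurity",
            "createLoginContext.OtherApp",
            "modifyPrincipals",
            "modifyPublicCredentials",
            "modifyPrivateCredentials",
            "doAs",
            "doAsPrivileged",
            "getSubject",
            "setLoginConfiguration",
        };

        System.out.printf("%-32s %-12s %s%n",
                "AuthPermission target", "NoSecurity", "TopsecuritySecurity");
        for (String name : probes) {
            Permission probe = new AuthPermission(name);
            System.out.printf("%-32s %-12b %b%n",
                    name, noSecurity.implies(probe), topsecurity.implies(probe));
        }
    }
}
```

To restrict the grant to a single login entry, name it explicitly in the policy file, for example "createLoginContext.Topsecurity" (assumed entry name).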


We may now run the sample in the following situations:

1) java -Djava.security.auth.login.config=TopsecurityLogin.conf -jar topsecurity.jar
   Running without a security manager; this only fails if the typed credential is incorrect.

2) java -Djava.security.manager -Djava.security.auth.login.config=TopsecurityLogin.conf -jar topsecurity.jar
   Running _with_ a security manager but without a policy file specified, in which case nothing is allowed, causing the process to fail before you even get a chance to enter a credential.

3) java -Djava.security.manager -Djava.security.auth.login.config=TopsecurityLogin.conf -Djava.security.policy=TopsecuritySecurity.policy -jar topsecurity.jar
   Finally running _with_ a security manager and _with_ a policy file.

4) java -Djava.security.manager -Djava.security.auth.login.config==TopsecurityLogin.conf -Djava.security.policy==TopsecuritySecurity.policy -jar topsecurity.jar
   Running _with_ a security manager and _with_ a policy file, AND overriding any default policy settings (there is no default manager to override in this example).

Conclusion: case 1 is bad practice (it shows you haven't completely understood J2EE security anyway), case 2 is defunct practice, and cases 3 and 4 are recommended practice.

Running the JAAS authentication example

In case 1), without any security manager at all:

[Image: Run successful]

In case 2), with a security manager but without any security policy file:

[Image: No security manager]

In case 3), with a security manager and with a security policy file:

[Image: Security manager without policy file]

In case 4), with a security manager and with a security policy file overriding the default security policy:

[Image: Security manager with policy file]

Conclusion

You need a security manager in order to use JAAS at a proper level of security. Using policy files utilizes the pluggable nature of JAAS. JAAS authentication is pluggable in the respect that another LoginModule may be specified in the policy file, and the client application code will then authenticate according to other security rules without code recompilation.

/www.topsecurity.dk (2004-1-20)

Resource: Sun JAAS tutorial article