JAAS Qingyang Liu and Lingbo Wang CSCI 5931.01 Web Security April 2, 2003.


Topics
JAAS

JAAS
JAAS stands for Java Authentication and Authorization Service. It grants permissions based on who is executing the code. JAAS uses Pluggable Authentication Modules (PAM) for authentication: different modules can be plugged in, allowing the user to be authenticated against most PAM-capable mechanisms. JAAS will be integrated into J2EE (Java 2 Enterprise Edition) and JDK 1.4.

JAAS Classes
JAAS defines the following packages:
- javax.security.auth
- javax.security.auth.callback
- javax.security.auth.login
- javax.security.auth.spi

Important ones
- javax.security.auth.Subject
- javax.security.auth.spi.LoginModule
- javax.security.auth.login.LoginContext
- javax.security.auth.login.Configuration
- javax.security.auth.callback.Callback
- javax.security.auth.callback.CallbackHandler

Subject
The Subject class represents a single entity using the system. A subject can possess one or more identities, each an instance of java.security.Principal; the method getPrincipals() returns a Set of those principals. Subjects also contain lists of credentials (public and private), accessed via Subject.getPublicCredentials() and Subject.getPrivateCredentials(). Credentials are just objects: they do not inherit from a common superclass or implement an interface. Subjects represent who is running the currently executing code. The active subject can be fetched with the static method Subject.getSubject().

LoginModule
LoginModule is an interface that must be implemented in order to provide authentication. Multiple login modules can be used at a time, and JAAS will attempt to log in via each of them. JAAS can be configured to allow or deny logins based on which of those various attempts succeed. LoginModule defines five methods, initialize(), login(), commit(), abort(), and logout(), which implement a two-phase commit for authentication when multiple authentication methods are in use.

LoginModule (cont.)
- initialize(Subject subject, CallbackHandler handler, Map sharedState, Map options): sets up the LoginModule to be used for a login attempt.
- login(): checks the credentials of the subject passed in earlier. How this is done is implementation-dependent.
- commit(): if the necessary logins were successful, JAAS calls commit() on each login module.
- abort(): if the necessary logins failed, JAAS calls abort() on each login module instead.
- logout(): logs out a subject.
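A minimal implementation of the five methods, added here as an example (it is not the book's PasswordLoginModule): login() only verifies and records the result, and the two flags carry that result into commit() and abort(). It assumes a PrincipalImpl(String) class like the one in the example's file list, and, for the demo only, reads the expected user/password from constructed options in jaas.config.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class PasswordLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private String username;
    private Principal principal;
    private boolean loginSucceeded, commitSucceeded;   // outcome of phase 1 / phase 2
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; this.handler = handler; this.options = options;
    }
    public boolean login() throws LoginException {             // phase 1: verify only
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e); }
        username = nc.getName();
        char[] pw = pc.getPassword(); pc.clearPassword();
        byte[] given = new String(pw).getBytes(UTF_8); Arrays.fill(pw, '\0');
        // Demo only: expected user/password are constructed jaas.config options; a real module compares a salted hash from a store.
        byte[] expected = String.valueOf(options.get("password")).getBytes(UTF_8);
        loginSucceeded = username != null && username.equals(options.get("user"))
                && MessageDigest.isEqual(expected, given);     // constant-time compare
        if (!loginSucceeded) throw new FailedLoginException("bad username or password");
        return true;
    }
    public boolean commit() {                                  // phase 2: bind the Principal
        if (!loginSucceeded) return false;
        principal = new PrincipalImpl(username); subject.getPrincipals().add(principal);  // ctor assumed
        return commitSucceeded = true;
    }
    public boolean abort() {                                   // overall login failed: undo
        if (!loginSucceeded) return false;
        if (commitSucceeded) return logout();
        username = null; loginSucceeded = false; return true;
    }
    public boolean logout() {
        subject.getPrincipals().remove(principal);
        principal = null; username = null; loginSucceeded = commitSucceeded = false;
        return true;
    }
}
```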

LoginContext
The login context is used to actually log in. The code performing the authentication instantiates a LoginContext, which then uses a Configuration to determine which login modules to use to authenticate a subject. The code attempting to authenticate then calls login() on the LoginContext.

Configuration
Configuration is an abstract class that defines how a LoginContext and its LoginModules should be used. The main use of a configuration is to determine which login modules need to be called and how each one's result affects the state of the entire login process. There are four possibilities:
- Required: must succeed for the entire login to succeed. Even if it fails, the remaining login modules are still queried.
- Requisite: if it fails, the login process is short-circuited and no more login modules are called.
- Sufficient: if this module succeeds and no required or requisite module has failed, the entire login succeeds.
- Optional: this module's success does not affect the remainder of the login process. If no sufficient, requisite, or required module fails, the login succeeds regardless of whether an optional module succeeds.
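A login configuration entry showing all four flags together, added as a constructed example (not the slides' jaas.config). The entry name "Sample" and the com.example.* module classes are placeholders; PasswordLoginModule is the one from the slides, and the credential options exist only to make the demo self-contained.

```text
// Constructed jaas.config: one named entry listing the module stack in order.
Sample {
    com.example.SmartCardLoginModule  sufficient;
        // success returns control to the application at once (later modules are
        // skipped) unless a required/requisite module above it already failed
    com.example.DirectoryLoginModule  requisite;
        // failure stops the stack immediately and the whole login fails
    PasswordLoginModule               required  user=testuser password=sasquatch;
        // must succeed; on failure the remaining modules are still invoked
        // (demo only: real deployments never store credentials in jaas.config)
    com.example.AuditLoginModule      optional;
        // its result never changes the outcome; it only observes the login
};
```

The file is selected with -Djava.security.auth.login.config; a single "=" appends it to the configured sources, whereas "==" (as in the run command later on this page) makes it the only source.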

Callback & CallbackHandler
The Callback interface contains no methods. It is simply there to tag classes that can be used to pass information from the code attempting a login to the login module. The CallbackHandler interface defines one method, handle(Callback[] callbacks). This method iterates through the callbacks provided and adds the requested information to each one.

Authentication Example
- The handle() method (code in the book, p. 247)
- The getName() method
- The PasswordLoginModule
  - The initialize() method
  - The login() method
  - The commit() method
  - The abort() method
  - The logout() method

Running the Example
You should have the following files:
- jaas.config
- JAASSampleApp.java
- PasswordLoginModule.java
- PrincipalImpl.java
- UsernamePasswordCallbackHandler.java
Compile them with:
    C:\> javac *.java

Running the Example
We need to specify the location of the config file to the VM when we actually execute the application, like so:
    C:\> java -Djava.security.auth.login.config==jaas.config JAASSampleApp testuser sasquatch
If all is successful, you should see your authenticated subject displayed like so:
    Subject:
        Principal: testuser
Otherwise, you will see the exception that was thrown.
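The driver and the callback handler behind the run above, written for this page as an added example rather than the book's JAASSampleApp and UsernamePasswordCallbackHandler. It assumes the jaas.config entry is named "Sample" and Java 16+ (pattern-matching instanceof); the handler refuses callback types it does not know rather than silently ignoring them.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Answers the NameCallback/PasswordCallback that a password login module sends,
// from values captured at construction; any other callback is refused explicitly.
class UsernamePasswordCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;

    UsernamePasswordCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password.clone();
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback nc) nc.setName(username);
            else if (cb instanceof PasswordCallback pc) pc.setPassword(password);
            else throw new UnsupportedCallbackException(cb, "unsupported callback " + cb.getClass().getName());
        }
    }
}

public class JAASSampleApp {
    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java -Djava.security.auth.login.config==jaas.config JAASSampleApp <user> <password>");
            System.exit(2);
        }
        // Note: a password on the command line is visible in process listings; this mirrors the slides' demo only.
        CallbackHandler handler = new UsernamePasswordCallbackHandler(args[0], args[1].toCharArray());
        try {
            // "Sample" (assumed) names the entry in jaas.config; LoginContext reads the
            // Configuration to find the module stack and its control flags.
            LoginContext lc = new LoginContext("Sample", handler);
            lc.login();                     // phase 1 on every module, then commit() or abort() on each
            Subject subject = lc.getSubject();
            System.out.println(subject);    // prints "Subject:" and one line per Principal
            lc.logout();
        } catch (LoginException e) {
            System.err.println("authentication failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```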

Authorization
There are two types of authorization when using JAAS: declarative and programmatic. Just as in the servlet and EJB security models, we can define static configurations that allow and disallow access to resources, or we can write code that uses more sophisticated logic to decide how to hand out resources based on who is running the code.

Declarative Authorization
JAAS adds a new configuration directive to the policy file that defines permissions. We talked about the codebase and signedby directives in Chapter 7; now we describe the Principal directive. This directive allows you to specify who must be running some code in order for it to have a certain permission. Here is a sample entry that you might use in a policy file (the backslashes in the path are doubled because the backslash is the escape character in policy-file strings):
    grant Principal PrincipalImpl "testuser" {
        permission java.io.FilePermission "c:\\test\\test.txt", "read,write";
    };
Declarative authorization is seldom actually used.

Programmatic Authorization
It can be valuable to determine who is running the current code. You can get the current subject by calling the static method getSubject() in the Subject class. This method requires an instance of java.security.AccessControlContext, which can be retrieved with the method getContext() in java.security.AccessController. The code looks like this:
    AccessControlContext context = AccessController.getContext();
    Subject subject = Subject.getSubject(context);
The retrieved subject can then be checked for principals to decide what action should be performed.

Programmatic Authorization
To run code as a specific subject, we use the Subject.doAs() method, which takes a subject and a java.security.PrivilegedAction and runs the action as that subject.
    ...
    // Now we're logged in, so we can get the current subject.
    Subject subject = loginContext.getSubject();
    // Perform the example action as the authenticated subject.
    Subject.doAs(subject, new ExampleAction());
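How the two halves fit together, as an added example (not the book's ExampleAction): the action asks the AccessControlContext that doAs() stamped with the Subject who is running it, and decides from the principals instead of trusting a name passed in as a parameter. The principal name "testuser" mirrors the policy entry above; runAs() is a hypothetical helper.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

// Decides from the Subject it is executed under, never from caller-supplied input.
public class ExampleAction implements PrivilegedAction<String> {
    public String run() {
        // doAs() bound the Subject to the current AccessControlContext.
        Subject current = Subject.getSubject(AccessController.getContext());
        if (current == null) return "denied: no authenticated Subject in this context";
        boolean allowed = current.getPrincipals().stream()
                .map(Principal::getName)
                .anyMatch("testuser"::equals);
        return allowed ? "write to test.txt allowed" : "denied for " + current.getPrincipals();
    }

    // Hypothetical helper: call after a successful LoginContext.login().
    public static String runAs(LoginContext loginContext) {
        Subject subject = loginContext.getSubject();
        return Subject.doAs(subject, new ExampleAction());
    }
}
```

Subject.doAs() and Subject.getSubject(AccessControlContext) are deprecated on current JDKs in favour of Subject.callAs(subject, callable) and Subject.current() (JDK 18+), and getSubject(AccessControlContext) fails on JDK 23 and later when a Security Manager is not allowed.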

Bibliography
[1] J. Garms and D. Somerfield. Professional Java Security. Wrox Press Ltd., 2001, pp. 244–258.
[2] Scott Oaks. Java Security, 2nd ed. O'Reilly.
[3] J. Jaworski et al. Java Security Handbook. Sams Publishing.
[4] Security
[5]