Jaas Introduction. Outline l General overview of Java security Java 2 security model How is security maintained by Java and JVM? How can a programmer.

Slides:



Advertisements
Similar presentations
Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Advertisements

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Java security (in a nutshell)
COEN 351: E-Commerce Security
Java Security CS-328. JDK 1.0 Security Model Sandbox Java Virtual Machine Local Code Remote Code Local Host System Resources (File System, Sockets, Printers…)
Dan Sedlacek CTO, Systems Management Group Sterling Software Java Security and Encryption.
Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & ) Java Security on the Browser Java Security in the Enterprise.
Understanding WebLogic Security
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Securing web applications using Java EE Dr Jim Briggs 1.
Java Remote Object Invocation (RMI) Overview of RMI Java RMI allowed programmer to execute remote function class using the same semantics as local functions.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
1 Lecture 4 George Koutsogiannakis/Summer 2011 CS441 CURRENT TOPICS IN PROGRAMMING LANGUAGES.
Certificates By Purvi Shah. What is a Certificate A certificate is basically a digitally signed statement from one entity (person, company, etc.), saying.
Certificates, SSL and IPsec Ahmed Muaydh Sara Bin Saif Shi-Jey Chou Advisor:Dr. Leszek Lilien.
Linux Security.
1 Homework Study Java Cryptography by Reading the rest of slides and accessing Sun ’ s Java website:
A Framework for Smart Proxies and Interceptors in RMI Nuno Santos P. Marques, L. Silva CISUC, University of Coimbra, Portugal
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
JSSE API University of Palestine Eng. Wisam Zaqoot April 2010.
CSCI 6962: Server-side Design and Programming
Signing, Sealing, and Guarding Java TM Objects Li Gong and Roland Schemers Javasoft, Sun Microsystems, Inc. “In This Paper, We Describe a Few New Constructs.
Java Authentication and Authorization Service (JAAS)
1 Java Programming II Java Network II (Distributed Objects in Java)
Blackboard Building Blocks Framework and Security Monday, September 14, 2015 Tracy Engwirda, Senior Consultant – Asia Pacific.
© Blackboard, Inc. All rights reserved. Security and Authentication Security and Authentication Tracy Engwirda Principal Consultant Blackboard Inc. July.
Java Security Shmuel Babad CEO MidLink Computing LTD
JAAS Qingyang Liu and Lingbo Wang CSCI Web Security April 2, 2003.
© Blackboard, Inc. All rights reserved. Security and Authentication with Blackboard Building Blocks™ David Ashman Senior Software Architect, Product Development.
1 22 August 2001 The Security Architecture of the M&M Mobile Agent Framework P. Marques, N. Santos, L. Silva, J. Silva CISUC, University of Coimbra, Portugal.
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Announcements Assignment 3 due. Invite friends, co-workers to your presentations. Course evaluations on Friday.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
1 Module Objective & Outline Module Objective: After completing this Module, you will be able to, appreciate java as a programming language, write java.
JAVA AUTHENTICATION AND AUTHORIZATION SERVICE (JAAS)
Secure Credential Manager Claes Nilsson - Sony Ericsson
Single Sign-on with Kerberos 1 Chris Eberle Ryan Thomas RC Johnson Kim-Lan Tran CS-591 Fall 2008.
Java Security Nathan Moore CS 665. Overview Survey of Java Inherent Security Properties Java Runtime Environment Java Virtual Machine Java Security Model.
XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.
Java 2 security model Valentina Casola. Components of Java the development environment –development lifecycle –Java language features –class files and.
ECommerce for software ICE525 Chung Sukwon, Lee Ilnam.
16-1 Developer Libraries and Services Learning Objectives: ● This module will help you... – Learn about optional JXTA libraries and services – Understand.
A Secure JBoss Platform Nicola Mezzetti Acknowledgments: F. Panzieri.
Java Remote Object Invocation (RMI) Overview of RMI Java RMI allowed programmer to execute remote function class using the same semantics as local functions.
Copyright  2002 Urbancode Software Development, Inc. All Rights Reserved. Developing with JAAS Presented by Maciej Zawadzki
Csci5931 Web Security1 Java Security Model (GS: Ch. 7)
1 Session 3 Module 4: Java Security Module 5: Cryptography.
©2004 BLACKBOARD, INC. ALL RIGHTS RESERVED. Security and Authentication Security and Authentication Thursday, December 17, 2015.
Java Security Session 19. Java Security / 2 of 23 Objectives Discuss Java cryptography Explain the Java Security Model Discuss each of the components.
Java Security cont’d. Using SecurityManager  The basic SecurityManager architecture is simple. Throughout the JDK, the Java security team had to:  Identify.
1 Session 4 Module 6: Digital signatures. Digital Signatures / Session4 / 2 of 18 Module 4, 5 - Review (1)  Java 2 security model provides a consistent.
15 Copyright © 2004, Oracle. All rights reserved. Adding JAAS Security to the Client.
8 Copyright © 2004, Oracle. All rights reserved. Making the Model Secure.
TCS Internal Security. 2 TCS Internal Objective Objective :  Android Platform Security Architecture.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Java Object-Relational Layer Sharon Diskin GUS 3.0 Workshop June 18-21, 2002.
Java & The Android Stack: A Security Analysis Pragati Ogal Rai Mobile Technology Evangelist PayPal, eBay Java.
SESSION 1 Introduction in Java. Objectives Introduce classes and objects Starting with Java Introduce JDK Writing a simple Java program Using comments.
Web Security CS-431.
Java security (in a nutshell)
Limiting Access to System Properties
Topic: Java Security Models
Web Applications and JAAS
Java Remote Method Invocation
Plug-In Architecture Pattern
Presentation transcript:

Jaas Introduction

Outline l General overview of Java security Java 2 security model How is security maintained by Java and JVM? How can a programmer ensure security? l Java Authentication and Authorization Service (JAAS (pronounced jazz) ) What is JAAS? How can it be used? (with code samples)

Java-Technology based Security l Strongly typed l Byte code verification l Runtime type safety checks l Class loaders l Security managers

JDK 1.0 Security Model l The “Sandbox“ Model

JDK 1.1 Security Model l The concept of “signed“ applet

Java 2 Security Model (JDK 1.2 and higher) l Fine grained access control using security policies

Example: Java Security package demo.jaas; import java.io.File; public class UnAuthenticatedClient { public static void main(String[] args) { File f = new File("ProtectedFile.txt"); System.out.print( "\nProtectedFile.txt does "); if (!f.exists()) System.out.print("not "); System.out.println("exist."); } } A very simple program (UnAuthenticatedClient.java) : grant codebase "file:C:/demo/jaas/noauth_client.jar" { permission java.io.FilePermission "ProtectedFile.txt", "read"; }; The security policy for the “ProtectedFile.txt“ (noauth_java.policy) :

Example: Java Security 2 java –classpath C:\demo\jaas\noauth_client.jar -Djava.security.manager –Djava.security.policy==C:\demo\jaas\noauth_java.policy demo.jaas.UnAuthenticatedClient Execute program using SecurityManager and policy file: grant codebase "file:C:/demo/jaas/noauth_client.jar“ { }; Case 1: Change policy file to (and execute):  Exception because no permission Case 2: Move original files from C:\demo\jaas to C:\temp and execute  Exception because code comes no longer from C:\demo\jaas\noauth_client.jar grant codebase "file:C:/demo/jaas/noauth_client.jar" { permission java.io.FilePermission "ProtectedFile.txt", "read"; }; grant signed by aheusser codebase “file:C:/demo/jaas/noauth_client.jar“ { permission java.io.FilePermission "ProtectedFile.txt", "read,write"; } Case 3: Change policy file to (and execute):

Why use JAAS? l Java Security is code-centric (permissions granted based on code characteristics) l JAAS allows Authentication: reliably and securely determine who is currently executing Java code Authorization: ensure users have access control rights (permissions) required to do the actions performed

Architecture of JAAS Packages: javax.security.auth, javax.security.auth.callback, javax.security.auth.login, javax.security.auth.spi Common classes: Subject, Principal, Credential Authentication classes: LoginContext, LoginModule, Callback, CallbackHandler Authorization classes: Policy, AuthPermission, PrivateCredentialPermission

JAAS Authentication l Authentication performed in pluggable fashion Java applications remain independent from underlying authentication technologies

JAAS Authentication 2 To authenticate a subject (user or service) following steps are performed: 1. Application instantiates a LoginContext - LoginContext needs a string that indexes an entity in the config file - A CallbackHandler is optional (needed if user interaction is required) 2. LoginContext consults a Configuration to load all required LoginModules 3. Application calls LoginContext‘s login() method 4. Login method invokes all LoginModules - each LoginModule attemps to authenticate the subject 5. The LoginContext returns the authentication status to the app. 6. If authentication successful, application retrieves the subject

Example: JAAS Authentication JAASArticle { demo.jaas.LoginModuleImpl required debug=true fileName=passwords; }; File: jaas.config java -Djava.security.auth.policy=jaas.config... Start of program:... // use the configured LoginModules for the "JAASArticle" entry LoginContext lc = null; try { lc = new LoginContext( "JAASArticle", new MyCallbackHandler()); } catch (LoginException le) { le.printStackTrace(); System.exit(-1); }... try { // attempt authentication lc.login(); } catch (LoginException e) { System.out.println( e.getMessage()); System.exit(-1); }... lc.logout(); File: AuthorizedClient.java:

Example: JAAS Authentication 2 class MyCallbackHandler implements CallbackHandler { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof NameCallback) { // prompt the user for a username and store it in the NameCallback.... } else if (callbacks[i] instanceof PasswordCallback) { // prompt the user for sensitive information an store it in the // PasswordCallback.... } else { throw new UnsupportedCallbackException(callbacks[i],"Unrecognized Callback"); } } }.... } File: MyCallbackHandler.java: LoginModuleImpl implements LoginModule interface with methods: - initialize(Subject, CallbackHandler, Map, Map), login(), logout(), commit(), abort() login method creates the callbacks (e.g. NameCallback and PasswordCallback) and calls CallbackHandler.handle method by passing the callbacks. When handle returns, login validates the information.

JAAS Authorization l JAAS authorization extends the existing Java security architecture (policy files) l Authorization is now user-centric by handling Principal-based queries default policy implementation supports Principal-based grant entries access control can now be based not just on what code is running, but also who is running it l In order to be able to do something a user must now first be authenticated

Example: JAAS Authorization... //get the LoginContext and log in // now try to execute the AuthorizedAction as the authenticated Subject Subject.doAs(lc.getSubject(), new AuthorizedAction());... lc.logout(); File: AuthorizedClient.java: package demo.jaas; import java.io.File; import java.security.PrivilegedAction; public class AuthorizedAction implements PrivilegedAction { public Object run() { File f = new File("ProtectedFile.txt"); System.out.print("\nProtectedFile.txt does "); if (!f.exists()) System.out.print("not "); System.out.println("exist."); return null; } } File: AuthorizedAction.java:

Example: JAAS Authorization 2 grant codebase "file:C:/demo/jaas/client_action.jar", Principal demo.jaas.PrincipalImpl "aheusser" { permission java.io.FilePermission "ProtectedFile.txt", "read"; }; File: jaas.policy /* grant the JAAS core library AllPermission */ grant codebase "file:C:/jdk1.3/jre/lib/ext/jaas.jar" { permission java.security.AllPermission; }; /* grant the LoginModule AllPermission */ grant codebase "file:C:/demo/jaas/loginmodule.jar" { permission java.security.AllPermission; }; grant codebase "file:C:/demo/jaas/client.jar" { permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "doAs"; permission java.io.FilePermission "ProtectedFile.txt", "read"; }; File: java.policy

Features and Goals of JAAS l Simple and pluggable authentication Implements the standard PAM framework (Pluggable Authentication Module) Apps need not to be changed if authentication mechanisms are changed l Policy-based authentication Apps need not concern with exact authentication mechanisms used Default login config mechanism is a configuration file l Fine-grained access control capabilities l Authenticate and enforce access controls upon users l Support for user-based, group-based and role-based access controls

Java Security Packages l JAAS (Java Authentication and Authorization Service) l JCE (Java Cryptography Extension) l JSSE (Java Secure Sockets Extension) l GSS API (Generic Security Service) Securely exchanging messages using Kerberos V5 l Certification Path API Allows to build and validate certification paths

Features of JCE l Extends the JCA (Java Cryptography Architecture) l Defines standard encryption APIs l Pluggable framework architecture Enables qualified providers (CSPs) to be plugged in l Jurisdiction policy files Allow strong but limited cryptography to be used

Features of JSSE l Standard socket APIs for SSL and TLS SSL v3 and TLS 1.0 support l Transport level Authentication, Integrity, and Privacy l Utilities for key and certificate management l Cipher suite negotiation SSL “handshaking“ to initiate or verify secure communications l Includes https URL handler l Cryptographic suites including: RSA, RC4, DES, DSA, etc.

Resources for Java Security Java Security l l JAAS l l l l 1.asp 1.asp l

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.