Presentation is loading. Please wait.

Presentation is loading. Please wait.

Limiting Access to System Properties

Published byThomasina Walker Modified over 6 years ago

Similar presentations

Presentation on theme: "Limiting Access to System Properties"— Presentation transcript:

1 Limiting Access to System Properties

2 Contents Authentication and Authorization Problem Description Solution
JAAS Login Modules

3 I. Authentication and Authorization
JAAS can be used for two purposes: Authentication is concerned with ascertaining the identity of a program user. Authorization maps users to permissions. Login modules in the com.sun.security.auth.module UnixLoginModule NTLoginModule Krb5LoginModule JndiLoginModule KeyStoreLoginModule

4 1. Authentication JAAS authentication is performed in a pluggable fashion. This permits Java applications to remain independent from underlying authentication technologies. New or updated technologies can be plugged in without requiring modifications to the application itself. An implementation for a particular authentication technology to be used is determined at runtime. The implementation is specified in a login configuration file.

5 1.1 The Authentication Code
1.2 The Login Configuration 1.3 Running the Code 1.4 Running the Code with a Security Manager

6 1.1 The Authentication Code
The code for authenticating the user is very simple, consisting of just two steps: Instantiate a LoginContext. Call the LoginContext's login method.

7 Instantiating a LoginContext
import javax.security.auth.login.*; LoginContext lc = new LoginContext( <config file entry name>, <CallbackHandler to be used for user interaction>); import javax.security.auth.login.*; import com.sun.security.auth.callback.TextCallbackHandler; LoginContext lc = new LoginContext( "JaasSample", new TextCallbackHandler() );

8 The arguments are the following:
1. The name of an entry in the JAAS login configuration file This is the name for the LoginContext to use to look up an entry for this application in the JAAS login configuration file, described here. Such an entry specifies the class(es) that implement the desired underlying authentication technology(ies). The class(es) must implement the LoginModule interface, which is in the javax.security.auth.spi package.

9 2. A CallbackHandler instance
When a LoginModule needs to communicate with the user, for example to ask for a user name and password, it does not do so directly. The LoginModule invokes a CallbackHandler to perform the user interaction and obtain the requested information, such as the user name and password. (CallbackHandler is an interface in the javax.security.auth.callback pkg.) TextCallbackHandler DialogCallbackHandler

10 Calling the LoginContext's login Method
Once we have a LoginContext lc, we can call its login method to carry out the authentication process: lc.login(); The LoginContext instantiates a new empty javax.security.auth.Subject object (which represents the user or service being authenticated). The calling application can subsequently retrieve the authenticated Subject by calling the LoginContext's getSubject method.

11

12 1.2 The Login Configuration
The login configuration file jaas.conf JaasSample { com.sun.security.auth.module.NTLoginModule required; }; This entry is named "JaasSample". The entry specifies that the LoginModule to be used to do the user authentication is the NTLoginModule in the com.sun.security.auth.module package is required to "succeed" in order for authentication to be considered successful.

13 1.3 Running the Code 1. Place the JaasAcn.java application source file and the jaas.conf login configuration file into a directory. 2. Compile JaasAcn.java: javac JaasAcn.java 3. Execute the JaasAcn application java - Djava.security.auth.login.config=jaas.conf JaasAcn

14 1.4 Running the Code with a Security Manager
When a Java program is run with a security manager installed: The program is not allowed to access resources or otherwise perform security- sensitive operations unless it is explicitly granted permission to do so by the security policy in effect. In Java platforms that are compatible with J2SE v 1.2 and later, the permission must be granted by an entry in a policy file.

15 1. Place the JaasAcn. java application source file and the jaas
1. Place the JaasAcn.java application source file and the jaas.conf login configuration file into a directory. 2 Compile JaasAcn.java: javac JaasAcn.java 3. Create a JAR file containing JaasAcn.class: jar -cvf JaasAcn.jar JaasAcn.class This command creates a JAR file, JaasAcn.jar, and places the JaasAcn.class file inside it.

16 4. Create a policy file jaasacn
4. Create a policy file jaasacn.policy granting the code in the JAR file the required permission. LoginContext lc = new LoginContext("JaasSample", new TextCallbackHandler()); Thus, the permission that needs to be granted to JaasAcn.jar is permission javax.security.auth.AuthPermission "createLoginContext.JaasSample";

17 5. Execute the JaasAcn application
java -classpath JaasAcn.jar Djava.security.manager Djava.security.policy=jaasacn.policy Djava.security.auth.login.config=jaas.conf JaasAcn

18 java -classpath JaasAcn. jar. -Djava. security. auth. login
java -classpath JaasAcn.jar -Djava.security.auth.login.config=jaas.conf JaasAcn

19 2. Authorization JAAS authorization extends the existing Java security architecture that uses a security policy to specify what access rights are granted to executing code. When an application uses JAAS authentication to authenticate the user (or other entity such as a service), a Subject is created as a result. The purpose of the Subject is to represent the authenticated user. A Subject is comprised of a set of Principals, where each Principal represents an identity for that user. Permissions can be granted in the policy to specific Principals.

20 The basic format of a grant statement is
grant <signer(s) field>, <codeBase URL> , <Principal field(s)> { permission perm_class_name "target_name", "action"; permission perm_class_name "target_name", "action"; }; A Principal field looks like the following: Principal Principal_class "principal_name"

21

22 To create and associate a Subject with an access control context
The user must first be authenticated. The static doAs method from the Subject class must be called, passing it an authenticated Subject and a java.security.PrivilegedAction or java.security.PrivilegedExceptionAct ion. The doAs method associates the provided Subject with the current access control context and then invokes the run method from the action.

23 The static doAsPrivileged method from the Subject class may be called instead of the doAs method.
In addition to the parameters passed to doAs, doAsPrivileged requires a third parameter: an AccessControlContext. Unlike doAs, which associates the provided Subject with the current access control context, doAsPrivileged associates the Subject with the provided access control context.

24

25

26 Running the application
javac JaasAcn.java SampleAction.java jar -cvf JaasAcn.jar JaasAcn.class jar -cvf SampleAction.jar SampleAction.class java -classpath JaasAcn.jar;SampleAction.jar Djava.security.auth.login.config=jaas.conf JaasAcn

27 II. Problem Description
Develop a program that allows (authorizes) a certain user on the machine to access system properties with the prefix “user.” only

28 III. Solution 1. Authentication Configuration File
2. Authorization Policy File 3. Developing the Login-Do-Logout Class 4. Developing the Privileged Action Class 5. Running the Application

29 1. Authentication Configuration File

30 2. Authorization Policy File

31 3. Developing the Login-Do-Logout Class

32 4. Developing the Privileged Action Class

33 5. Running the Application
javac *.java jar cvf login.jar Main.class jar cvf action.jar SystemPropertyAction.class java -classpath login.jar;action.jar -Djava.security.policy=Authorization.policy -Djava.security.auth.login.config=jaas.config Main

34 IV. JAAS Login Modules Implementing your own login module
Supplying your own login module is useful if you store login information in a database. Implementing role-based authentication Role-based authentication is essential if you manage a large number of users. It would be impractical to put the names of all legitimate users into a policy file. Instead, the login module should map users to roles such as "admin" or "HR," and the permissions should be based on these roles.

35 Preparing Login Information
Structure of the file <username>|<password>|<role>

36 The Authentication File
options

37 The Authorization Policy File

38

39

40

41

42

43

44

45 Running the Application
javac *.java Jar cvf login.jar JAAS*.class Simple*.class jar cvf action.jar SystemPropertyAction.class java -classpath login.jar;action.jar -Djava.security.policy=Authorization.policy -Djava.security.auth.login.config=jaas.config JAASTest

Download ppt "Limiting Access to System Properties"

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.

17 Copyright © 2005, Oracle. All rights reserved. Deploying Applications by Using Java Web Start.
Cognos Web Services Business Intelligence. SOA SOA (Service Oriented Architecture) The SOA approach involves seven key principles: -- Coarse -grained.

Cognos Web Services Business Intelligence. SOA SOA (Service Oriented Architecture) The SOA approach involves seven key principles: -- Coarse -grained.
METALOGIC s o f t w a r e © Metalogic Software Corporation 2004-2006 DACS Developer Overview DACS – the Distributed Access Control System.

METALOGIC s o f t w a r e © Metalogic Software Corporation DACS Developer Overview DACS – the Distributed Access Control System.
Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & email) Java Security on the Browser Java Security in the Enterprise.

Java Security. Overview Hermetically Sealed vs. Networked Executable Content (Web Pages & ) Java Security on the Browser Java Security in the Enterprise.
Understanding WebLogic Security

Understanding WebLogic Security
Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.

Object-Oriented Enterprise Application Development Tomcat 3.2 Configuration Last Updated: 03/30/2001.
Distributed Application Development B. Ramamurthy.

Distributed Application Development B. Ramamurthy.
OSGi: Open Services Gateway Initiative Richard Chapman 5 Sept. 2002.

OSGi: Open Services Gateway Initiative Richard Chapman 5 Sept
Applying OO Concepts Using Java. In this class, we will cover: Overriding a method Overloading a method Constructors Mutator and accessor methods The.

Applying OO Concepts Using Java. In this class, we will cover: Overriding a method Overloading a method Constructors Mutator and accessor methods The.
Delivering Excellence in Software Engineering ® 2006. EPAM Systems. All rights reserved. ASP.NET Authentication.

Delivering Excellence in Software Engineering ® EPAM Systems. All rights reserved. ASP.NET Authentication.
1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.

1 ASP.NET SECURITY Presenter: Van Nguyen. 2 Introduction Security is an integral part of any Web-based application. Understanding ASP.NET security will.
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,

M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Java Authentication and Authorization Service (JAAS)

Java Authentication and Authorization Service (JAAS)
Security in Java Sunesh Kumra S

Security in Java Sunesh Kumra S
Java Security Shmuel Babad CEO MidLink Computing LTD

Java Security Shmuel Babad CEO MidLink Computing LTD
Using JavaBeans and Custom Tags in JSP Lesson 3B / Slide 1 of 37 J2EE Web Components Pre-assessment Questions 1.The _____________ attribute of a JSP page.

Using JavaBeans and Custom Tags in JSP Lesson 3B / Slide 1 of 37 J2EE Web Components Pre-assessment Questions 1.The _____________ attribute of a JSP page.
AN OVERVIEW OF SERVLET TECHNOLOGY SERVER SETUP AND CONFIGURATION WEB APPLICATION STRUCTURE BASIC SERVLET EXAMPLE Java Servlets - Compiled By Nitin Pai.

AN OVERVIEW OF SERVLET TECHNOLOGY SERVER SETUP AND CONFIGURATION WEB APPLICATION STRUCTURE BASIC SERVLET EXAMPLE Java Servlets - Compiled By Nitin Pai.

Similar presentations

Ads by Google