User Authentication

The Java Authentication and Authorization Service (JAAS) is a part of Java SE 1.4 and beyond. The "authentication" part is concerned with ascertaining the identity of a program user. The "authorization" part maps users to permissions.

 

JAAS is a "pluggable" API that isolates Java applications from the particular technology used to implement authentication. It supports, among others, UNIX logins, NT logins, Kerberos authentication, and certificate-based authentication.

 

Once a user has been authenticated, you can attach a set of permissions. For example, here we grant Harry a particular set of permissions that other users do not have:

 

grant principal com.sun.security.auth.UnixPrincipal "hejian"
{
   permission java.util.PropertyPermission "user.*", "read";
   . . .
};

 

 

The com.sun.security.auth.UnixPrincipal class checks the name of the UNIX user who is running this program,Its getName method returns the UNIX login name,and we check whether that name equals "hejian".You use a LoginContext to allow the security manageer to check such a grant statement.Here is the basic outline of the login code:

 

try
{
   System.setSecurityManager(new SecurityManager());
   LoginContext context = new LoginContext("Login1"); // defined in JAAS configuration file
   context.login();
   // get the authenticated Subject
   Subject subject = context.getSubject();
   . . .
   context.logout();
}
catch (LoginException exception) // thrown if login was not successful
{
   exception.printStackTrace();
}

 

 

Now the subject denotes the individual who has been authenticated.

 

The string parameter "Login1" in the LoginContext constructor refers to an entry with the same name in the JAAS configuration file.Here is a sample configuration file:

 

Login1
{
   com.sun.security.auth.module.UnixLoginModule required;
   com.whizzbang.auth.module.RetinaScanModule sufficient;
};

Login2
{
   . . .
};

  

Of course,the JDK contains no biometric login modules.The following modules are supplied in the 

com.sun.security.auth.module package:

 

 

UnixLoginModule
NTLoginModule
Krb5LoginModule
JndiLoginModule
KeyStoreLoginModule

 

A login policy consists of a sequence of login modules,each of which is labeled required,sufficient,requisite,or optional.The meaning of these keywords is given by the following algorithm:

 

1.The modules are executed in turn,until a sufficient module succeeds,a requisite module fail,or the end of the module list is reached.

 

2. Authentication is successful if all required and requisite modules succeed,or if none of them were executed,if at least one sufficient or optional module succeeds.

 

A login authenticates a subject,which can have multiple principals. A principal describes some property of subject,such as the user name,group ID,or role,As you saw in the grant

statement,principals govern permissions,The com.sun.security.auth.UnixPrincipal describes the UNIX login name,and the unixNumericGroupPrincipal can test for membership in a UNIX group.

 

A grant clause can test for a principal,with the syntax

 

grant principalClass "principalName"

For example :

 

grant com.sun.security.auth.unixPrincipal "hejian"

 

When a user has logged in,you then run,in a seperate access control context,the code that requires checking of principals.use the static doAs or doAsPrivileged method to start a new PrivilegedAction whose run method executes the code.

 

PrivilegedAction<T> action = new
   PrivilegedAction()
   {
      public T run()
      {
        // run with permissions of subject principals
         . . .
      }
   };
T result = Subject.doAs(subject, action); // or Subject.doAsPrivileged(subject, action, null)

					  

 

If the actions can throw checked exceptions,then you implement the PrivilegedExceptionAction interface instead.

 

The difference between the doAs and doAsPrivileged method is subtle.The doAs method starts out with the current access control context,whereas the doAsPrivileged method starts out with a new context.

The latter method allows you to separate the permissions for the login code and the "business logic."In our example application,the login code has permissions

 

permission javax.security.auth.AuthPermission "createLoginContext.Login1";
permission javax.security.auth.AuthPermission "doAsPrivileged";

 

The authenticated user has a permission

 

permission java.util.PropertyPermission "user.*", "read";

 

If we had used doAs instead of doAsPrivileged,then the login code would have also needed that permission!

 

The AuthenticateTest program should now display the value of the user.home property.However,if you change the login name in the auth.policy file,then a security exception should be thrown because you no longer have the required permission.

 

Caution!

               Be careful to follow these instructions exactly.It is very easy to get the setup wrong by making seemingly innocuous changes.

 

Code View:

 

package com.tojaoomy.security;

import java.security.PrivilegedAction;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class AuthenticateTest {

	public static void auth(){
		System.setProperty("java.security.policy", "security/auth.policy");
		System.setProperty("java.security.auth.login.config", "security/jaas.config");
		System.setSecurityManager(new SecurityManager());
		
//		System.out.println(System.getProperty("user.dir"));
		
		try {
			LoginContext context = new LoginContext("Login1");
			context.login();
			System.out.println("Authentication successful");
			Subject subject = context.getSubject();
			System.out.println("Subject : " + subject);
			PrivilegedAction<String> action = new SysPropAction("user.home");
			String result = Subject.doAsPrivileged(subject, action, null);
//			String result = Subject.doAs(subject, action );
			System.out.println(result);
			context.logout();
		} catch (LoginException e) {
			e.printStackTrace();
		}
		
	}
	/**
	 * @param args
	 */
	public static void main(String[] args) {
		// TODO Auto-generated method stub
		auth();
	}

}

 

 

package com.tojaoomy.security;

import java.security.PrivilegedAction;

public class SysPropAction implements PrivilegedAction<String> {

	private String propertyName;
	
	public SysPropAction(String propertyName) {
		this.propertyName = propertyName;
	}
	@Override
	public String run() {
		return System.getProperty(propertyName); 
	}

}

 

 

grant 
{
	permission javax.security.auth.AuthPermission "createLoginContext.Login1";
	permission javax.security.auth.AuthPermission "doAsPrivileged";
	permission javax.security.auth.AuthPermission "doAs";
};

grant principal com.sun.security.auth.NTUserPrincipal "hejian"
	  principal com.sun.security.auth.NTDomainPrincipal "DOMRST"
{
   permission java.util.PropertyPermission "user.*", "read";
};

 

 

Login1
{
	com.sun.security.auth.module.NTLoginModule required;
};

 

Because my computer environment is window7,so you should use the NT Prefix,else yours is Unix,

the Unix prefix is instead.

 

Here is my test result:

 

Authentication successful
Subject : Subject:
 Principal: NTUserPrincipal: hejian
 Principal: NTSidUserPrincipal: S-1-5-21-3707767768-4261598023-2969272642-9184
 Principal: NTDomainPrincipal: DOMRST
 Principal: NTSidDomainPrincipal: S-1-5-21-3707767768-4261598023-2969272642
 Principal: NTSidPrimaryGroupPrincipal: S-1-5-21-3707767768-4261598023-2969272642-513
 Principal: NTSidGroupPrincipal: S-1-1-0
 Principal: NTSidGroupPrincipal: S-1-5-32-544
 Principal: NTSidGroupPrincipal: S-1-5-32-545
 Principal: NTSidGroupPrincipal: S-1-5-4
 Principal: NTSidGroupPrincipal: S-1-2-1
 Principal: NTSidGroupPrincipal: S-1-5-11
 Principal: NTSidGroupPrincipal: S-1-5-15
 Principal: NTSidGroupPrincipal: S-1-5-5-0-265371
 Principal: NTSidGroupPrincipal: S-1-2-0
 Principal: NTSidGroupPrincipal: S-1-5-21-3707767768-4261598023-2969272642-1144
 Principal: NTSidGroupPrincipal: S-1-5-21-3707767768-4261598023-2969272642-9236
 Principal: NTSidGroupPrincipal: S-1-16-12288
 Public Credential: NTNumericCredential: 712

C:\Users\hejian.DOMRST