Java Forum / Security / April 2004


JAAS and UNIX

JK - 16 Feb 2004 15:29 GMT
Hi,

has anyone managed to log in to a UNIX system as a principal other than
the user that runs the application using JAAS?
The JNDI module returns the correct subject, but when I do a
    Subject.doAs(subject, action)
the user that runs the action remains the user who has started the
application. E.g. reading a file that is only readable by the
authenticated user results in a
    java.io.FileNotFoundException
instead of a
    java.security.AccessControlException
and the "java.home" property still points to the home directory of the
application runner.

Does the runner of the application have to be root?
Am I missing something?

Regards
JK.
JK - 16 Feb 2004 16:33 GMT
Okay, it seems I got it all wrong:

You can't really do something "on behalf of another user" with JAAS.
Even though you call Subject.doAs with an authenticated Subject, the
code is still executed in the system environment of the application's owner.

Given that, and the fact that the application's policy must be a subset of
the user-specific JAAS policy, JAAS is quite a weak tool for
authorisation.

Regards
JK.

Oscar Kind - 23 Feb 2004 10:22 GMT
> Okay, it seems I got it all wrong:
>
> You can't really do something "on behalf of another user" with JAAS.
> Even though you call Subject.doAs with an authenticated Subject, the
> code is still executed in the system environment of the application's owner.

Of course: Java security is separate from OS security.

The OS won't allow a program to execute (code) as a different user, unless
it executes as a superuser, or it authenticates itself using the operating
system.

JAAS is used to authenticate a user to your Java code. It does not
authenticate a program to the OS.

> Given that, and the fact that the application's policy must be a subset of
> the user-specific JAAS policy, JAAS is quite a weak tool for
> authorisation.

It doesn't. JAAS just isn't suited for every kind of authorization. There
is a difference between the user running the program (determining the
rights a program has) and the user using a program. This distinction is
necessary to create servers.

Oscar

Oscar Kind                                    http://home.hccnet.nl/okind/
Java/J2EE Developer                             email available on website

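The distinction Oscar draws can be seen directly in code. The following is an added example, not code from this thread: it builds a Subject carrying a constructed Principal named "alice" (standing in for the Subject a LoginModule would return), runs an action under Subject.doAs, and reports what the action sees. Inside the action, Java code can read the Subject's principals and base its own authorization decisions on them, while the OS identity reported by the JVM is still that of the account that started the process. It assumes Java 8 to 21; Subject.getSubject(AccessControlContext) is deprecated from Java 17 and Subject.current() is its replacement from Java 18 onward.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Added example (not part of the original thread): Subject.doAs changes the
 * Java-level Subject visible to the code it runs, not the OS user of the process.
 */
public class DoAsDemo {

    /** Minimal Principal implementation; "alice" below is a constructed sample name. */
    static final class NamedPrincipal implements Principal {
        private final String name;

        NamedPrincipal(String name) {
            this.name = name;
        }

        @Override
        public String getName() {
            return name;
        }

        @Override
        public String toString() {
            return "NamedPrincipal[" + name + "]";
        }
    }

    /** Build a read-only Subject as a LoginModule would after a successful login (assumed, not performed here). */
    static Subject subjectFor(String userName) {
        Set<Principal> principals = new HashSet<>();
        principals.add(new NamedPrincipal(userName));
        return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
    }

    /** Application-level authorization: the Java code decides based on the Subject's principals. */
    static boolean mayRead(Subject subject, String owner) {
        return subject != null
                && subject.getPrincipals().stream().anyMatch(p -> owner.equals(p.getName()));
    }

    public static void main(String[] args) {
        Subject alice = subjectFor("alice");

        // The cast selects the PrivilegedAction overload of doAs.
        String report = Subject.doAs(alice, (PrivilegedAction<String>) () -> {
            // Java-side identity: the Subject passed to doAs is visible here.
            Subject current = Subject.getSubject(AccessController.getContext());
            // OS-side identity: still the account that launched the JVM.
            String osUser = System.getProperty("user.name");
            return "java principals=" + current.getPrincipals()
                    + " mayRead(alice)=" + mayRead(current, "alice")
                    + " mayRead(bob)=" + mayRead(current, "bob")
                    + " os user=" + osUser;
        });
        System.out.println(report);
    }
}
```

Run it as any ordinary account and the printed OS user is that account, whatever principals the Subject carries; a file readable only by the real "alice" account would still fail at the OS level with the FileNotFoundException JK observed, because no system call in this path ever changes the process's uid. The mayRead check is the part JAAS is good for: a decision made by your own code, using the principals it authenticated.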
Boris Bralo - 24 Feb 2004 09:57 GMT
Hi
> > Okay, it seems I got it all wrong:
> >
[quoted text clipped - 19 lines]
> rights a program has) and the user using a program. This distinction is
> necessary to create servers.

It depends what kind of servers you want. JAAS is adequate for the most
often used scenario, when you have "internet" users not known to the host OS.
The problem which JK (and I) need to solve is authorization for known users
(like ftp, telnet and many other servers on UNIX do).
On UNIX, it is solved with fork()/setuid() and there's no natural equivalent
in Java for that.
That makes Java more secure, but cuts us off from the possibly rich OS
authorization framework.
For example, one has to use an SQL database (or XML files/database as in XACL)
to keep authorization data even when it is natural to use the OS users' database.

---
Boris
jhegedus - 08 Apr 2004 15:34 GMT
JK, have you managed to solve your problem and authenticate the user in
Unix? Boris, do you have any ideas on how to do this? I'm attempting to
do the same thing without any luck.
