Java Forum / Security / February 2005

Granting getSubject permission as narrowly as possible?

Laird Nelson - 28 Feb 2005 17:24 GMT
I have a test case that calls, among other things, this code fragment,
after successfully authenticating a Subject:

  final Subject subject =
    AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() {
      public final Subject run() throws Exception {
        return Subject.getSubject(AccessController.getContext());
      }
    });

I have placed the call in a doPrivileged() block because I only want to
have to grant the javax.security.auth.AuthPermission "getSubject" to
*my* code, not to any code that might call it.

Finally, I am of course running everything with the
-Djava.security.manager property set.

However, when I run the test case that contains this call, the
AccessController pukes saying that *Ant* (my build tool)--which is
running JUnit, which is running my test case--doesn't have the requisite
permission.

What's the general idiom or pattern or series of steps for acquiring a
Subject when you're in the presence of a SecurityManager?

Thanks,
Laird
Laird Nelson - 28 Feb 2005 18:04 GMT
> What's the general idiom or pattern or series of steps for acquiring a
> Subject when you're in the presence of a SecurityManager?

OK, I've resolved the access control issues.  Now I've got a different
problem.

Here is a code snippet from my test case:

    // ... do a successful LoginContext.login()...

    // See who we just authenticated and make sure he's not null.
    final Subject subject = context.getSubject();
    assertNotNull(subject);

    // Succeeds up to here, because authentication worked.

    // See if the Subject we just authenticated is somehow propagated
    // to the current access control context.
    final Subject anotherSubject =
      AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() {
        public final Subject run() throws Exception {
          return Subject.getSubject(AccessController.getContext());
        }
      });
    // Oops; this fails; anotherSubject is null!
    assertEquals(subject, anotherSubject);

So supposing I'm in a section of my application where I don't have a
handle on the LoginContext: how can I get the Subject who was
authenticated?  I was under the impression the above was the way to do
it but clearly I am mistaken.

Laird
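The behaviour the second post runs into, shown as an added stand-alone example (not code from the thread): a Subject is only bound to the access control context inside Subject.doAs, and a plain AccessController.doPrivileged() discards the DomainCombiner that carries it, so getSubject() inside that block sees nothing. The Subject and its X500Principal are constructed here in place of a real LoginContext.login(); doPrivilegedWithCombiner requires Java 6 or later.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashSet;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class SubjectPropagationDemo {

    // Read whatever Subject is bound to the caller's access control context;
    // returns null when no Subject.doAs frame is on the stack.
    static Subject current() {
        return Subject.getSubject(AccessController.getContext());
    }

    public static void main(String[] args) {
        // Constructed stand-in for the Subject a LoginContext.login() would fill in.
        Subject subject = new Subject(false,
            new HashSet<>(Collections.singleton(new X500Principal("CN=laird"))),
            new HashSet<>(), new HashSet<>());

        // 1. login() alone binds nothing to the thread: outside Subject.doAs
        //    the lookup comes back empty.
        System.out.println("outside doAs: " + current());

        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            // 2. Inside doAs the SubjectDomainCombiner makes the Subject visible
            //    to any code that asks for it directly.
            System.out.println("inside doAs: " + current().getPrincipals());

            // 3. A plain doPrivileged() starts a fresh privileged frame and
            //    ignores the current DomainCombiner, so the Subject is gone
            //    again. This is the trap in the snippet above.
            Subject inner = AccessController.doPrivileged(
                (PrivilegedAction<Subject>) SubjectPropagationDemo::current);
            System.out.println("inside doPrivileged: " + inner);

            // 4. doPrivilegedWithCombiner keeps the combiner, so the getSubject
            //    AuthPermission can still be granted only to this code base
            //    while the Subject remains visible.
            Subject kept = AccessController.doPrivilegedWithCombiner(
                (PrivilegedAction<Subject>) SubjectPropagationDemo::current);
            System.out.println("inside doPrivilegedWithCombiner: " + kept.getPrincipals());
            return null;
        });
    }
}
```

Run with or without -Djava.security.manager: the permission checks only happen with a SecurityManager installed, but the propagation behaviour is the same either way.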