JAAS Authorization - aaaggh

Similar Messages

• How to implement JAAS authorization with the weblogic 8.1 server

  i wrote a code for both the authentication as well as authorization using jaas using the config file and the policy file.
  This code works fine stand alone for the authentication as well as authorization.
  But when i runs this code inside the server (Weblogic 8.1), authorization deos not works according to my policy file. i have given the policy file path in the startWeblogicServer.cmd script. even i have tried to work with my policies in the java.policy file by giving its path in the java.security file. but this is also useless.
  Now, i have doubt that either <b>jaas authorization doesn't work with the weblogic</b>(i am using 8.1) or there is some configuration setting is missing from my side.
  Is there anybody who can help me to come out of this problem. Or tell me authorization alternative in the weblogic. I will really appreciate if anyone can help with the some example code.

  read this
  http://www.onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index.html
  http://www.onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index1.html

• Jaas authorization

  Hello, friends.
  Help please.
  Is it possible to base jaas authorization and authentication on the database role.
  I use Frank Nimphius DBLoginModule for users authorization and authentication.
  This works fine.
  But all users names must be defined in the application web.xml file.
  But the number of my application users will be increased in the future and i don't know
  their logins. I know that all application users will have database role "app_users only.
  (And all suiccessful authenticated with DBLoginModule users must
  be authorized with my application).
  What can I do in this situation.
  Can I permit access to the application for all users authenticated with LoginModule or
  for all users have been granted with database role "app_users".
  Thank you.

  Thak you for reply, Peter.
  Sorry for my English.I'll try to explain better what i need.
  I use Frank Nimphius DBSystemLoginModule and
  I do not undarstand how to map one jaas role to all database users which have database role app_users for example.
  This works fine if i define individual jaas sequrity role in web.xml for each database user . But it is not the decision because i don't know all application users now.
  But i know that all application users will have database role app_users.
  Another way is to permit access to the application for all successful authenticated with Login Module users.
  Help please.

• ClassCircularityError in JAAS Authorization with Weblogic Server 10.3

  We are implementing JAAS authorization in which roles and policies are stored in a custom JAAS policy file and users are stored in the embedded LDAP server provided by Weblogic. We are facing problem is authorizing users using the custom policy created.
  We have implemented the JAAS authentication service with weblogic server 10g R3 and user's information stored in embedded LDAP server provided WLS. Given below are the details of implementation for JAAS Authorization:
  Following are the custom classes created:
  1. Custom Principal Class
  public class Principal implements java.security.Principal, java.io.Serializable {
  private String name;
  public Principal() {
  name = "";
  public Principal(String newName) {
  name = newName;
  public boolean equals(Object o) {
  if (o == null)
  return false;
  if (this == o)
  return true;
  if (o instanceof Principal) {
  if (((Principal) o).getName().equals(name))
  return true;
  else
  return false;
  else
  return false;
  public int hashCode() {
  return name.hashCode();
  public String toString() {
  return name;
  public String getName() {
  return name;
  2. Custom Permission Class
  public class ActionPermission extends Permission {
       public ActionPermission(String name) {
            super(name);
       @Override
       public boolean equals(Object obj) {
            if ((obj instanceof ActionPermission)
                      && ((ActionPermission) obj).getName().equals(this.getName())) {
                 return true;
            } else {
                 return false;
       @Override
       public String getActions() {
            return "";
       @Override
       public int hashCode() {
            return this.getName().hashCode();
       @Override
       public boolean implies(Permission permission) {
            if (!(permission instanceof ActionPermission)) {
                 return false;
            String thisName = this.getName();
            String permName = permission.getName();
            if (this.getName().equals("*")) {
                 return true;
            if (thisName.endsWith("*")
                      && permName.startsWith(thisName.substring(0, thisName
                                .lastIndexOf("*")))) {
                 return true;
            if (thisName.equals(permName)) {
                 return true;
            return false;
  Following are the configuration changes:
  1. Added custom policy to weblogic.policy.
  grant Principal com.scotia.security.authorization.Principal "test" <User defined in the embedded LDAP server of WLS>{
  permission com.scotia.security.authorization.permission.ActionPermission "viewScreen";
  2. Set the java security manager in startWeblogic.cmd file.
  %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.manager -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %PROXY_SETTINGS% %SERVER_CLASS%
  3. Set Realm "Security Model" to "Custom Roles and Policies".
  Right now we are facing the given below exception:
  java.lang.ClassCircularityError: com/scotia/security/authorization/THORPrincipal
       at java.lang.Class.forName0(Native Method)
       at java.lang.Class.forName(Class.java:247)
       at sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1381)
       at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1268)
       at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1231)
       at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1167)
       at sun.security.provider.PolicyFile.implies(PolicyFile.java:1122)
       at weblogic.security.service.WLSPolicy.implies(Unknown Source)
       at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
       at java.security.AccessController.checkPermission(AccessController.java:546)
       at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
       at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
       at java.io.File.exists(File.java:731)
       at weblogic.utils.classloaders.DirectoryClassFinder.getSource(DirectoryClassFinder.java:36)
  Please help if anyone has some clue regarding this exception. We tried checking the jdk version used by eclipse and weblogic and found it to be same.

  1. Custom Principal Class
  public class Principal implements java.security.Principal, java.io.Serializable {Rename it. You are asking for trouble naming a class after an interface it implements.
  java.lang.ClassCircularityError: com/scotia/security/authorization/THORPrincipalWhat's that class? You haven't shown us.

• 10.1.3r3 - Enabling JAAS authorization in ADF BC with embedded OC4J

  That's probably the most abstract subject line I've written in this forum yet.
  In JDev 10.1.3r3 I'm attempting to implement JAAS authorization on an entity object in the Entity Object Editor's Authorization page. Via the Tools -> Embedded OC4J Server Preferences -> Global Authentication options I created a new realm "test.com", user "testuser", and role "testrole" allocating "testuser" to this new role. I've not yet defined a Login Config.
  A search of the filesystem shows that these entries have been added to:
  <jdev_home>\jdev\system\oracle.j2ee.10.1.3.34.12\embedded-oc4j\config\jazn-data.xml
  Back in the EO Editor's Authorization page, selecting the New button with the EO name selected in the Define Updateable Permissions list, the Authorizations dialog displays showing the Realm "jazn.com", but not the new "test.com" role.
  A search of the filesystem shows that the jazn.com entries come from:
  <jdev_home>\jdev\system\oracle.j2ee.10.1.3.34.12\embedded-oc4j\config\system-jazn-data.xml
  What am I doing wrong? Why can't I see my new realm in the EO Authorization dialog? Have I got the wrong end of the JDeveloper stick again?
  I've been reading the white paper "J2EE Security in Oracle ADF Web Applications" for help, but as far as I can see it's more concerned with the configuration of security in the ViewController layer than the Model layer.
  JDev team, a couple of things I've noticed:
  1) The help page for the EO Editor's Authorization page has a number of links that aren't working at the bottom of the page and did in 10.1.2. Ditto the "Implementing Authorization in Oracle ADF Business Components" page.
  2) In 10.1.2 under the Tools -> Embedded OC4J Server Preferences -> Global Authentication options, the jazn.com realm is shown as an option, while in 10.1.3r3 it's not.
  Hope somebody can help.
  Cheers,
  CM.

  Chris,
  I filed seeral bugs on this behavior in JDeveloper 9.0.5. The information is needed in the Jdeveloper Home/j2ee/home/config/szstem-jazn-data.xml. I know this doesn't make it intuitive and I filed bugs as mentioned. For production this should be resolved to a more user friendly experience.
  You are correct that the existing security paper deals with view layer seurity and that it needs to be updated for model layer security. In Jdeveloper 10.1.3 we added security on the binding layer as well, which I think is a better place to put it than on individual business services, though there is nothing wrong with this. For production this will be documented in the online help.
  Frank

• JAAS AUthorization in JSF with facelets

  hello hi JSF and JAAS experts,
  I have web application implementing with jsf facelets and tomcat .Now i want to provide security in my application that is some web pages allow for admin and some web pages for user and..... that means based on role of user i want to give the access for web pages. so for that i am using JAAS for authentication and authorization . I am successfully implemented JAAS authentication for who is logged in. And i am getting subject and putting that subject in context session using following snippet.And also i am able to getting subject and its principals in that subject.
        context.getExternalContext().getSessionMap().put("JAASSubject",jaasHelper.getSubject());
         System.out.println("---------------- "+context.getExternalContext().getSessionMap().get("JAASSubject"));finally my doubt is how to navigate the pages(.xhtml) based on this principlas ,, with JAAS authorization. For that what is configuration snippet in web.xml and faces-config.xml.
  for this i gone through documents , but i didt get solution..
  can any body please hint me how to solve my requirement
  thanks in adv ans

  gbabu wrote:
  My doubt is based on that subject , how to write policy file and how to call doAsPrivileged() mehod on that Subject in order to navigate web pages.how to provide web pages permission for particular role in policy file..
  For example i have three pages login.xhtml,user.xhtml,admin.xhtml.
  1> if the logged in person is admin, then we want to display admin.xhtml
  2> if the loggend is person is user , then we want to display user.xhtml
  untill now i did and found who is logged in and what are his type( admin or user) .now i want configure the web.xml and faces-config.xml based on policy fileTo the best of my knowledge, there is nothing in the standard NavigationHandler which accounts for JAAS security. If you wanted, you could create a custom NavigationHandler to do this. If you think the idea is worthy enough, you could issue an enhancement request to the specification ([https://javaserverfaces-spec-public.dev.java.net/]).

• Enabling JAAS Authorization in BC4J ,getUserPrincipalName()

  The Jdeveloper Help states the following:-
  Currently, BC4J does not have an authorization framework. However, if your application uses JAAS for authentication, >>you can implement your own authorization. To pass JAAS user information to your authorization code: Obtain the JAAS->>authenticated username from your application module by calling the method.
  :- ApplicationModule.getUserPrincipalName()I have successfully implemented JAAS and just want to show the username in a JSP page.
  I have imported oracle.jbo in to my JSP and tried to access the method getUserPrincipalName but I get the following error
  Error(12,40): class getUserPrincipalName not found in interface oracle.jbo.ApplicationModule
  I have also checked the oracle,jbo documentation and can not find any reference to this method.
  Where am I going wrong?
  JSP :-
  <%@ page import="oracle.jbo.*" language="java" errorPage="errorpage.jsp" contentType="text/html;charset=windows-1252" %>
  <%@ taglib uri="/webapp/DataTags.tld" prefix="jbo" %>
  <html>
  <head>
  <META NAME="GENERATOR" CONTENT="Oracle JDeveloper">
  <LINK REL=STYLESHEET TYPE="text/css" HREF="bc4j.css">
  <TITLE>User Info</TITLE>
  </head>
  <body>
  <jbo:ApplicationModule id="Mypackage1Module" definition="Project2.Mypackage1Module" releasemode="Stateful" />
  <p>
  <%= new ApplicationModule.getUserPrincipalName() %></p>
  <jbo:ReleasePageResources />
  </body>
  </html>

  Colin,
  You need to create a custom method on your application module that returns the user principal name, then make your custom method remotable. If your application module is called BizModule, and your BC4J package is called biz, this is how you do it.
  1. Create a custom method in BizModuleImpl.java, something like:
      public String returnUserName()
         return getUserPrincipalName();
      2. Edit your application module. In the app module editor, go to the Client Methods tab and move returnUserName into the selected list. This creates an interface, BizModule.java.
  3. Add code to your JSP to call your custom method. First add the correct import statements to the page tag:
      <%@ page contentType="text/html;charset=windows-1252" import="oracle.jbo.*, biz.common.*"%>
      Then add the code to return an application module instance and call your custom method. In this example the id parameter in the ApplicationModule tag is "am" (<jbo:ApplicationModule id="am"...).
      <%
         BizModule bizAm = (BizModule)am.useApplicationModule();
         String userName = bizAm.returnUserName();
      %>
      I hope this helps
  Blaise
  4. Now the Java variable userName contains the user principal name and you can use it in your JSP code.

• Jaas authorization in JBoss 4.2.3

  Hi,
  i need to use JAAS for authentication and authorization in JBoss. I've done the following.
  conf/login-config.xml ==>
  <application-policy name = "jaas3">
  <authentication>
  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
  <module-option name="dsJndiName">java:jdbc/usm</module-option>
  <module-option name="principalsQuery">SELECT password FROM principals WHERE principalid=?</module-option>
  <module-option name="rolesQuery">SELECT principalid, 'Roles' FROM roles WHERE principalid=?</module-option>
  </login-module>
  </authentication>
  </application-policy>
  database tabes ==>
  principals --> principalid, password
  roles --> principalid, role, rolegroup
  realm in server.xml ==>
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="jaas3"
  userClassNames="com.ttt.auth.Jaas3Users" roleClassNames="com.ttt.auth.Jaas3Role" useContextClassLoader="true"/>
  auth.conf ==>
  jaas3{
       com.ttt.auth.Jaas3LoginModule required;
  jboss-web.xml ==>
  <security-domain flushOnSessionInvalidation="true">java:/jaas/jaas3</security-domain>
  web.xml ==>
       <login-config>
            <auth-method>FORM</auth-method>
  <realm>jaas3</realm>
            <form-login-config>
                 <form-login-page>/login.jsp</form-login-page>
                 <form-error-page>/login-failure.jsp</form-error-page>
            </form-login-config>
       <security-role>
            <role-name>admin</role-name>
       </security-role>
       <security-constraint>
            <web-resource-collection>
                 <web-resource-name>Admin page</web-resource-name>
                 <url-pattern>/admin.jsp</url-pattern>
                 <http-method>GET</http-method>
  <http-method>POST</http-method>
  <http-method>HEAD</http-method>
            </web-resource-collection>
            <auth-constraint>
            <role-name>admin</role-name>
            </auth-constraint>
       </security-constraint>     
       </login-config>     
  login.jsp ==>
       <form action="j_security_check" method="post">
            <p>Username:<input type="text" name="j_username"/></p>
  <p>password:<input type="text" name="j_password"/></p>
  <input type="submit" name="btnSubmit" value="LOGIN"/>
       </form>
  I access the admin.jsp which is protected. I'm directed to the login page.
  The use is successfuly authenticated. but authorization fails always. I always get a 'Access denied' pge displayed, even for the admin user, who is grented access to the admin page.
  There are no logs in the server too.
  It's been a week since when i'm breaking my head over this issue. Please help me find what went wrong or what i've missed.
  Thanks,

  Has anyone ever implemented a simple web page authorization with Jaas?
  Please do help me by posting a sample code
  or suggest me a better security tool to use

• Jaas Authorization in jboss without using policy file

  HI,
  i am working on j2ee application in which i am using jaas for authentication and authorization.
  authentication is done but in authorization i dont want to use
  policy file because roles can be added it is not predefined so jaas should refer database for roles names and permissin i.e action class(URL permission) that are accesible to the user.
  how to implement this using jaas?
  pl can u help me to solve this problem.

  Has anyone ever implemented a simple web page authorization with Jaas?
  Please do help me by posting a sample code
  or suggest me a better security tool to use

• Urgent: JAAS authorization policy file

  Hi.
  I just decided to implement JAAS technology in my 3-tiered application. I did authentication, but can not beleive that the only way to specify authorization is to place all grants in one ore more text files and specify this(ose) file(s) in batch file running my application. I do not think that it is secure. The same for authentication. It is possible to redirect my application to pass through some other LoginModule and so on.
  I gues there is some other way to store jaas config and policy files. Please help me to get that way.
  Thanks in advance,
  Kanan

  the default file-based LoginContext configuration and Policy-based permission files are certainly rudimentary.
  it is for this reason that the javax.security.auth.login.Configuration and java.security.Policy implementations are pluggable. instead of defining only one way of storing the data, it is possible to develop custom implementations to store data in any way a developer desires.
  you can directly subclass either of these abstract classes and then programmatically set your subclass in the VM via the respective "setConfiguration" or "setPolicy" methods. or you can statically specify your custom implementation in the login.configuration.provider or policy.provider security property (set inside the java.security file inside the ~jre/lib/security directory of your installation).
  both of these options should be documented in the Configuration and Policy javadocs.
  in the Configuration case, J2SE 5.0 introduced a new constructor on the javax.security.auth.login.LoginContext class that can take a Configuration object as an input parameter. this gives you extra flexibility for managing login configuration entries per LoginContext.
  your custom implementations would then need to manage the configuration and permission data as it so desires (perhaps in memory, perhaps on a server, or perhaps even in custom files).

• JAAS Authorization and Credentials

  Hi,
  I am adapting an access control system to operate as a JAAS authentication and authorization service. There is a lot of doco covering creation of custom authentication but far less on the authorization side. Any pointers welcome.
  My question is: What is the role of a Subject's "credentials" in the authorization scenario?
  From what I can see a Subject's credentials aren't even available to the authorization service under JAAS? When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
  A ProtectionDomain also has an array of Principals rather than credentials.
  I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials. Is there a way? I could just use my credential class as a Principal (with some minor changes) but the information in my class does not represent an idenity, it is a "credential"!
  Any tips gratefully received.

  When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.The Subject's public credentials are available via Subject.getPublicCredentials if the JAAS login module has set them up. But the Policy shouldn't need them at this stage. The Subject has already been authenticated by the JAAS login module. All the Policy should be is interested in is what this Subject can do. The credentials aren't for that, they are for authenticating his identity. See below for further discussion.
  A ProtectionDomain also has an array of Principals rather than credentials.Again it doesn't need them. Only the JAAS login module needs them.
  I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials.You should base it on the Subject itself and its Principals. Specifically the idea is that he has one or more RolePrincipals that name the roles he is allowed to act as in the application.
  So you write a JAAS LoginModule that inspects the credentials, Principal, name etc and adds RolePrincipals to the subject according to what he is now allowed to do. Then your custom Policy just looks for the appopriate Principal in the Subject. If there, OK, if not, bang you're dead.
  From one point of view this is an efficiency measure. From another point of view it is an essential normalization. You could have millions of credential sets that all map to the same role. And you certainly don't want your Policy to be concerned with individual credentials, only with the Roles they map to.

• JAAS Authorization - Application Module

  I created a project based on the BC4J technology. The application module is configured for using the security : jbo.security.enforce=Must. This application module is also configured to deploy the user/password.
  When I used this application through a web application, I don't meet any problem.
  If I create a POJO class in the same project as BC4J in which I instantiate an instance in the application module pool, I receive the following message :
  oracle.jbo.JboException: JBO-29000: Unexpected exception caught: oracle.jbo.JboException, msg=JBO-33021: Failed authenticate user null.
  The java class in charge of instantiating the application module pool and get an instance of it works without any problem as soon as the security is not implemented.
  Hereafter you can find the method used :
  public ApplicationModule getApplicationModule()
  try{
  PoolMgr poolMgr = PoolMgr.getInstance();
  this.lg_ApplPool = poolMgr.findPool( this.lg_configPackage + "." + this.lg_configName, // name of the pool
  this.lg_configPackage, // name of the package
  this.lg_configName, // name of the configuration
  null);
  // SessionCookie Creation
  String timeStamp = (new java.util.Date()).toString();
  // for web application, replace timeStamp by ip address of the client
  this.lg_Cookie = lg_ApplPool.createSessionCookie(this.lg_applicationId,timeStamp,null);
  CordaEnvInfoProvider lEnvInfoProvider = new CordaEnvInfoProvider ("xxx","xxx");
  // this.lg_Cookie = lg_ApplPool.createSessionCookie(this.lg_applicationId,timeStamp,null);
  this.lg_Cookie.setEnvInfoProvider(lEnvInfoProvider);
  ApplicationModule lAM = this.lg_Cookie.useApplicationModule();
  return lAM;
  catch(Exception e)
  System.out.println("_CrdAppModulePoolMgr - exception : " + e.getMessage());
  e.printStackTrace();
  return null;
  After Having search quite a long time to find a solution, I have no more idea. The only thing I see now is to forget about Jaas if the application module has not to be used by a Java client not being a JClient (Swing) or a Web application.
  Could you let me know if
  1. jaas works with java client not being Swing or web application
  2. if so, could you give me more information about how to work with BC4J application module and security enforce to Must ?
  N.B.
  POJO Client :
  public class TestAppModulePoolMgr
  private ApplicationModule lg_Am = null;
  private CrdAppModulePoolMgr  lgCrdAppModulePoolMgr = null;
  private ApplicationPool lg_ApplPool = null;
  private SessionCookie lg_Cookie = null;
  public TestAppModulePoolMgr()
  this.lg_CrdAppModulePoolMgr = _CrdAppModulePoolMgr.getCrdAppModulePoolMgr();
  this.lg_CrdAppModulePoolMgr.setApplicationId("CrdGenerationAppModuleId");
  this.lg_CrdAppModulePoolMgr.setConfigName("_CrdGenerationAppModuleLocal");
  this.lg_CrdAppModulePoolMgr.setConfigPackage("CORDA_BSV");
  this.lg_Am = lg_CrdAppModulePoolMgr.getApplicationModule();
  this.lg_ApplPool = lg_CrdAppModulePoolMgr.getApplicationPool();
  this.lg_Cookie = lg_CrdAppModulePoolMgr.getApplicationSessionCookie();
  * @param args
  public static void main(String[] args)
  TestAppModulePoolMgr testAppModulePoolMgr = new TestAppModulePoolMgr();
  }

  Thank you.
  I use SSO authentication to test my application so have no users defined.
  Can I use the test-all user? If so, what is the password?

• J_security_check, JAAS, password expiration, account locking and portals

  J2EE form-based authentication will redirect an unauthenticated user trying to connect to a secured resource to a login page and will 1) send the user to the originally requested page upon successful authentication OR 2) send the user to the error page in the event of authentication failure. There are a couple of problems that I have with this implementation - not with j_security_check specifically, but with the pattern generally.
  There are several events that a Portal must manage beyond simple authentication validation. Specifically
  - Notify a user after successful authentication that their account has been locked and they must contact someone to get it unlocked.
  - Notify a user after successful authentication that their password is about to expire and offer them a choice between changing their password immediately or proceeding to the requested resource.
  - Notify a user after successful authentication that their password has expired and require that they change it before proceeding to the requested resource.
  - Notify a user after successful authentication that they don't have rights to access to the requested resource even though they've been successfully authenticated and offer to redirect them to a page that they are authorized to access.
  I am currently investigating a scheme to solve these problems by using servlets for the login and error 'pages', having these servlets forward to different .JSP's based on roles, and writing some sort of JAAS module to add an access (authorization) role based on the password and account lock status.
  Has anyone else worked on this kind of problem? Are there any efforts to extend the J2EE specifications to handle these alternate flows in the j_security_check activity.
  I'm frustrated with each of the different container providers handling the JAAS Authorization differently. Further, since the j_security_check doesn't discuss how the server tracks the original request, each container provider has used a custom mechanism for keeping the original URI as j_security_check activity proceeds.
  One final gripe, since the J2EE specification does not specify how to deal with JAAS, and further define a mechanism to getting the Subject associated with the current ServletRequest, all providers have done this differently too. Perhaps this was avoided as a 'non-goal', but wouldn't it have been nice to state that 'should a provider decide to offer JAAS based security, the implementation must...'?

  I understand this problem... I dont know whether I have term this as a "Feature" or a "Drawback".
  I have handled this problem differently in my project.
  Scenario: When user does normal login
  1. User is displayed a home page. During this process, I create a session variable "Initialized".
  2. I check for this session variable in all the pages. If this session variable is missing then I redirect to the home page which in turn creates the "Initialize" variable in the session.
  Scenarion: Session time out happens in Page 3
  1. User will be taken to login page.
  2. Typically scenarion, when user is authenticated successfully, Page 3 is displayed.
  3. I check for the session variable "Initialize" in Page 3. This "Initialize" variable will not be available due to session expiry.
  4. I redirect my page to "Home Page" which inturn creates session variable "Initialize".
  5. This solution solved the problem of showing home page when user does the login

• Jaas + custom policy

  I want to source my JAAS policy files from a database.
  I extended java.security.Policy and I can dynamically assign permissions to a codesource. I also have JAAS authorization running without any problems. What I can't figure out is how I can associate a dynamic principal with a protection domain so that getPermissions(ProtectionDomain) will magically work with Subject.doAs without re-writing half of sun.security. Has anyone accomplished something like this? I'm concentrating on 1.4, altho I'm not above using a 1.3 specific solution.

  I think I've worked it out (I don't think anyone cares anymore though). This post is just up here so people hit it when they search.
  If you subclass Policy and set it (e.g. using Policy.setPolicy or with properties files), then you implment the
  boolean implies(ProtectionDomain dom, Permission perm)Method, then it pretty much works!
  Whenever you do some action with Subject.doAsPrivileged, for example, an array or principals is given you your implies method available in the ProtectionDomain, i.e. with
  boolean implies(ProtectionDomain dom, Permission perm)
    Principal[] prins = dom.getPrincipals();
    for (int i = 0; i < prins.length; i++)
       if (prins[i] instanceof MyPrincipal) {
         MyPrincipal p = (MyPrincipal) prins;
  return UserPermissions.getPermissionSetFor(p).contains(perm); // or something. Havn't worked out exactly what happens here
  return false;
  I think that's how it works.
  Here's some code I wrote to test these ideas out. When you run it, you notice that none of the other Policy methods (getPermissions() in particular) are ever called.
  import javax.security.auth.Subject;
  import java.security.Policy;
  import java.security.PrivilegedAction;
  import java.io.FileInputStream;
  import java.io.File;
  import java.io.IOException;
  import java.util.Set;
  import java.util.HashSet;
  import java.util.logging.Logger;
  public class JaasExperiment {
      public static void main(String args[])
          Policy.setPolicy(new MyPolicy());
          Set pubcred = new HashSet();
          Set privcred = new HashSet();
          Set princips = new HashSet();
          princips.add(new MyPrincipal("keith"));
          Subject keith = new Subject(false, princips, pubcred, privcred);
          Subject.doAsPrivileged(keith, new MyAction(), null);
          Set mprincips = new HashSet();
          mprincips.add(new MyPrincipal("michelle"));
          Subject michelle = new Subject(false, mprincips, pubcred, privcred);
          Subject.doAsPrivileged(michelle, new MyAction(), null);
          Logger.global.info("Finished");
      private static class MyAction implements PrivilegedAction
          public Object run() {
               try {
                  FileInputStream in = new FileInputStream(new File("src/JaasExperiment.java"));
                  int ch;
                  while ((ch = in.read()) != -1)
                      System.out.print((char)ch);
                  in.close();
              } catch (IOException e) {
                  e.printStackTrace();
              return null;
  import java.security.*;
  import java.util.logging.Logger;
  public class MyPolicy extends Policy
      boolean checking = true;
      private static Logger log = Logger.getLogger("MyPolicy");
      static {
          log.info("MyPolicy loaded");
      public PermissionCollection getPermissions(ProtectionDomain domain) {
          log.info("getPermissions domain:"+domain.toString());
          return null;
      public PermissionCollection getPermissions(CodeSource codesource)
          log.info("getPermissions codewsource:"+codesource);
          return null;
      public boolean implies(ProtectionDomain domain, Permission permission) {
          //log.entering("MyPolicy", "implies");
          log.finest("Domain codsource is:"+domain.getCodeSource().toString());
          log.fine("Permission "+ permission.getClass().getName() +":"+permission.getName() + " Requested");
          if (domain instanceof Object) {
              Object o = (Object) domain;
          Principal[] ppls= domain.getPrincipals();
          for (int i=0; i < ppls.length; i++)
              log.info("Principal "+i+" is " + ppls.getName());
  if (checking)
  checking = false;
  //log.info("Domain:"+domain.toString());
  //log.info("permission:"+permission.toString());
  //log.exiting("MyPolicy", "implies");
  return true;
  public void refresh()
  import java.security.Principal;
  public class MyPrincipal implements Principal{
  private final String name;
  public MyPrincipal(String name)
  this.name = name;
  public String getName() {
  return name;

• Bypass JAAS Login Module

  Hello together,
  we need to build a new call from oracle Forms to new JSP PAGE ( made in ADF).
  That means, we create a new HTTP Request from Forms and read the Request Parameters, such username and password in the called JSP Page.
  We are using JAAS Authorization which works fine, but her comes the Problem:
  We would like to use the request parameters to authorize in JAAS automatically without any Login Screen (Login Module)
  Is there any Solution.
  Regards
  Arni

  Hi Frank,
  so there is no Chance to bypass the login Screen ?