JAAS Authorization and Credentials

Similar Messages

• JAAS, Subject and credentials

  Hi,
  I have to write a security framework for my J2EE application and it has to be
  portable between appservers. I`m thinking about using JAAS and programmatic security.
  I`ve written a LoginModule that does user authetication and loads all user credentials.
  These credentials are app specific classes like WindowPermission.
  How can I have access to these credentials from a servlet/EJB? Is there a way
  to get the Subject and not just the Principal from a servlet/EJB?
  Thanks,
  Leonardo

  Hi,
  That's what I think too. I guess the only way to get the credentials is to
  use a weblogic specific class that allows you to login an user from a servlet/jsp.
  It does returns the Subject instead of a principal, so you can get the credentials...
  seems like we'd need to change the J2EE api to further integrate JAAS with it.
  Welll... back to handling security on my own :\
  Regards,
  Leonardo Bueno
  "Utpal" <[email protected]> wrote:
  I think EJBContext.getCallerPrincipal() and
  HttpServletRequest.getRemoteUser() are the only method
  to get the principal. I don't think subject can be accessed in the
  EJB/Servlet using standard APIs.
  -utpal
  "Leonardo Bueno" <[email protected]> wrote in message
  news:3ef74da0$[email protected]..
  Hi,
  I have to write a security framework for my J2EE application and ithas to
  be
  portable between appservers. I`m thinking about using JAAS andprogrammatic security.
  I`ve written a LoginModule that does user authetication and loads alluser
  credentials.
  These credentials are app specific classes like WindowPermission.
  How can I have access to these credentials from a servlet/EJB? Is therea
  way
  to get the Subject and not just the Principal from a servlet/EJB?
  Thanks,
  Leonardo

• Jaas authorization

  Hello, friends.
  Help please.
  Is it possible to base jaas authorization and authentication on the database role.
  I use Frank Nimphius DBLoginModule for users authorization and authentication.
  This works fine.
  But all users names must be defined in the application web.xml file.
  But the number of my application users will be increased in the future and i don't know
  their logins. I know that all application users will have database role "app_users only.
  (And all suiccessful authenticated with DBLoginModule users must
  be authorized with my application).
  What can I do in this situation.
  Can I permit access to the application for all users authenticated with LoginModule or
  for all users have been granted with database role "app_users".
  Thank you.

  Thak you for reply, Peter.
  Sorry for my English.I'll try to explain better what i need.
  I use Frank Nimphius DBSystemLoginModule and
  I do not undarstand how to map one jaas role to all database users which have database role app_users for example.
  This works fine if i define individual jaas sequrity role in web.xml for each database user . But it is not the decision because i don't know all application users now.
  But i know that all application users will have database role app_users.
  Another way is to permit access to the application for all successful authenticated with Login Module users.
  Help please.

• How to implement JAAS authorization with the weblogic 8.1 server

  i wrote a code for both the authentication as well as authorization using jaas using the config file and the policy file.
  This code works fine stand alone for the authentication as well as authorization.
  But when i runs this code inside the server (Weblogic 8.1), authorization deos not works according to my policy file. i have given the policy file path in the startWeblogicServer.cmd script. even i have tried to work with my policies in the java.policy file by giving its path in the java.security file. but this is also useless.
  Now, i have doubt that either <b>jaas authorization doesn't work with the weblogic</b>(i am using 8.1) or there is some configuration setting is missing from my side.
  Is there anybody who can help me to come out of this problem. Or tell me authorization alternative in the weblogic. I will really appreciate if anyone can help with the some example code.

  read this
  http://www.onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index.html
  http://www.onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index1.html

• Is it possible to bypass JAAS authentication and use Authorisation alone?

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

  I have to implement jsp level security (by checking roles) for my JSF application.
  Authentications in my appln are done by a different servers. I don't want to disturb that.
  I have to implement authorisation alone using JAAS.
  Is it possible to bypass JAAS authentication and use Authorisation alone?
  I am using custom login module( implements DatabaseLoginModule) for authorisation.
  Moreover, after logging in, when a user tries to access a secured jsp page, he should NOT be redirected to login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DataBaseLoginModule without taking user to login screen?
  Any help would be great.
  Thanks,
  Adhil.J

• ClassCircularityError in JAAS Authorization with Weblogic Server 10.3

  We are implementing JAAS authorization in which roles and policies are stored in a custom JAAS policy file and users are stored in the embedded LDAP server provided by Weblogic. We are facing problem is authorizing users using the custom policy created.
  We have implemented the JAAS authentication service with weblogic server 10g R3 and user's information stored in embedded LDAP server provided WLS. Given below are the details of implementation for JAAS Authorization:
  Following are the custom classes created:
  1. Custom Principal Class
  public class Principal implements java.security.Principal, java.io.Serializable {
  private String name;
  public Principal() {
  name = "";
  public Principal(String newName) {
  name = newName;
  public boolean equals(Object o) {
  if (o == null)
  return false;
  if (this == o)
  return true;
  if (o instanceof Principal) {
  if (((Principal) o).getName().equals(name))
  return true;
  else
  return false;
  else
  return false;
  public int hashCode() {
  return name.hashCode();
  public String toString() {
  return name;
  public String getName() {
  return name;
  2. Custom Permission Class
  public class ActionPermission extends Permission {
       public ActionPermission(String name) {
            super(name);
       @Override
       public boolean equals(Object obj) {
            if ((obj instanceof ActionPermission)
                      && ((ActionPermission) obj).getName().equals(this.getName())) {
                 return true;
            } else {
                 return false;
       @Override
       public String getActions() {
            return "";
       @Override
       public int hashCode() {
            return this.getName().hashCode();
       @Override
       public boolean implies(Permission permission) {
            if (!(permission instanceof ActionPermission)) {
                 return false;
            String thisName = this.getName();
            String permName = permission.getName();
            if (this.getName().equals("*")) {
                 return true;
            if (thisName.endsWith("*")
                      && permName.startsWith(thisName.substring(0, thisName
                                .lastIndexOf("*")))) {
                 return true;
            if (thisName.equals(permName)) {
                 return true;
            return false;
  Following are the configuration changes:
  1. Added custom policy to weblogic.policy.
  grant Principal com.scotia.security.authorization.Principal "test" <User defined in the embedded LDAP server of WLS>{
  permission com.scotia.security.authorization.permission.ActionPermission "viewScreen";
  2. Set the java security manager in startWeblogic.cmd file.
  %JAVA_HOME%\bin\java %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Djava.security.manager -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy %PROXY_SETTINGS% %SERVER_CLASS%
  3. Set Realm "Security Model" to "Custom Roles and Policies".
  Right now we are facing the given below exception:
  java.lang.ClassCircularityError: com/scotia/security/authorization/THORPrincipal
       at java.lang.Class.forName0(Native Method)
       at java.lang.Class.forName(Class.java:247)
       at sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1381)
       at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1268)
       at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1231)
       at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1167)
       at sun.security.provider.PolicyFile.implies(PolicyFile.java:1122)
       at weblogic.security.service.WLSPolicy.implies(Unknown Source)
       at java.security.ProtectionDomain.implies(ProtectionDomain.java:213)
       at java.security.AccessControlContext.checkPermission(AccessControlContext.java:301)
       at java.security.AccessController.checkPermission(AccessController.java:546)
       at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
       at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
       at java.io.File.exists(File.java:731)
       at weblogic.utils.classloaders.DirectoryClassFinder.getSource(DirectoryClassFinder.java:36)
  Please help if anyone has some clue regarding this exception. We tried checking the jdk version used by eclipse and weblogic and found it to be same.

  1. Custom Principal Class
  public class Principal implements java.security.Principal, java.io.Serializable {Rename it. You are asking for trouble naming a class after an interface it implements.
  java.lang.ClassCircularityError: com/scotia/security/authorization/THORPrincipalWhat's that class? You haven't shown us.

• Urgent: JAAS authorization policy file

  Hi.
  I just decided to implement JAAS technology in my 3-tiered application. I did authentication, but can not beleive that the only way to specify authorization is to place all grants in one ore more text files and specify this(ose) file(s) in batch file running my application. I do not think that it is secure. The same for authentication. It is possible to redirect my application to pass through some other LoginModule and so on.
  I gues there is some other way to store jaas config and policy files. Please help me to get that way.
  Thanks in advance,
  Kanan

  the default file-based LoginContext configuration and Policy-based permission files are certainly rudimentary.
  it is for this reason that the javax.security.auth.login.Configuration and java.security.Policy implementations are pluggable. instead of defining only one way of storing the data, it is possible to develop custom implementations to store data in any way a developer desires.
  you can directly subclass either of these abstract classes and then programmatically set your subclass in the VM via the respective "setConfiguration" or "setPolicy" methods. or you can statically specify your custom implementation in the login.configuration.provider or policy.provider security property (set inside the java.security file inside the ~jre/lib/security directory of your installation).
  both of these options should be documented in the Configuration and Policy javadocs.
  in the Configuration case, J2SE 5.0 introduced a new constructor on the javax.security.auth.login.LoginContext class that can take a Configuration object as an input parameter. this gives you extra flexibility for managing login configuration entries per LoginContext.
  your custom implementations would then need to manage the configuration and permission data as it so desires (perhaps in memory, perhaps on a server, or perhaps even in custom files).

• 10.1.3r3 - Enabling JAAS authorization in ADF BC with embedded OC4J

  That's probably the most abstract subject line I've written in this forum yet.
  In JDev 10.1.3r3 I'm attempting to implement JAAS authorization on an entity object in the Entity Object Editor's Authorization page. Via the Tools -> Embedded OC4J Server Preferences -> Global Authentication options I created a new realm "test.com", user "testuser", and role "testrole" allocating "testuser" to this new role. I've not yet defined a Login Config.
  A search of the filesystem shows that these entries have been added to:
  <jdev_home>\jdev\system\oracle.j2ee.10.1.3.34.12\embedded-oc4j\config\jazn-data.xml
  Back in the EO Editor's Authorization page, selecting the New button with the EO name selected in the Define Updateable Permissions list, the Authorizations dialog displays showing the Realm "jazn.com", but not the new "test.com" role.
  A search of the filesystem shows that the jazn.com entries come from:
  <jdev_home>\jdev\system\oracle.j2ee.10.1.3.34.12\embedded-oc4j\config\system-jazn-data.xml
  What am I doing wrong? Why can't I see my new realm in the EO Authorization dialog? Have I got the wrong end of the JDeveloper stick again?
  I've been reading the white paper "J2EE Security in Oracle ADF Web Applications" for help, but as far as I can see it's more concerned with the configuration of security in the ViewController layer than the Model layer.
  JDev team, a couple of things I've noticed:
  1) The help page for the EO Editor's Authorization page has a number of links that aren't working at the bottom of the page and did in 10.1.2. Ditto the "Implementing Authorization in Oracle ADF Business Components" page.
  2) In 10.1.2 under the Tools -> Embedded OC4J Server Preferences -> Global Authentication options, the jazn.com realm is shown as an option, while in 10.1.3r3 it's not.
  Hope somebody can help.
  Cheers,
  CM.

  Chris,
  I filed seeral bugs on this behavior in JDeveloper 9.0.5. The information is needed in the Jdeveloper Home/j2ee/home/config/szstem-jazn-data.xml. I know this doesn't make it intuitive and I filed bugs as mentioned. For production this should be resolved to a more user friendly experience.
  You are correct that the existing security paper deals with view layer seurity and that it needs to be updated for model layer security. In Jdeveloper 10.1.3 we added security on the binding layer as well, which I think is a better place to put it than on individual business services, though there is nothing wrong with this. For production this will be documented in the online help.
  Frank

• JAAS AUthorization in JSF with facelets

  hello hi JSF and JAAS experts,
  I have web application implementing with jsf facelets and tomcat .Now i want to provide security in my application that is some web pages allow for admin and some web pages for user and..... that means based on role of user i want to give the access for web pages. so for that i am using JAAS for authentication and authorization . I am successfully implemented JAAS authentication for who is logged in. And i am getting subject and putting that subject in context session using following snippet.And also i am able to getting subject and its principals in that subject.
        context.getExternalContext().getSessionMap().put("JAASSubject",jaasHelper.getSubject());
         System.out.println("---------------- "+context.getExternalContext().getSessionMap().get("JAASSubject"));finally my doubt is how to navigate the pages(.xhtml) based on this principlas ,, with JAAS authorization. For that what is configuration snippet in web.xml and faces-config.xml.
  for this i gone through documents , but i didt get solution..
  can any body please hint me how to solve my requirement
  thanks in adv ans

  gbabu wrote:
  My doubt is based on that subject , how to write policy file and how to call doAsPrivileged() mehod on that Subject in order to navigate web pages.how to provide web pages permission for particular role in policy file..
  For example i have three pages login.xhtml,user.xhtml,admin.xhtml.
  1> if the logged in person is admin, then we want to display admin.xhtml
  2> if the loggend is person is user , then we want to display user.xhtml
  untill now i did and found who is logged in and what are his type( admin or user) .now i want configure the web.xml and faces-config.xml based on policy fileTo the best of my knowledge, there is nothing in the standard NavigationHandler which accounts for JAAS security. If you wanted, you could create a custom NavigationHandler to do this. If you think the idea is worthy enough, you could issue an enhancement request to the specification ([https://javaserverfaces-spec-public.dev.java.net/]).

• JAAS Authorization - aaaggh

  Hi
  I am struggling with authorization in WLS 8.1. My WL server is backed by an RDBMS
  Realm which is used for username/password authentication. I also have a remote
  JVM which uses JAAS to authenticate a user as required. This works fine. For
  the remote JVM I have created a custom permission and associated that with a principal
  via a policy file, shown below:-
  grant principal weblogic.security.principal.RealmAdapterUser "MyUser"
  permission com.package.security.jaas.MyPermission "logon", "true";
  grant
  permission java.io.FilePermission "<<ALL FILES>>", "read,write";
  permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
  permission java.util.PropertyPermission "*", "read,write";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.io.SerializablePermission "enableSubstitution";
  permission javax.security.auth.AuthPermission "*";
  I have a few questions:
  1) How do I associate the subject from the returned login context with my permission?
  2) I call Security.runAs(subject, myaction) to perform the authorized (or not)
  action. However, regardless of what user I use (authorized and unauthorized that
  belong to different groups) it always passes.
  I don't find the WL 81 docs on authorization particularly useful so does anyone
  know what am I doing wrong.
  TIA
  Matt

  "Matt" <[email protected]> wrote in message
  news:3f379042$[email protected]..
  >
  Hi
  I am struggling with authorization in WLS 8.1. My WL server is backed byan RDBMS
  Realm which is used for username/password authentication. I also have aremote
  JVM which uses JAAS to authenticate a user as required. This works fine.For
  the remote JVM I have created a custom permission and associated that witha principal
  via a policy file, shown below:-
  grant principal weblogic.security.principal.RealmAdapterUser "MyUser"
  permission com.package.security.jaas.MyPermission "logon", "true";
  grant
  permission java.io.FilePermission "<<ALL FILES>>", "read,write";
  permission java.net.SocketPermission "*","accept,connect,listen,resolve";
  permission java.util.PropertyPermission "*", "read,write";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.io.SerializablePermission "enableSubstitution";
  permission javax.security.auth.AuthPermission "*";
  I have a few questions:
  1) How do I associate the subject from the returned login context with mypermission?
  2) I call Security.runAs(subject, myaction) to perform the authorized (ornot)
  action. However, regardless of what user I use (authorized andunauthorized that
  belong to different groups) it always passes.
  I don't find the WL 81 docs on authorization particularly useful so doesanyone
  know what am I doing wrong.
  WLS allows you to use JAAS authorization, but does not provide any support
  other
  than what is in the SDK. Therefore, the steps should be the same whether you
  are in
  a java program or whether running in WLS.
  http://java.sun.com/j2se/1.4.1/docs/guide/security/jaas/tutorials/GeneralAcn
  AndAzn.html
  I think you need to use a doAs instead of a WLS runAs

• I am so angry - there has to be a misundering.  my Itunes was disabled as there was a charge that I did not authorize and I cannot find the phone

  I am so angry - there has to be a misunderstanding.  my Itunes was disabled as there was a charge that I did not authorize and I cannot find the phone number for security and the dingbat girl who I'm emailing send me a link that does not work.  And I am extremely frustrated.   Please help.  I need a phone # to contact security.

  Contact Apple Support here:
  ACCOUNT SECURITY CONTACT NUMBERS
  Cheers,
  GB

• How can I authorize and access my itunes account on a new computer if I cant access my old computer to enable home sharing

  How can I authorize and access my itunes account on a new computer if I cant access my old computer to enable home sharing

  Authorization
  Macs:  iTunes Store- About authorization and deauthorization.
  Windows: How to Authorize or Deauthorize iTunes | PCWorld.
  In iTunes you use the Authorize This Computer or De-authorize This Computer option under the Store menu in iTunes' menubar. For Windows use the ALT-S keys to access it. Or turn on Windows 7 and 8 iTunes menus: iTunes- Turning on iTunes menus in Windows 8 and 7.
  To deauthorize a computer you don't have:
  De-authorizing Computers (contributed by user John Galt)
  You can de-authorize individual computers, but only by using those computers. The only other option is to "de-authorize all" from your iTunes account.
    1. Open iTunes on a computer
    2. From the Store menu, select "View my Account..."
    3. Sign in with your Apple ID and password.
    4. Under "Computer Authorizations" select "De-authorize All".
    5. Authorize each computer you still have, as you may require.
  You may only do this once per year.
  After you "de-authorize all" your authorized computers, re-authorize each one as required.
  If you have de-authorized all computers and need to do it again, but your year has not elapsed, then contact: Apple - Support - iTunes - Contact Us.
  For more information on authorization and de-authorization: iTunes Store- About authorization and deauthorization.

• I have purchased a song and my computer says it is unauthorized to play it.  I give authorization and it says its already authorized.  Then I try to play the song and it wont allow authorization.

  I have purchased a song and my computer says it is unauthorized to play it.  I give authorization and it says its already authorized.  Then I try to play the song and it wont allow authorization.

  Delete and redownload it if doing so is free in your country.
  (71678)

• Vendor, trading parner, authorization and corporate group

  Hi experts!
  Thank you for pay attention to my message! I have a question about the fields in customer master date.
  What does it mean or what will happen to the customer master if I entry a vendor no. or a company ID for trading partner in the field vendor, trading parner, authorization and corporate group in the customer master general data?
  In other words, in which business scenario or situation should I entry data in these fields:
  vendor, trading parner, authorization and corporate group in the customer master general data?
  Thank you for your help!
  TangDark.

  Hi,
  Vendor- when the customer is also a vendor( i.e. supplying any form of product- raw material) you need to enter vendor no.
  Trading partner- If this customer is trading with other company code of the same client.
  Authorization- To protect access of the data maintained
  Corporate group- If customer belongs  to a group ,maintain group key here.
  Thanks,
  Vrajesh

• I purchased a book and downloaded the book on my pc, but I am unable to authorize and transfer this to my other devices

  As mentioned above, I purchased a book and downloaded it on my pc, but I am unable to authorize and transfer this purchase to my other devices.  I downloaded bluefire reader per online instructions and added the pdf book file to this app on itunes.  When I attempt to authorize the purchase by entering my adobe id, it doesn't work, the authorization window clears the fields I just entered, I enter the information again and the same result.

  I tried reviewing my account information but it just came out on itunes home page without showing any thing....