JAAS, Subject and credentials

Hi,
I have to write a security framework for my J2EE application and it has to be
portable between appservers. I'm thinking about using JAAS and programmatic security.
I've written a LoginModule that does user authentication and loads all user credentials.
These credentials are app specific classes like WindowPermission.
How can I have access to these credentials from a servlet/EJB? Is there a way
to get the Subject and not just the Principal from a servlet/EJB?
Thanks,
Leonardo

Hi,
That's what I think too. I guess the only way to get the credentials is to
use a WebLogic-specific class that allows you to log in a user from a servlet/JSP.
It does return the Subject instead of a Principal, so you can get the credentials...
Seems like we'd need to change the J2EE API to further integrate JAAS with it.
Well... back to handling security on my own :\
Regards,
Leonardo Bueno
"Utpal" <[email protected]> wrote:
I think EJBContext.getCallerPrincipal() and
HttpServletRequest.getRemoteUser() are the only methods
to get the Principal. I don't think the Subject can be accessed in the
EJB/Servlet using standard APIs.
-utpal
"Leonardo Bueno" <[email protected]> wrote in message
news:3ef74da0$[email protected]..
Hi,
I have to write a security framework for my J2EE application and it has to
be portable between appservers. I'm thinking about using JAAS and programmatic security.
I've written a LoginModule that does user authentication and loads all user
credentials.
These credentials are app specific classes like WindowPermission.
How can I have access to these credentials from a servlet/EJB? Is there a
way to get the Subject and not just the Principal from a servlet/EJB?
Thanks,
Leonardo

Similar Messages

  • JAAS Authorization and Credentials

    Hi,
    I am adapting an access control system to operate as a JAAS authentication and authorization service. There is a lot of doco covering creation of custom authentication but far less on the authorization side. Any pointers welcome.
    My question is: What is the role of a Subject's "credentials" in the authorization scenario?
    From what I can see a Subject's credentials aren't even available to the authorization service under JAAS? When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
    A ProtectionDomain also has an array of Principals rather than credentials.
    I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials. Is there a way? I could just use my credential class as a Principal (with some minor changes) but the information in my class does not represent an identity, it is a "credential"!
    Any tips gratefully received.

    When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
    The Subject's public credentials are available via Subject.getPublicCredentials() if the JAAS login module has set them up. But the Policy shouldn't need them at this stage. The Subject has already been authenticated by the JAAS login module. All the Policy should be interested in is what this Subject can do. The credentials aren't for that, they are for authenticating his identity. See below for further discussion.
    A ProtectionDomain also has an array of Principals rather than credentials.
    Again, it doesn't need them. Only the JAAS login module needs them.
    I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials.
    You should base it on the Subject itself and its Principals. Specifically the idea is that he has one or more RolePrincipals that name the roles he is allowed to act as in the application.
    So you write a JAAS LoginModule that inspects the credentials, Principal, name etc. and adds RolePrincipals to the Subject according to what he is now allowed to do. Then your custom Policy just looks for the appropriate Principal in the Subject. If there, OK; if not, bang, you're dead.
    From one point of view this is an efficiency measure. From another point of view it is an essential normalization. You could have millions of credential sets that all map to the same role. And you certainly don't want your Policy to be concerned with individual credentials, only with the Roles they map to.

  • How to get both JDNI context and JAAS Subject with EJB

    I looked at the JAAS docs and sample, but I'm still confused about
    something. There is a sample of JAAS in a regular, non-EJB scenario. The
    client initializes the LoginContext, calls login(), then retrieves the
    Subject (and possibly later does something with Subject.doAs()). However, in
    the typical EJB scenario, the client initializes the JNDI context, then does
    the lookup on the bean name (which implicitly does the authentication to the
    container). How do they work together, though? I.e., what does the client
    code look like if JAAS authentication is to be used from an EJB client?
    Thank you!

    In your login module you have to authenticate the user to the Weblogic Server as
    well. For simplicity, Weblogic comes with a class weblogic.security.auth.Authenticate
    to log in a subject with Weblogic Server.
    Once logged in, any thread that is invoked within the context of a Subject.doAs
    call gets that subject associated with it.
    Hope that helps
    "Allan" <dfusdfsdfsd> wrote:
    I looked at the JAAS docs and sample, but I'm still confused about
    something. There is a sample of JAAS in a regular, non-EJB scenario. The
    client initializes the LoginContext, calls login(), then retrieves the
    Subject (and possibly later does something with Subject.doAs()). However, in
    the typical EJB scenario, the client initializes the JNDI context, then does
    the lookup on the bean name (which implicitly does the authentication to the
    container). How do they work together, though? I.e., what does the client
    code look like if JAAS authentication is to be used from an EJB client?
    Thank you!

  • Error while creating JAAS subject credentials

    Hello,
    I have a client program that runs in a separate JVM accessing a server (on a different JVM of course). A user name and password are given as inputs to the client program. One of our testers has found out that any user name containing the "@" character seems to mess up the JAAS authentication. For example, as user names,
    sunil.com will work.
    [email protected] will not
    sunil@xyz will not.
    On the client side, I get a
    "nested exception is: org.omg.CORBA.UNKNOWN: vmcid: SUN minor code: 202 completed: Maybe" error and on the server side I see the following
    SEVERE: IOP5035: Error while creating a JAAS subject credential.
    com.sun.enterprise.iiop.security.SecurityMechanismException: Unknown realm
    at com.sun.enterprise.iiop.security.GSSUPToken.<init>(GSSUPToken.java:222)
    at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.createAuthCred(SecServerRequestInterceptor.java:387)
    at com.sun.enterprise.iiop.security.SecServerRequestInterceptor.receive_request(SecServerRequestInterceptor.java:562)
    at com.sun.corba.ee.internal.Interceptors.InterceptorInvoker.invokeServerInterceptorIntermediatePoint(InterceptorInvoker.java:479)
    at com.sun.corba.ee.internal.Interceptors.PIORB.invokeServerPIIntermediatePoint(PIORB.java:810)
    at com.sun.corba.ee.internal.POA.GenericPOAServerSC.internalDispatch(GenericPOAServerSC.java:207)
    at com.sun.corba.ee.internal.POA.GenericPOAServerSC.dispatch(GenericPOAServerSC.java:113)
    at com.sun.corba.ee.internal.iiop.ORB.process(ORB.java:275)
    at com.sun.corba.ee.internal.iiop.RequestProcessor.process(RequestProcessor.java:83)
    at com.iplanet.ias.corba.ee.internal.iiop.ServicableWrapper.service(ServicableWrapper.java:25)
    at com.iplanet.ias.util.threadpool.FastThreadPool$ThreadPoolThread.run(FastThreadPool.java:283)
    at java.lang.Thread.run(Thread.java:536)
    Does anyone know if this is expected?

    I'm not using AS.
    I have full permission on the file.
    It's not a non-English environment.
    So I feel it doesn't resemble.
    My environment is on 11.1.0.6.0 and that note applies to Version: 10.1.3.0.0 to 10.1.3.1.0
    Regards,
    S.K.
    Edited by: Santosh Kumar on Oct 7, 2009 4:25 PM

  • JAAS Principals and subject

    Hi,
    I am not sure what the correct way is to use Subject and Principals for JAAS authentication.
    Assume I have my custom LoginModule.
    This is the simple unit test I have done:
    import javax.security.auth.login.LoginContext;
    // HeaderT, HeaderUtils, HeaderConstants and HeaderCallbackHandler are my own classes.
    // create the header to authenticate.
    HeaderT header = new HeaderT();
    header = HeaderUtils.setNVSInHeader(header, HeaderConstants.USERNAME, "user");
    header = HeaderUtils.setNVSInHeader(header, HeaderConstants.PASSWORD, "password");
    LoginContext ctx = new LoginContext("mtosi", new HeaderCallbackHandler(header));
    // login
    ctx.login();
    // second user, authenticated through a second LoginContext
    header = new HeaderT();
    header = HeaderUtils.setNVSInHeader(header, HeaderConstants.USERNAME, "user2");
    header = HeaderUtils.setNVSInHeader(header, HeaderConstants.PASSWORD, "password2");
    LoginContext ctx2 = new LoginContext("mtosi", new HeaderCallbackHandler(header));
    ctx2.login();
    assertEquals(2, ctx2.getSubject().getPrincipals().size());
    The header contains the username and password info that are authenticated in a custom LoginModule.
    What I expected was that by calling LoginContext.login() the different users would somehow have been stored in the Subject, so that the second time I called login (on a different instance of LoginContext) I would have had the 2 Principals authenticated.
    The first Principal gets lost instead.
    What am I missing?
    Where should the Principals be stored?
    Does the LoginContext maintain a list of the Principals that get authenticated, or are they new each time I call login on a different instance of LoginContext?
    thanks
    Edited by: Davide_Gesino on Feb 7, 2008 7:37 AM

    danielm26,
    You can create a class that implements the Principal interface, adding anything that you want to it. Populate the object in the login method of your LoginModule and add it to the Subject object: subject.getPrincipals().add(yourPrincipal).
    In your JSP page you can retrieve this Subject as follows:
    Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
    Then iterate over subject.getPrincipals(), testing if the Principal object is an instance of your Principal class, cast the found one and be happy.
    Pedro.
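
    The two points made above, that the LoginModule should turn credentials into RolePrincipals once (the "JAAS Authorization and Credentials" answer) and that every LoginContext created without a Subject instantiates a Subject of its own (Davide's question), as an added, runnable example that is not code from any post on this page. It assumes Java 17 or later, constructed users and passwords, a hypothetical WindowPermission credential standing in for the thread's class, and a programmatic Configuration instead of a jaas.conf file; the handler(...) helper stands in for the poster's HeaderCallbackHandler. Run it with: java JaasRolesDemo.java

```java
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasRolesDemo {
    /** Identity principal. */
    public record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    /** Normalized role principal: the only thing the authorization decision looks at. */
    public record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
    /** Hypothetical application credential, standing in for the thread's WindowPermission. */
    public record WindowPermission(String window) {}

    /** Constructed user store: password and the windows each user may open (assumption, not a real backend). */
    public static class DemoLoginModule implements LoginModule {
        private static final Map<String, String> PASSWORDS = Map.of("user", "password", "user2", "password2");
        private static final Map<String, List<String>> WINDOWS =
            Map.of("user", List.of("orders"), "user2", List.of("orders", "admin"));
        private Subject subject; private CallbackHandler handler; private String user;

        public DemoLoginModule() {}
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            String pw = pc.getPassword() == null ? "" : new String(pc.getPassword());
            pc.clearPassword();
            if (!pw.equals(PASSWORDS.get(nc.getName()))) throw new FailedLoginException("bad user or password");
            user = nc.getName();
            return true;
        }
        /** commit(): map the raw credentials to roles here, once, so the Policy never has to see credentials. */
        @Override public boolean commit() {
            if (user == null) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            for (String w : WINDOWS.get(user)) {
                subject.getPublicCredentials().add(new WindowPermission(w)); // kept for the app, not for the Policy
                subject.getPrincipals().add(new RolePrincipal("window:" + w)); // what authorization checks
            }
            return true;
        }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); subject.getPublicCredentials().clear(); return true; }
    }

    /** Programmatic Configuration so that no jaas.conf file is needed; every login entry name maps to the module. */
    static final Configuration CONF = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
        }
    };

    /** Fixed-answer CallbackHandler, standing in for the thread's HeaderCallbackHandler. */
    static CallbackHandler handler(String user, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback nc) nc.setName(user);
                else if (c instanceof PasswordCallback pc) pc.setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
    }

    /** Authorization decision: consult the role principal only, never the WindowPermission credentials. */
    static boolean canOpen(Subject s, String window) {
        return s.getPrincipals(RolePrincipal.class).contains(new RolePrincipal("window:" + window));
    }

    public static void main(String[] args) throws LoginException {
        // Two LoginContexts built without a Subject each create their own; user2's Subject does not carry user.
        LoginContext c1 = new LoginContext("mtosi", null, handler("user", "password"), CONF);
        c1.login();
        LoginContext c2 = new LoginContext("mtosi", null, handler("user2", "password2"), CONF);
        c2.login();
        System.out.println("c1 principals: " + c1.getSubject().getPrincipals());
        System.out.println("c2 principals: " + c2.getSubject().getPrincipals());
        System.out.println("user may open admin?  " + canOpen(c1.getSubject(), "admin"));
        System.out.println("user2 may open admin? " + canOpen(c2.getSubject(), "admin"));

        // To accumulate principals across logins, hand the existing Subject to the next LoginContext.
        Subject shared = c1.getSubject();
        LoginContext c3 = new LoginContext("mtosi", shared, handler("user2", "password2"), CONF);
        c3.login();
        System.out.println("shared principals:  " + shared.getPrincipals());
        System.out.println("shared credentials: " + shared.getPublicCredentials());
    }
}
```

    The first two LoginContexts each end up with a Subject holding one user, because a LoginContext constructed without a Subject instantiates its own and the module adds principals to that instance; there is no list shared across LoginContext instances. To accumulate principals, pass the same Subject to the next LoginContext, as c3 does, and commit() adds user2's principals to it. canOpen() only consults RolePrincipal, so the WindowPermission credentials never take part in the authorization decision.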

  • Obtaining JAAS subject in a servlet.

    G'day,
    There are problems in Java with getting the JAAS subject, as the standard Subject.getSubject() call can return null if called within a privileged action:
    Subject s = Subject.getSubject(AccessController.getContext());
    Subject.doAs(s, new PrivilegedAction() {
      public Object run() {
        Subject s1 = Subject.getSubject(AccessController.getContext());
        AccessController.doPrivileged(new PrivilegedAction() {
          public Object run() {
            Subject s2 = Subject.getSubject(AccessController.getContext());
            return null;
          }
        });
        return null;
      }
    });
    Here, s2 may be null, which is why other app servers have custom approaches (such as JBoss and its SecurityAssociation.getSubject() call).
    Is there a similar API for Netweaver AS Java for obtaining the JAAS subject? Or can the JAAS subject be obtained always using the standard Java API?
    Edit I put the above code into a servlet protected by BasicLoginModule, and all three subject objects (s, s1, and s2) were null. I thought that at least 's' would be non-null, but apparently not.
    --Geoff

    G'day,
    Thanks for the link to the JAAS login module section of the SAP Library documentation.
    I have already written a custom JAAS login module (which populates a subject with principals and their credentials), but I am looking for the Netweaver equivalent of JBoss's SecurityAssociation.getSubject() that can be called from any code. I did not find anything suitable while searching through the SAP Library documentation.
    However, I did stumble upon an API that might be useful:
    Object object = com.sap.security.core.InternalUMFactory.getEngineResourceHelper();
    if (object != null && object instanceof com.sap.security.core.IEngineResourceHelper) {
      com.sap.security.core.IEngineResourceHelper helper =
          (com.sap.security.core.IEngineResourceHelper) object;
      Subject subject = helper.getCurrentSubject();
    }
    The class name InternalUMFactory suggests that this API may be undocumented or unstable.
    If I have a servlet protected by the BasicLoginModule, and I authenticate to the servlet using a username/password, then the subject returned is a principal with the correct username, and with password credentials.
    If the servlet is not protected by a login module, then the subject returned is "Guest".
    If I put the servlet as an iView within a portal, then the subject returned is "Guest", even though the portal is protected by a login module and authentication is required. I thought here that the Subject for the portal would be propagated to the servlets running in that portal, but maybe my understanding is wrong.
    --Geoff

  • Propagating JAAS Subject for startup classes

    Do startup classes have to login before they can access secured
    resources in WLS 6.0? I notice that WLS 6.0 asks for a password before
    starting the server. Is the "subject" created by that login somehow
    propagated to startup class threads (and their thread offspring) or does
    this have to be done manually?
    I want to try to set up startup classes using a security style similar
    to the Unix init process. It starts up as root and then starts its
    services/daemons using something like:
    su - foo-user foo-daemon
    The foo-daemon runs as foo-user and, in Unix, so does every process
    forked by the foo-daemon. I would like to use a parallel approach in
    WLS. Can it be done?
    Thanks,
    Tim Taylor

  • Obtaining the JAAS subject in a portal application?

    G'day,
    Is there a safe method for obtaining the JAAS subject in a portal application?
    There are problems in Java with getting the JAAS subject, as the standard Subject.getSubject() call can return null if called within a privileged action:
    Subject s = Subject.getSubject(AccessController.getContext());
    Subject.doAs(s, new PrivilegedAction() {
      public Object run() {
        Subject s1 = Subject.getSubject(AccessController.getContext());
        AccessController.doPrivileged(new PrivilegedAction() {
          public Object run() {
            Subject s2 = Subject.getSubject(AccessController.getContext());
            return null;
          }
        });
        return null;
      }
    });
    Here, s2 may be null, which is why other app servers have custom approaches (such as JBoss and its SecurityAssociation.getSubject() call).
    In fact, when I try the above code in a portal application (protected by the login module used to access the portal), I get NULL value for each subject s, s1, and s2.
    I have found a Netweaver API that may be useful for obtaining the subject:
    Object object = com.sap.security.core.InternalUMFactory.getEngineResourceHelper();
    if (object != null && object instanceof com.sap.security.core.IEngineResourceHelper) {
      com.sap.security.core.IEngineResourceHelper helper =
          (com.sap.security.core.IEngineResourceHelper) object;
      Subject subject = helper.getCurrentSubject();
    }
    A portal application containing this code will display the following:
    Subject: Principal: tu-1_basic Principal: com.sap.security.api.logon.AuthSchemePrincipal@19b07b7 Private Credential: GSSCredential: name: [email protected] usage: INITIATE_AND_ACCEPT for mechs: 1.2.840.113554.1.2.2 usage:INITIATE_ONLY 1.2.840.113554.1.2.2.3 usage:INITIATE_AND_ACCEPT underlying Kerberos creds: TGT remaining lifetime = 594 Private Credential: com.sap.security.core.server.jaas.SAPLogonTicketCredential@6a527bdd
    However, the class name InternalUMFactory suggests that this API may be undocumented or unstable.
    Is there a documented API in Netweaver AS Java for obtaining the JAAS subject?
    --Geoff
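
    The null-inside-doPrivileged behaviour that both of Geoff's posts describe (the servlet one earlier on this page and this portal one), as an added stand-alone example that is not code from the posts or from SAP. It assumes a JDK between 8 and 17, where AccessController and Subject.getSubject(AccessControlContext) are still available (both are deprecated for removal from JDK 17/18 on, with Subject.current() as the replacement for getSubject), needs no application server, and uses a constructed Name principal. Run it with: java SubjectLookupDemo.java

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectLookupDemo {
    /** Constructed principal for the demo Subject. */
    record Name(String name) implements Principal { public String getName() { return name; } }

    /** Reports what Subject.getSubject(...) sees at the current point of the call stack. */
    static String whoAmI(String where) {
        Subject s = Subject.getSubject(AccessController.getContext());
        String who = (s == null) ? "null" : s.getPrincipals().toString();
        System.out.println(where + ": " + who);
        return who;
    }

    public static void main(String[] args) {
        Subject subject = new Subject(false, Set.of(new Name("geoff")), Set.of(), Set.of());

        whoAmI("outside doAs");                     // no SubjectDomainCombiner on the context: null
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            whoAmI("inside doAs");                  // doAs installed a SubjectDomainCombiner: the Subject
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                whoAmI("inside doPrivileged");      // doPrivileged drops the combiner: null (the s2 case)
                return null;
            });
            AccessController.doPrivilegedWithCombiner((PrivilegedAction<Void>) () -> {
                whoAmI("inside doPrivilegedWithCombiner"); // combiner preserved: the Subject again
                return null;
            });
            return null;
        });
    }
}
```

    Inside Subject.doAs the AccessControlContext carries a SubjectDomainCombiner, so getSubject finds the Subject. AccessController.doPrivileged deliberately ignores any DomainCombiner for the duration of the action, which is why s2 comes back null; doPrivilegedWithCombiner keeps it, and is the standard-API fix for that one case. It does not explain s and s1 being null as well: with the standard mechanism that means no Subject.doAs is on the request thread's stack at all, which is a matter of how the container dispatches the request and not something the standard API can work around.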

    Hi,
    We can use the following API to get the current role:
    IWDNavigationHelperService wdNavHelperService =
        (IWDNavigationHelperService) WDPortalUtils.getService(IWDNavigationHelperService.KEY);
    String navNode = wdNavHelperService.getCurrentNavNode();
    Regards,
    Ganpati

  • JAAS: How can I access the JAAS subject in an EJB?

    Hello,
    I try to understand the JAAS integration in J2EE 1.3.
    I know:
    J2EE defines a role-based container managed authorization for the web and ejb container. Roles, users and their relationship are defined in the realm.
    JAAS has a more sophisticated policy-based authorisation model. Since J2EE 1.3 I can define a realm using JAAS having the role-based authorization of the container managed security.
    My question:
    How can I access the JAAS subject object in an EJB or servlet to use the policy-based authorization?
    Thank you for your answers
    Peter

    May be I should redefine my question:
    If I use JAAS as J2EE-Realm, how can I receive the subject?
    All JAAS tutorials contain code fragments like
    LoginContext lc = new LoginContext("entryFoo");
    try {
        // authenticate the Subject
        lc.login();
        System.out.println("authentication successful");
        // get the authenticated Subject
        Subject subject = lc.getSubject();
    } catch (LoginException e) {
        System.out.println("authentication failed: " + e.getMessage());
    }
    But if I use JAAS as J2EE-Realm the container creates the LoginContext.
    Whom can I ask for the subject now?
    There is no such method implemented in the EJBContext, the HttpServlet or HttpServletRequest!
    Peter
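
    The JACC lookup that Pedro points to in the "JAAS Principals and subject" answer, written out as a servlet, as an added example rather than code from Peter or Pedro. It assumes a container that registers the JACC "javax.security.auth.Subject.container" handler (javax.* packages as in J2EE/Java EE up to 8; on Jakarta EE 9 and later the same classes live under jakarta.security.jacc and jakarta.servlet) and a deployment descriptor that already protects the URL, so the container has authenticated the caller before doGet runs.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Shows the container-authenticated Subject (principals and public credentials) through the JACC PolicyContext. */
public class WhoAmIServlet extends HttpServlet {
    /** Key defined by the JACC specification for the current caller's Subject. */
    static final String SUBJECT_KEY = "javax.security.auth.Subject.container";

    /** The Subject the container authenticated, or null when no JACC provider exposes it. */
    static Subject currentSubject() {
        try {
            return (Subject) PolicyContext.getContext(SUBJECT_KEY);
        } catch (PolicyContextException e) {
            return null;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // What the servlet API alone offers: the identity, nothing else.
        Principal caller = req.getUserPrincipal();
        out.println("remote user: " + (caller == null ? "(anonymous)" : caller.getName()));

        Subject subject = currentSubject();
        if (subject == null) {
            out.println("no Subject via JACC (no provider installed, or the container does not expose it)");
            return;
        }
        for (Principal p : subject.getPrincipals()) {
            out.println("principal: " + p.getClass().getSimpleName() + " " + p.getName());
        }
        // Application credential objects added by the LoginModule (e.g. a WindowPermission) appear here.
        for (Object credential : subject.getPublicCredentials()) {
            out.println("public credential: " + credential);
        }
    }
}
```

    HttpServletRequest.getUserPrincipal() still yields the identity alone, which is exactly the gap the question is about; the PolicyContext call is what reaches the whole Subject. Where no JACC provider is installed, getContext may throw PolicyContextException or hand back null, and the servlet reports that instead of failing.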

  • JAAS Subject with stale principals

    I'm trying to figure out how to use JAAS and so far I have a more or less clear understanding of the authentication part. But I have some difficulty with the authorization part. Here is what I don't understand. Upon successful user authentication, a Subject is created and populated with principals that represent different aspects of the user. Those principals can be the user's roles (admin, document editor, document viewer, etc.) or they can be groups that the user is a member of (admins, backup operators, etc.) This information is somehow obtained by the login module right after authentication and used for determining the user's permissions from then on. But what happens if the user's group membership or the set of his or her roles changes after authentication? If the principal information comes from, say, an LDAP directory, then such changes will only be seen after the user logs out and logs back in, which is when the LDAP login module can do all the necessary searches to populate the Subject with principals.
    What concerns me is that, if the Subject's principals aren't always up to date, there is risk that the user may have more privileges than what the system administrator thinks they do. Or is this how other security mechanisms work and therefore there is nothing to worry about?
    Thanks.

  • Is it possible to bypass JAAS authentication and use Authorisation alone?

    I have to implement JSP level security (by checking roles) for my JSF application.
    Authentication in my appln is done by different servers. I don't want to disturb that.
    I have to implement authorisation alone using JAAS.
    Is it possible to bypass JAAS authentication and use authorisation alone?
    I am using a custom login module (implements DatabaseLoginModule) for authorisation.
    Moreover, after logging in, when a user tries to access a secured JSP page, he should NOT be redirected to the login page again. Rather the role checks should be done using existing user credentials stored somewhere. How to invoke the custom DatabaseLoginModule without taking the user to the login screen?
    Any help would be great.
    Thanks,
    Adhil.J

  • Loading LDAP groups into WLS JAAS Subject

    Hi,
    I have a 10.1.4.3 OAM webgate+OHS setup to protect weblogic 10.3.2 as described ('1st best option') in this blog below.
    http://fusionsecurity.blogspot.com/2010/01/integrating-oracle-access-manager-oam.html
    In the weblogic security realm, I have the OAM Identity Asserter (REQUIRED), OID Authentication Provider (SUFFICIENT), Default Authenticator (SUFFICIENT), Default Identity Asserter configured in that order.
    A simple JSP app with CLIENT-CERT is deployed to the WLS. After the user is authenticated at OHS Webgate, the OAM Identity Asserter is correctly asserting the user (and the obSSOCookie) as can be seen from the logs. The JSP app is getting a valid (non-anonymous) JAAS Subject with a single JAAS principal (of the user).
    But I'm not sure it is loading the LDAP groups correctly using the OID provider. Are the LDAP groups supposed to be loaded as principals into the JAAS Subject? The user is part of many LDAP groups but only one principal (the user itself) is in the JAAS Subject. Are there any additional steps to 'pair' the OAM Identity Asserter with the OID authentication provider as described in the above blog?
    I'm using weblogic.security.Security.getCurrentSubject() to get the Subject and subject.getPrincipals() to get the principals in the JSP app.
    Thanks.

    Like I said in my post, subject.getPrincipals() has only one entry, the user id. The LDAP groups aren't in the Set returned. I'm wondering how to debug this or fix it. I'm wondering if I need to re-associate the domain policy store with LDAP as described here before the LDAP groups will be loaded into the subject.
    http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/cfgauthr.htm#CHDIIJDB
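
    A diagnostic for the question whether the groups should be in the Subject, as an added example, not code from the post or from Oracle. In WebLogic the authentication providers add the user to the Subject as a principal implementing weblogic.security.spi.WLSUser and each group as a principal implementing weblogic.security.spi.WLSGroup; the helper below separates the two on the Subject returned by weblogic.security.Security.getCurrentSubject(), which the post already uses. It has to run inside the server, where the weblogic.* classes are on the classpath, and can be called from a JSP scriptlet or a servlet.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import weblogic.security.Security;
import weblogic.security.spi.WLSGroup;
import weblogic.security.spi.WLSUser;

/** Classifies each principal of a WebLogic Subject by the SPI interface it implements. */
public final class SubjectGroupsCheck {
    private SubjectGroupsCheck() {}

    /** Group names carried by the Subject; empty means the provider chain added no WLSGroup principals. */
    public static Set<String> groupNames(Subject subject) {
        Set<String> groups = new TreeSet<>();
        for (Principal p : subject.getPrincipals()) {
            if (p instanceof WLSGroup) {
                groups.add(p.getName());
            }
        }
        return groups;
    }

    /** principal name -> "user", "group" or the implementing class, so unexpected principal types show up too. */
    public static Map<String, String> classify(Subject subject) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Principal p : subject.getPrincipals()) {
            String kind = (p instanceof WLSUser) ? "user"
                        : (p instanceof WLSGroup) ? "group"
                        : p.getClass().getName();
            out.put(p.getName(), kind);
        }
        return out;
    }

    /** For the JSP: one line per principal of the caller's current Subject, then the group list. */
    public static String report() {
        Subject current = Security.getCurrentSubject();
        StringBuilder sb = new StringBuilder();
        classify(current).forEach((name, kind) -> sb.append(kind).append(": ").append(name).append('\n'));
        sb.append("groups: ").append(groupNames(current)).append('\n');
        return sb.toString();
    }
}
```

    If groupNames() is empty while classify() lists only the user, the providers configured in the realm contributed no group principals for that login; whether the remedy is the policy-store re-association the poster mentions or the pairing of the identity asserter with the OID authenticator is outside what this snippet can tell.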

  • Hi guys, I added a new mail account and now if I click new mail I can see 4 accounts: the first is right below the subject, and it's the old one and the new one; the other one is on its right and it's the old one and the new one. Is it normal? Thanks.

    Hi guys, I added a new mail account and now if I click new mail I can see 4 accounts: the first is right below the subject, and it's the old one and the new one; the other one is on its right and it's the old one and the new one. Is it normal? Thanks.

    sorry, correction,
    Hi guys, I added a new mail account and now if I click new message in the mail field I can see 4 accounts: the first is right below the subject, and it's the old one and the new one; the other one is on its right and it's the old one and the new one. Is it normal? Thanks.

  • Setting windows mail as default "Mail To" doesn't work as usual. Opens entire windows mail vs. email new email message with subject and URL inserted

    I have a problem I never had before. Have installed new Win7 OS many times and imported Windows Mail. Always when choosing Windows Mail in FF it worked. Now when doing so I get the Windows Mail program opening or, if open, coming to the forefront of the screen. Supposed to get a new email message with subject and URL inserted. I have searched many answers from FF & MS. I have set WinMail as default, added same in reg, etc. etc. Still NADA. Any ideas? thanks

    You should post here:
    Microsoft Office forums >
    Word IT Pro Discussions
    S.Sengupta, Windows Entertainment and Connected Home MVP

  • Why are emails downloaded with the subject and from address different from what is actually in the email?

    The subject and from address listed in the message pane are totally different from what is in the actual email, viewed either in the preview pane or when the email is opened. The emails are correct when viewed online. For example:
    Email subject A from Sender A - email A
    Email subject B from Sender B - email B
    Email subject C from Sender C - email C
    After downloading to Thunderbird:
    Email subject A from Sender A - email A
    Email subject B from Sender B - email B
    Email subject C from Sender C - email A *** Subject and Sender for C but is actually email A
    This started happening within the past month and appears to be random. Sometimes everything is correct. But more often there are a few that exhibit the above behavior. I have multiple email addresses downloading from the same domain but this problem seems to occur mostly with my main email account.

    Try to rebuild the index file of the troubled folder.
    Right-click the folder - Properties - Repair Folder
