6 Replies Latest reply: Jul 19, 2011 12:42 AM by EJP

    JAAS Authorization and Credentials

    876328
      Hi,

      I am adapting an access control system to operate as a JAAS authentication and authorization service. There is a lot of doco covering creation of custom authentication but far less on the authorization side. Any pointers welcome.

      My question is: What is the role of a Subject's "credentials" in the authorization scenario?

      From what I can see a Subject's credentials aren't even available to the authorization service under JAAS? When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
      A ProtectionDomain also has an array of Principals rather than credentials.

      I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials. Is there a way? I could just use my credential class as a Principal (with some minor changes) but the information in my class does not represent an identity, it is a "credential"!

      Any tips gratefully received.
        • 1. Re: JAAS Authorization and Credentials
          EJP
          When application code calls methods such as SecurityManager.checkPermission() it seems that a Subject's Principals are passed down to the authorization engine (the Policy) but not the Subject's credentials.
          The Subject's public credentials are available via Subject.getPublicCredentials if the JAAS login module has set them up. But the Policy shouldn't need them at this stage. The Subject has already been authenticated by the JAAS login module. All the Policy should be interested in is what this Subject can do. The credentials aren't for that, they are for authenticating his identity. See below for further discussion.
          A ProtectionDomain also has an array of Principals rather than credentials.
          Again it doesn't need them. Only the JAAS login module needs them.
          I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials.
          You should base it on the Subject itself and its Principals. Specifically the idea is that he has one or more RolePrincipals that name the roles he is allowed to act as in the application.

          So you write a JAAS LoginModule that inspects the credentials, Principal, name etc and adds RolePrincipals to the subject according to what he is now allowed to do. Then your custom Policy just looks for the appropriate Principal in the Subject. If there, OK, if not, bang you're dead.

          From one point of view this is an efficiency measure. From another point of view it is an essential normalization. You could have millions of credential sets that all map to the same role. And you certainly don't want your Policy to be concerned with individual credentials, only with the Roles they map to.
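
The split described in the reply above, as an added example that is not code from either poster: a login-time step turns an authenticated account into role principals, and the Policy decides from those principals alone. `RolePrincipal`, the account table and the permission names are hypothetical, `implies` is called directly rather than through a SecurityManager, and the syntax needs Java 16 or later.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
@SuppressWarnings("removal") // java.security.Policy is deprecated for removal since Java 17
public class RolePolicyDemo {
    // Hypothetical role principal; JAAS itself ships no RolePrincipal class.
    record RolePrincipal(String role) implements Principal {
        public String getName() { return role; }
    }

    // Constructed table standing in for the credential-to-role mapping that a
    // LoginModule's commit() applies once login() has verified the credentials.
    static final Map<String, Set<String>> ROLES_BY_ACCOUNT =
        Map.of("alice", Set.of("auditor"), "bob", Set.of("guest"));

    static Subject commitRoles(String authenticatedAccount) {
        Subject subject = new Subject();
        for (String role : ROLES_BY_ACCOUNT.getOrDefault(authenticatedAccount, Set.of()))
            subject.getPrincipals().add(new RolePrincipal(role));
        return subject;
    }

    // The Policy maps roles to permissions and never sees a credential.
    static class RolePolicy extends Policy {
        private final Map<String, Permission> grants;
        RolePolicy(Map<String, Permission> grants) { this.grants = grants; }
        @Override public boolean implies(ProtectionDomain domain, Permission wanted) {
            for (Principal p : domain.getPrincipals()) {
                if (!(p instanceof RolePrincipal rp)) continue;
                Permission granted = grants.get(rp.role());
                if (granted != null && granted.implies(wanted)) return true;
            }
            return false; // no matching role principal: deny
        }
    }

    // Builds the kind of principal-carrying domain the Policy is handed at check time.
    static boolean allowed(Policy policy, Subject subject, Permission wanted) {
        Principal[] principals = subject.getPrincipals().toArray(new Principal[0]);
        return policy.implies(new ProtectionDomain(null, null, null, principals), wanted);
    }

    public static void main(String[] args) {
        Policy policy = new RolePolicy(Map.of("auditor", new RuntimePermission("app.audit.*")));
        Permission read = new RuntimePermission("app.audit.read"); // hypothetical permission name
        for (String account : List.of("alice", "bob", "mallory"))
            System.out.println(account + " -> " + allowed(policy, commitRoles(account), read));
    }
}
```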
          • 2. Re: JAAS Authorization and Credentials
            876328
            Thanks for the quick response, EJP.
            I think I'm a little clearer on the role of credentials in the JAAS world now.
            EJP wrote:
            I would like to base the access decisions made by the authorization engine (a custom Policy) on a Subject's credentials.
            You should base it on the Subject itself and its Principals. Specifically the idea is that he has one or more RolePrincipals that name the roles he is allowed to act as in the application.
            I can't base my access decisions on the Subject because that's not made available to the Policy, as far as I can see. (If it was I could get the credentials.)

            I also don't want to use role-based principals, partly because a Subject's roles can change dynamically in our access control environment, and partly because our security model is more complex.

            Within our access control environment authentication creates a "session" object assigned to a particular account. Access decisions are made within the context of this session. In my JAAS implementation, authentication attaches our session to the Subject as a credential but, from what you say, this sounds inappropriate.

            If I attach the session object to a Subject as a Principal I will have access to it within the Policy and can use it to obtain access decisions from our server. Does that sound reasonable or am I hammering square pegs into round holes?
            • 3. Re: JAAS Authorization and Credentials
              EJP
              I can't base my access decisions on the Subject because that's not made available to the Policy, as far as I can see.
              The DomainCombiner of the applicable AccessControlContext should be castable to a SubjectDomainCombiner, which has a getSubject() method. In any case all the Subject's Principals should be available directly.
              I also don't want to use role-based principals, partly because a Subject's roles can change dynamically in our access control environment
              Even while he's logged in?
              If I attach the session object to a Subject as a Principal I will have access to it within the Policy and can use it to obtain access decisions from our server.
              Yep. Anything you like can be a Principal, just implement the interface, and use it however you want.
              • 4. Re: JAAS Authorization and Credentials
                876328
                Thanks again, EJP.
                EJP wrote:
                I also don't want to use role-based principals, partly because a Subject's roles can change dynamically in our access control environment
                Even while he's logged in?
                Yes, even while he's logged in. An administrator needs to be able to terminate a session if a rogue user starts misbehaving.
                • 5. Re: JAAS Authorization and Credentials
                  EJP
                  I would have thought you could do that directly assuming you are using Container Managed Authentication, just change his roles and invalidate the session.
                  • 6. Re: JAAS Authorization and Credentials
                    876328
                    EJP wrote:
                    I would have thought you could do that directly assuming you are using Container Managed Authentication, just change his roles and invalidate the session.
                    The access control service handles various application architectures, not just web apps.
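
The arrangement discussed in this thread, as an added example that is not code from either poster: the session travels as a Principal and the Policy asks the access control service on every check, so a session terminated by an administrator stops authorizing at the next check. `SessionPrincipal`, `AccessServer`, the session id and the permission name are hypothetical, and `implies` is called directly rather than through a SecurityManager (Java 16+ syntax).

```java
import java.security.*;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;

@SuppressWarnings("removal") // java.security.Policy is deprecated for removal since Java 17
public class SessionPolicyDemo {
    // Hypothetical principal carrying an opaque session handle. Principals are readable by
    // any code holding the Subject, so the handle must not be a bearer secret.
    record SessionPrincipal(String sessionId) implements Principal {
        public String getName() { return sessionId; }
    }

    // Constructed in-memory stand-in for the remote access control server.
    static class AccessServer {
        private final Set<String> live = ConcurrentHashMap.newKeySet();
        void open(String id) { live.add(id); }
        void terminate(String id) { live.remove(id); } // administrator action
        boolean decide(String id, Permission wanted) {
            return live.contains(id) && "app.report.read".equals(wanted.getName());
        }
    }

    // The Policy holds no grants of its own; each check is delegated to the server.
    static class SessionPolicy extends Policy {
        private final AccessServer server;
        SessionPolicy(AccessServer server) { this.server = server; }
        @Override public boolean implies(ProtectionDomain domain, Permission wanted) {
            for (Principal p : domain.getPrincipals())
                if (p instanceof SessionPrincipal s && server.decide(s.sessionId(), wanted)) return true;
            return false; // no live session principal: deny
        }
    }

    static boolean allowed(Policy policy, Subject subject, Permission wanted) {
        Principal[] principals = subject.getPrincipals().toArray(new Principal[0]);
        return policy.implies(new ProtectionDomain(null, null, null, principals), wanted);
    }

    public static void main(String[] args) {
        AccessServer server = new AccessServer();
        Policy policy = new SessionPolicy(server);
        Subject user = new Subject();
        server.open("sess-0001"); // constructed session id
        user.getPrincipals().add(new SessionPrincipal("sess-0001"));
        Permission read = new RuntimePermission("app.report.read");
        System.out.println("live session:         " + allowed(policy, user, read));
        server.terminate("sess-0001");
        System.out.println("after termination:    " + allowed(policy, user, read));
        System.out.println("no session principal: " + allowed(policy, new Subject(), read));
    }
}
```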