Jaas: Flexible Java Security Mechanism (2)

zhaozj2021-02-16  56

The JAAS developers of the client and server-side can apply JAAS to the client and server. It is easy to use Jaas in the client. The situation is more complicated when using JAAS in the server side. The JaaS product currently in the application server market is still not very consistent, and there are some subtle differences using Jaas J2EE application servers. For example, JBOSSSX uses its own structure to integrate JaAs into a bigger security framework; while WebLogic 6.x has also used JaaS, the security framework is completely different.

Now you can understand why we need to look at Jaas from the perspective of the client and server. We will list the examples in both cases. In order to make the server-side examples of examples easier, we use the RESIN application server.

Core JaaS class

Before using Jaas, you first need to install JaaS. Jaas has been included in J2SE 1.4, but there is no in J2SE 1.3. If you want to use J2SE 1.3, you can download Jaas from the official site of Sun. When JaAs is installed correctly, you will find Jaas.jar in the LIB directory of the installation directory. You need to add the path into the classpath. (Note: If you have installed the application server, it already includes JaaS, read the help document of the application server to get more detailed information). In Java Security Property file java.security, you can change some system properties related to JAAS. This file is saved in the / lib / security directory.

Using JAAS authentication in your application usually involves the following steps:

1. Create an instance of LogInText.

2. In order to obtain and process verification information, transfer a callbackHandler object as a parameter to LogInContext.

3. Verify by calling the logincontext's login () method.

4. Implement some special features by using the Subject object returned using the login () method (assuming login success).

Here is a simple example:

LoginContext lc = new LoginContext ( "MyExample"); try {lc.login ();} {. // Authentication failed} catch (LoginException) // Authentication successful, we can now continue.// We can use the returned Subject if We like.subject sub = lc.getsubject (); Subject.doas (Sub, new myprivilegedaction ());

When running this code, the background is working.

1. When initialization, the LoginContext object first finds the MyExample item in the JAAS configuration file, and then the content of this item determines which LoginModule object is loaded (see Figure 2).

2. When logging in, the LogInText object calls the login () method of each LoginModule object.

3. Each login () method verifies the verification operation or gets a CallbackHandle object.

4. The CallbackHandle object interacts with the user with one or more Callback methods to obtain user input.

5. Fill in the verification information to a new Subject object.

We will make further explanations on the code. But before this, let's first look at the core JaAs class and interface involved in the code. These classes can be divided into three types:

Ordinary type Subject, Principal, Voucher

Verify LoginContext, LoginModule, CallbackHandler, Callback Authorized Policy, Authpermission, PrivateCredentialPermission

Most of the classes and interfaces listed above are in the Javax.Security.Auth package. In J2SE 1.4, there are also some interface implementations in the com.sun.security.Auth package.

Ordinary type: Subject, Principal, Voucher

The Subject class represents a verification entity that can be a user, an administrator, a web service, a device, or another process. This class contains three-medium type security information:

Identities: indicated by one or more Principal objects

Public Credentials: For example, name or public secret

Private Credentials: For example, password or private key

The Principal object represents the identity of the Subject object. They implements Java.security.principal and java.io.serializable interfaces. In the Subject class, the most important method is getName (). This method returns an identity name. A plurality of Principal objects are included in the Subject object, so it can have multiple names. Due to the login name, the ID number, and the email address can be used as the user's identity, it can be seen that the situation with multiple identity names is very common in practical applications.

The credentials mentioned above are not a specific class or an excuse, which can be any object. The voucher can contain any authentication information required for a particular security system, such as a tag (Ticket), key, or password. A set of specific private and public credentials are maintained in the Subject object, which can be obtained by getPrivateCredentials () and getPubliccredentials () methods. These methods are usually called in the application layer in the application layer.

Verification: logincontext

In the application layer, you can use the LogInText object to verify the Subject object. The LoginContext object also reflects the dynamic pluggage of JaaS because you need to specify a configuration when you create an instance of loginContext. LoginContext usually loads configuration information from a text file, telling the LoginContext object which loginmodule object when logging in.

The following is listed below three methods that are often used in loginContext:

Login () is logged in. This method activates all LoginModule objects established in the configuration. If successful, it will create a verified Subject object; otherwise throw the loginexception exception.

GetSubject () Returns the validated Subject object

Logout () Logout Subject object, delete the Principal object and credentials associated with it

Verification: LoginModule

LoginModule is an interface to call a specific verification mechanism. J2EE 1.4 contains the implementation classes of the following LoginModule:

JNDILOGINMODULE is used to verify directory services configured in JNDI

Krb5LoginModule verifies using the Kerberos protocol

NtLoginModul authenticates using the current user in NT

UNIXLoginModule uses the current user to verify the user information in Unix, which is bound to the above module, has a corresponding clarion of the corresponding Principal interface, such as NTDomainPrincipal and UNIXPrIncipal. These classes are in the com.sun.security.Auth.

Five methods in the LoginModule interface:

Initialize () will be constructed when creating a loginmodule instance

Login () verification

Commit () This method will be called when the LGONInContext object receives all LoginModule objects. This method assumes the Principal object and the voucher to the Subject object.

Abort () This method is called when any LoginModule object verification fails. There is no Principal object or credentials associated with the Subject object.

Logout () Deletes the Principal object and credentials associated with the Subject object.

In the application's code, programmers usually do not directly call the methods listed above, but indirectly call these methods through LigonContext.

Verification: CallbackHandler and Callback

CallbackHandler and Callback objects allow the loginmodule object to collect the necessary verification information from the system and the user, while the interaction process that occurs when the actual collection information is collected.

JAAS contains seven Callback implementation class and two classes in javax.sevurity.auth.callback CallbackHandler implementation package: ChoiceCallback, ConfirmationCallback, LogcaleCallback, NameCallback, PasswordCallback, TextInputCallback, TextOutputCallback, DialogCallbackHandler and TextCallBackHandler. The Callback interface will only be used on the client. I will introduce how to write your own CallbackHandler class.

转载请注明原文地址:https://www.9cbs.com/read-15409.html

New Post(0)