JAAS: A Flexible Java Security Mechanism (1)

zhaozj 2021-02-16

Summary:

The Java Authentication and Authorization Service (JAAS) provides a flexible, extensible mechanism for securing client-side or server-side Java programs. Java's early security framework concentrated on protecting the user from downloaded code, by verifying where the code came from and who wrote it. JAAS instead protects the system from its users, by verifying who is running the code and what that user is permitted to do. It lets standard security mechanisms such as Solaris NIS, Windows NT domain authentication, LDAP (Lightweight Directory Access Protocol) directories and Kerberos be plugged into a system through a single API. This article first introduces the core parts of JAAS authentication, then shows through an example how to develop a login module.

Have you ever needed to write a login module for an application? If you are a reasonably experienced programmer, you have probably done it many times, and probably not the same way each time. You may have built your login module on an Oracle database, on NT user authentication, or on an LDAP directory. If there were a way to support all of these security mechanisms without changing any application-level code, that would be good news for programmers.

Now you can use JAAS to achieve exactly that. JAAS is a relatively new Java API: in J2SE 1.3 it was an optional extension package, and in J2SE 1.4 it became part of the core platform. In this article we introduce the core concepts of JAAS and then show, through an example, how to apply JAAS in a real program. The example is a web-based Java application that stores users' login information in a relational database. Because it is built on JAAS, the login and authentication module we end up with is both robust and flexible.

Java Authentication and Authorization: Introduction

Before JAAS appeared, Java's security model was designed to meet the needs of cross-platform networked applications. In early versions of Java, Java code was typically run as remote code, for example as applets. The initial security model therefore concentrated on protecting the user by verifying where the code came from. The concepts in the early Java security mechanism, such as the SecurityManager, the sandbox, code signing and policy files, exist mostly to protect the user from code.

The emergence of JAAS reflects the evolution of Java. Traditional client/server programs need to implement login and access control; JAAS protects the system by authenticating the user who runs the program. Although JAAS provides both authentication and authorization, this article concentrates on authentication.

JAAS simplifies the development of secure Java programs by adding an abstraction layer between the application and the underlying authentication and authorization mechanisms. This layer is platform-independent, so developers can use a variety of security mechanisms without modifying application-level code. Like other Java security APIs, JAAS keeps the program independent of the security mechanism through an extensible framework, the Service Provider Interface (SPI), which consists of a set of abstract classes and interfaces. Figure 1 gives an overview of JAAS. Application-level code deals only with LoginContext. Beneath LoginContext sits a set of dynamically configured LoginModule objects, and each LoginModule performs authentication against its own security infrastructure.

Figure 1: JAAS overview

JAAS ships with some reference LoginModule implementations, such as JndiLoginModule. Developers can also implement the LoginModule interface themselves, as the RdbmsLoginModule in our example does. We will also show how to wire a module into an application with a simple configuration file.

To support pluggability, JAAS login modules are stackable. For a single login, a set of modules can be stacked together; they are then invoked in stack order, each authenticating against its own security mechanism.

The JAAS model is based on several popular security architectures and frameworks. For example, its stacking behaviour closely resembles the Pluggable Authentication Module (PAM) framework on UNIX. From a transactional point of view, JAAS behaves like the two-phase commit (2PC) protocol: every module in the stack first attempts its authentication, and only if the stack as a whole succeeds are the modules asked to commit their results (for example, by adding principals to the Subject); otherwise each module is told to abort and discard what it collected. The security configuration concepts in JAAS (including policy files and permissions) come from J2SE 1.2. JAAS also borrows many ideas from other mature security frameworks.
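The LoginContext/LoginModule split, the configuration entry and the two-phase login/commit/abort protocol described above, shown end to end as an added example. This is not code from the original article or its RdbmsLoginModule: the class names JaasStackDemo, RdbmsLoginModule, AuditLoginModule and UserPrincipal, the helper methods stackConfig and credentials, the configuration name "Demo" and the user alice with password s3cret are all invented here, and the "database" is a constructed in-memory table standing in for the article's relational database. Only the javax.security.auth API calls are real JAAS.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Added example, not from the article: a two-module JAAS stack driven by a programmatic Configuration. */
public class JaasStackDemo {

    /** Principal the stand-in RDBMS module adds to the Subject on commit (hypothetical type). */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Hypothetical stand-in for the article's RDBMS-backed module; the "table" is constructed sample data. */
    public static class RdbmsLoginModule implements LoginModule {
        // A real module would query the database and compare a salted hash, never a plaintext password.
        private static final Map<String, String> USERS = Map.of("alice", "s3cret");
        private Subject subject;
        private CallbackHandler handler;
        private String user;              // set in phase 1 only if the credentials check out
        private UserPrincipal principal;  // set in phase 2

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        /** Phase 1 (login): authenticate, but leave the Subject untouched. */
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });   // ask the application for credentials
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot collect credentials: " + e);
            }
            String expected = USERS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            boolean ok = expected != null && given != null && MessageDigest.isEqual(   // constant-time compare
                expected.getBytes(StandardCharsets.UTF_8), new String(given).getBytes(StandardCharsets.UTF_8));
            if (!ok) throw new FailedLoginException("bad user or password");
            user = nc.getName();
            return true;
        }

        /** Phase 2 (commit): the whole stack passed phase 1, so now populate the Subject. */
        @Override public boolean commit() {
            if (user == null) return false;
            principal = new UserPrincipal(user);
            subject.getPrincipals().add(principal);
            return true;
        }

        /** Phase 2 (abort): some module in the stack failed, so discard anything kept from phase 1. */
        @Override public boolean abort() { user = null; principal = null; return true; }

        @Override public boolean logout() {
            if (principal != null) subject.getPrincipals().remove(principal);
            principal = null; user = null;
            return true;
        }
    }

    /** Second module in the stack: records the phases LoginContext drives, making the two-phase protocol visible. */
    public static class AuditLoginModule implements LoginModule {
        static final List<String> PHASES = new ArrayList<>();
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> ss, Map<String, ?> o) { PHASES.add("initialize"); }
        @Override public boolean login()  { PHASES.add("login");  return true; }
        @Override public boolean commit() { PHASES.add("commit"); return true; }
        @Override public boolean abort()  { PHASES.add("abort");  return true; }
        @Override public boolean logout() { PHASES.add("logout"); return true; }
    }

    /** Programmatic equivalent of this JAAS configuration-file entry:
     *  Demo { JaasStackDemo$RdbmsLoginModule required; JaasStackDemo$AuditLoginModule optional; }; */
    static Configuration stackConfig() {
        AppConfigurationEntry[] stack = {
            new AppConfigurationEntry(RdbmsLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Map.of()),
            new AppConfigurationEntry(AuditLoginModule.class.getName(), LoginModuleControlFlag.OPTIONAL, Map.of()) };
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "Demo".equals(name) ? stack : null;
            }
        };
    }

    /** Application-side CallbackHandler that answers the modules' prompts with fixed credentials. */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Good password: every module passes login(), then every module gets commit().
        LoginContext ok = new LoginContext("Demo", new Subject(), credentials("alice", "s3cret"), stackConfig());
        ok.login();
        System.out.println("principals after success: " + ok.getSubject().getPrincipals());
        System.out.println("audit phases: " + AuditLoginModule.PHASES);
        ok.logout();

        // Bad password: the REQUIRED module fails login(), so LoginContext drives abort() on the whole
        // stack instead of commit(), and the Subject stays empty.
        AuditLoginModule.PHASES.clear();
        LoginContext bad = new LoginContext("Demo", new Subject(), credentials("alice", "wrong"), stackConfig());
        try {
            bad.login();
        } catch (LoginException e) {
            System.out.println("login failed: " + e.getMessage());
        }
        System.out.println("principals after failure: " + bad.getSubject().getPrincipals());
        System.out.println("audit phases: " + AuditLoginModule.PHASES);
    }
}
```

Compile and run with `javac JaasStackDemo.java && java JaasStackDemo` (Java 9 or later, for Map.of). The first run shows the Subject holding a UserPrincipal and the audit module passing through initialize, login, commit and logout; the second shows that a failure in the REQUIRED module leaves the Subject empty and makes LoginContext call abort() on the audit module even though that module's own login() succeeded, which is the two-phase behaviour the text compares to 2PC. Note that the application code touches only LoginContext and a CallbackHandler: swapping RdbmsLoginModule for a Kerberos or LDAP module is a change to the configuration entry, not to the application.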

Please credit the original source when reposting: https://www.9cbs.com/read-15410.html
