L8 JAAS

advertisement
Java Authentication and
Authorization Service (JAAS)
Valentina Casola
Introduction
• The Java Authentication and Authorization Service (JAAS)
was introduced as an optional package (extension) to the
Java 2 SDK, Standard Edition (J2SDK), v 1.3.
• JAAS was integrated into the J2SDK 1.4.
• JAAS can be used for two purposes:
– for authentication of users, to reliably and securely determine who
is currently executing Java code, regardless of whether the code is
running as an application, an applet, a bean, or a servlet; and
– for authorization of users to ensure they have the access control
rights (permissions) required to do the actions performed.
Introduction (2)
• Traditionally Java has provided codesource-based
access controls (access controls based on where
the code originated from and who signed the
code).
• It was not able to enforce access controls based on
who runs the code.
• JAAS provides a framework that augments the
Java security architecture with such support.
• It implements a Java version of the standard
Pluggable Authentication Module (PAM)
framework
Features
• JAAS provides pre-defined modules
• It is possible to develop or import new
modules
JAAS pluggable
• JAAS is pluggable; this permits applications to remain
independent from underlying authentication technologies.
• Any authentication technology can be plugged under an
application without requiring modifications to the
application itself.
• The process:
– Applications enable the authentication process by instantiating a
LoginContext object, which referes to a Configuration to
determine the authentication technology, or LoginModule, to be
used in performing the authentication
Authorization phase
• Once the user or service executing the code has been
authenticated, the JAAS authorization component works in
conjunction with the core Java SE access control model to
protect access to sensitive resources.
• Access control decisions are based both on the executing
code's CodeSource and on the user or service running the
code, who is represented by a Subject object.
• The Subject is updated by a LoginModule with relevant
Principals and credentials if authentication succeeds.
Authentication example
• SampleAcn.java contains a sample application class
(SampleAcn) and another class used to handle user input
(MyCallbackHandler).
• SampleLoginModule.java is the class specified by the
login configuration file as the class implementing the
desired underlying authentication. SampleLoginModule's
user authentication consists of simply verifying that the
name and password specified by the user have specific
values.
• SamplePrincipal.java is a sample class implementing the
java.security.Principal interface. It is used by
SampleLoginModule.
LoginModules
JndiLoginModule
Verifies against a directory service
configured under JNDI (Java
Naming and Directory Interface)
Krb5LoginModule
Kerberos Protocol
NTLoginModule
Uses NT user information to
authenticate
UnixLoginModule
Uses UNIX user information to
authenticate
LoginModule: methods
initialize()
Chiamato dopo la creazione dell’oggetto
login()
Effettua l’autenticazione
commit()
Chiamato dopo l’autenticazione dal LoginContext. Qui si assegnano
Principals e Credenziali al Subject.
abort()
Chiamato quando fallisce l’autenticazione snche se nelle prime fasi.
Non vengono assegnati Principals e Credenziali al Subject.
logout()
Rimuove Principals e Credenziali associate al Subject.
•Devono essere implementati dal programmatore
•Non vengono utilizzati dal livello applicativo, ma dal LoginContext
Authentication: CallbackHandlers
and Callbacks
• CallbackHandlers and Callbacks enable the LoginModule
to gather user credentials.
• JAAS provides 7 built-in Callbacks in the
javax.security.auth.callback package:
–
–
–
–
–
–
–
ChoiceCallback,
ConfirmationCallback,
LocaleCallback,
NameCallback,
PasswordCallback,
TextInputCallback,
TextOutputCallback.
Configuration files
Hanno la seguente struttura:
Application {
ModuleClass Flag
ModuleClass Flag
...
};
Application {
ModuleClass Flag
...
};
...
ModuleOptions;
ModuleOptions;
ModuleOptions;
Un esempio:
Sample {
com.sun.security.auth.module.NTLoginModule Required debug=true;
};
Subjects and Principals
• The JAAS framework defines the term
subject to represent the source of a request.
A subject may be any entity, such as a
person or a service.
• Once the subject is authenticated, a
javax.security.auth.Subject is populated
with associated identities, or Principals.
• A Subject may have many Principals.
SampleAcn File
• That file contains two classes:
– The SampleAcn Class,
– The MyCallbackHandler Class,
• The main method of the SampleAcn class
performs the authentication and then reports
whether or not authentication succeeded. The code
for authenticating the user is very simple,
consisting of just two steps:
– Instantiate a LoginContext;
– Call the LoginContext's login method;
1. Instantiating a LoginContext
import javax.security.auth.login.*;
...
LoginContext lc =
new LoginContext(<config file entry name>, <CallbackHandler to be
used for user interaction>);
This is the name for the LoginContext to use to look up
an entry for this application in the JAAS login configuration file (sample_jaas.config); it
specifies the class that implements the desired underlying authentication technology.
When a LoginModule needs to communicate with the user to ask for a user
name and password, it does not do so directly; LoginModule invokes a
javax.security.auth.callback.CallbackHandler to perform the user interaction and
obtain the requested information, such as the user name and password.
2. Calling the LoginContext's login()
• Once we have a LoginContext lc, we can call its login method to carry
out the authentication process:
– lc.login();
1. The LoginContext instantiates a new empty javax.security.auth.Subject
object (which represents the user or service being authenticated).
2. The LoginContext constructs the configured LoginModule (in our case
SampleLoginModule) and initializes it with this new Subject and
MyCallbackHandler.
3. The LoginContext's login method then calls methods in the
SampleLoginModule to perform the login and authentication.
4. The SampleLoginModule will utilize the MyCallbackHandler to obtain
the user name and password.
5. Then the SampleLoginModule will check that the name and password
are the ones it expects
6. If authentication is successful, the SampleLoginModule populates the
Subject with a Principal representing the user.
Putting all togheter
import javax.security.auth.login.*;
...
LoginContext lc = new LoginContext("Sample", new MyCallbackHandler());
lc.login();
------------------------------- file sample_jaas.config ----------------------------
/** Login Configuration for the JAAS Sample Application **/
Sample {
sample.module.SampleLoginModule
};
required
debug=true;
SampleLoginModule File
• SampleLoginModule.java implements the
LoginModule interface. SampleLoginModule is the
class specified in the configuration file as the class
implementing the desired underlying authentication.
• SampleLoginModule's user authentication consists of
simply verifying that the name and password specified
by the user have specific values.
• If authentication is successful, the SampleLogin
Module populates a Subject with a SamplePrincipal
representing the user.
Running the code
javac sample/SampleAcn.java
sample/module/SampleLoginModule.java
sample/principal/SamplePrincipal.java
java -Djava.security.auth.login.config= =sample_jaas.config
sample.SampleAcn
User: testUser
Pass: testPassword
Authorization phase
• JAAS authorization extends the existing
Java security architecture that uses a
security policy to specify what access rights
are granted to executing code:
BEFORE JAAS:
grant codebase "file:./SampleAcn.jar" {
permission javax.security.auth.AuthPermission
"createLoginContext.Sample";
};
Authorization phase (2)
• JAAS authorization augments the existing code-centric access controls
with new user-centric access controls. Permissions can be granted
based not just on what code is running but also on who is running it.
• When an application uses JAAS authentication to authenticate the user
(or other entity such as a service), a Subject is created as a result. The
purpose of the Subject is to represent the authenticated user. A Subject
is comprised of a set of Principals, where each Principal represents an
identity for that user.
• Permissions can be granted in the policy to specific
Principals.
• The Java runtime will automatically determine whether the policy
grants the required permission only to a specific Principal and if so, the
operation will be allowed only if the Subject associated with the access
control context contains the designated Principal.
Example
• // Java 2 codesource-based policy
grant Codebase "http://foo.com", Signedby "foo" {
permission java.io.FilePermission "/cdrom/-", "read";
}
• // JAAS principal-based policy
grant Codebase "http://bar.com, Signedby "bar",
Principal bar.Principal "duke" {
permission java.io.FilePermission "/cdrom/duke/-", "read";
}
Example (2)
• This example allows to the code:
– loaded by 'bar.com‘
– signed by 'bar',
– and executed by ‘'duke‘
….to read only the files included in the '/cdrom/duke‘ directory.
• The Subject authenticated in the LoginContext must be
associated to a Prinicipal whose getName method returns
‘duke’.
• The policy must specify the information Codebase and
SygnedBy, too.
Authorization steps
•
To make JAAS authorization take place,
the following is required:
1. The user must be authenticated.
2. Principal-based entries must be configured in
the security policy.
3. The Subject that is the result of authentication
must be associated with the current access
control context.
Principal-Based Policy File Statements
The basic format of a grant statement is:
grant <signer(s) field> , <codeBase URL>
<Principal field(s)> {
permission perm_class_name "target_name“ , "action";
....
permission perm_class_name "target_name“ , "action";
};
Example: sampleazn.policy
grant codebase "file:./SampleAction.jar",
Principal sample.principal.SamplePrincipal
{
permission java.util.PropertyPermission
permission java.util.PropertyPermission
permission java.io.FilePermission
};
"testUser"
"java.home", "read";
"user.home", "read";
"foo.txt",
"read";
Create and associate a Subject with
the current access control context
1. After user authentication, the static doAs method from the
Subject class must be called, passing it an authenticated
Subject and a java.security.PrivilegedAction;
2. The doAs method associates the provided Subject with the
current Access Control Context and then invokes the run
method from the action.
3. The run method implementation contains all the code to be
executed as the specified Subject. The action thus executes
as the specified Subject.
• The static doAsPrivileged method from the Subject class
may be called instead of the doAs method. In addition to
the parameters passed to doAs, doAsPrivileged requires a
third parameter: an AccessControlContext.
Putting all togheter
Subject mySubject = lc.getSubject();
PrivilegedAction action = new SampleAction();
Subject.doAsPrivileged(mySubject, action, null);
The doAsPrivileged method invokes execution of the run method in the
PrivilegedAction action (SampleAction) to initiate execution of the rest of the
code, which is considered to be executed on behalf of the Subject mySubject.
References
• JAAS Reference Guide:
http://java.sun.com/javase/6/docs/technotes/
guides/security/jaas/JAASRefGuide.html
• JAAS Authentication Tutorial
• JAAS Authorization Tutorial
Download