JAAS
Resource:http://hintcnuie.iteye.com/blog/245239
Authentication, Authorization and Access Control
The primary goal of JAAS is to manage the granting of permissions and performing security checks for those permissions.
1.Authentication
1.1 Concept
Principal is one of identifers of a subject.
Subject is a collection of principals.
Credential is a prove of principal, it could be any type of object.
Authentication:The process to identify subject and attach credentials and principals to a subject.
LoginModule: provide a pluggable way to have system support JAAS.
used for authentication(login, and principals, credentials binding)
(
authentication technology providers interface)
LoginContext:describes the basic methods used to authenticate Subjects and provides a way to develop an
application independent of the underlying authentication technology.
(
Application Interface)
Configuration:determine which LoginModules should be used,
and which ones must succeed in order for the overall authentication to succeed(consits of AppConfigurationEntrys).
CallbackHandler: communicate and interact with users to gather identification information
CallBack: store information gathered by CallbackHandler;
1.2Authentication Progress
Application employ
LoginContext to get a authenticated
Subject. At this time,
LoginContext will ask the
Configuration for the
plugined
LoginModules, and call each
LoginModule to attach
principals and
credentials to
Subject(owned by each LoginModule or LoginContext).
Before each LoginModule attach principals and credentials, there will be a chance for LoginModule to judge whether to attach or not,
it employ
CallbackHandler to collect informations in the
CallBacks. If the collected information is valid, it could do attach now(in LoginContext is commit).
2.Authorization && AccessControl
2.1 Concept
Permission defines what kind of actions on a target.
Permission = Permission Type + Target(permission effect on) + Action(Optional)
Not a subject but principal is assigned to a permission(defined by policy).
Policy: defines which permission are granted to a given security context(principal).(
Deploying time And RunTime)
Authorization: binding permissions to princpals(policy)
Acess Control: access sensitive code employ AccessControler or Security Mananger to check subject have the right to access resources.
ProtectDomain:
encapsulates a set of classes whose instances are granted a set of permissions when being executed on behalf of a given
set of Principals.
2.2 Acess Control Progress
3. Two Extensible Interface
Subject -- Principals -- Permission: Jaas employs Pricipals to decouple the Subject and Principals.
Configuration: support to dynamicly or staticly add/remove/edit LoginModules which attach pricipals to Subject.
It judges which pricipals a Subject could have.
Policy: support to dynamicly or staticly add/remove permissions to a principal.
It judges which permissions a principal could have.
4. JAAS in Tomcat
Realm: as LoginModule,
authenticate a user based on a username and password, adding “roles” to that user if authentication was successful.
defined as
Realm in server.xml
Role: as Principal, defined as
security-role in web.xml
Authenticator: as access controller to take access control function. defined as
login-config in web.xml.
It look down security-constraint to check.